[BreachExchange] The data breach era: Why data governance is a critical tool

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 7 19:45:36 EDT 2017


http://www.itproportal.com/features/the-data-breach-era-why-data-governance-is-a-critical-tool/

As the number of data breaches increases every year and hackers become more
and more sophisticated, organisations themselves need to become
increasingly astute in terms of protecting their reputation.

There are currently over 111 data protection regulations and standards
around the world. Many of these are widely known in the IT security and
technology industry, such as HIPAA, the Sarbanes-Oxley Act, ISO 27001, the UK Data
Protection Act and the EU GDPR. There are also lesser-known regulations, such
as the Network and Information Security Directive (NISD).

Regardless of how well-known regulations are, businesses are nevertheless
expected to both understand and comply with each and every one of them.
What’s more, the ability to impose record-level fines when these
regulations are not adhered to is one of the key weapons in the armoury of
data protection regulators.

When a business fails to adequately protect sensitive information, it
could come up against both legal and financial problems. What’s alarming is
that when we asked IT professionals in the US and UK about their concerns
with regards to data privacy regulations, most businesses flagged that they
are more interested in protecting their reputations (48 per cent) than
passing audits (38 per cent). Many of these organisations are further
risking the health of their businesses by only performing compliance audits
and assessments as little as twice a year or, worse still, only when
requested.

What organisations are failing to realise is that regulatory fines
and failed compliance audits are only the beginning of the
negative consequences they could face. Their reputation, which we already
know is highly important to them, will be on the line. By suffering a data
breach, they would not only be at risk of losing customers; more often
than not, sales see a considerable decline, and that could lead to a
decrease in share price. If they truly hold reputation dear, then
they should be doing everything within their power to ensure that this does
not happen, and that risk must be fully considered when agreeing their IT security
and governance programmes.

The TalkTalk data breach is still at the forefront of most people’s minds.
Not only did it result in a regulatory fine of £400,000, which has this
week been increased to £500,000 due to “unlawful and unauthorised access”
by a third-party supplier, it also cost the organisation more than £60
million in lost revenues and exceptional costs. Considering that the
upcoming GDPR threatens victims of data breaches with fines of €20m,
or 4 per cent of annual worldwide turnover, whichever is greater, now
really is the time for companies to take heed and learn from these
mistakes.

Severe consequences

As the enforcement date for the EU GDPR fast approaches, I firmly believe
that now is the time for organisations to sit up and listen when it comes
to understanding the value they are placing on their reputation. And data
protection regulations need to be respected now more than ever. With the
arrival of severe consequences and requirements around criteria such as the
‘right to be forgotten’, as well as data breach notification within 72
hours, it should undoubtedly focus CIOs’ minds on the importance of
permanently erasing data when it is no longer needed, when it reaches its
end of life, when customers demand its removal upon terminating their
subscriptions/accounts and when it is required by regulators for compliance
purposes.

We need to get organisations to change their thinking in order to better
protect their reputation. They should be encouraged to make it a priority
to conduct audits on a regular basis so that they can identify existing
gaps and problems within their IT infrastructure and security posture. This
will allow them both to correct such problems and to drive complete
regulatory compliance in the future.

The more often audits take place, the more certain an organisation can be
of exactly how much data it is responsible for. After all,
the more data you hold, the higher the chance that you have forgotten some
of it exists. If you’re unsure of the types of data you hold, you are
less able to understand how to properly prioritise actions
to protect that data and prevent it from being accessed or exposed. If
you’re unsure of the volume and type of data you’re working with, how can
you properly manage it, mitigate the risks and prevent unnecessary data
theft? Without a comprehensive picture of your data landscape, if your
organisation were to fall victim to a data breach, it would become all but
impossible to fully comprehend the scale of the issue and how many people
it had affected. This really could be the point at which your
reputation truly comes into question.

One recent example of this is when four-year-old data from 200 million
Yahoo! accounts was leaked onto the dark web by the hacker “Peace”. What
the organisation had failed to realise is that as data ages its usefulness
diminishes until it eventually changes from being an asset to a liability.

Avoiding attacks

In order to fully comprehend the extent of the data any organisation holds,
it first needs to classify the data that already exists. You might think
this is obvious, but we often see that this first step is the one that gets
overlooked. Once this has been completed, you can then think in terms of
data lifecycle management. This is a comprehensive approach to managing the
flow of an information system’s data and any associated metadata from the point of
creation and storage to its end, where it becomes obsolete and must be
sanitised so that it can never be recovered.

Many organisations are also completely unfamiliar with how much data
storage is actually costing them. This includes both soft and hidden costs.
Once you are fully aware of how much money you are spending to store your
obsolete data, you will really be able to see the true benefit of erasing
that unnecessary data (as well as how much money could be saved). Once you
have done this, the next important step is to create and maintain processes
for classifying and then erasing your unnecessary data, as well as
regularly monitoring and updating how your data management processes are
controlled.
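The classify-then-manage-lifecycle procedure described above, and the earlier point that an inventory is what lets you size a breach, can be made concrete with a small data-inventory engine. The following is an added example and is not code from the article or its author; the classification labels, the retention periods, the storage cost rate, the field-name heuristic and every sample record are constructed assumptions chosen for illustration, not figures from the article or from any regulation.

```python
"""Toy data-inventory and retention engine (added illustration).

Every label, retention period, cost figure and record below is an
assumption constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention policy: days a record may be kept after its last
# legitimate use. The most sensitive class gets the shortest period.
RETENTION_DAYS = {
    "internal": 5 * 365,
    "personal": 2 * 365,
    "special": 365,
}

# Assumed heuristic: field names that imply a classification.
SPECIAL_FIELDS = {"health_condition", "card_number", "national_id"}
PERSONAL_FIELDS = {"email", "full_name", "phone", "address"}


def classify(fields):
    """Return the most sensitive label implied by a record's field names."""
    if fields & SPECIAL_FIELDS:
        return "special"
    if fields & PERSONAL_FIELDS:
        return "personal"
    return "internal"


@dataclass
class Record:
    record_id: str
    system: str          # where the data lives
    subject_id: str      # the person the data is about
    fields: frozenset    # field names held in the record
    last_used: date
    size_gb: float
    legal_hold: bool = False
    classification: str = field(init=False)

    def __post_init__(self):
        # Step one of the procedure: classify what already exists.
        self.classification = classify(self.fields)


def is_obsolete(record, today):
    """True once the record has outlived its retention period and is not on hold."""
    if record.legal_hold:
        return False
    limit = record.last_used + timedelta(days=RETENTION_DAYS[record.classification])
    return today > limit


def due_for_erasure(inventory, today):
    """Records that have reached end of life and should be sanitised."""
    return [r.record_id for r in inventory if is_obsolete(r, today)]


def erasure_request(inventory, subject_id):
    """Records to erase when a subject asks to be forgotten (legal holds excepted)."""
    return [r.record_id for r in inventory
            if r.subject_id == subject_id and not r.legal_hold]


def obsolete_storage_cost(inventory, today, cost_per_gb_month):
    """Monthly spend on data that should already have been erased."""
    gb = sum(r.size_gb for r in inventory if is_obsolete(r, today))
    return round(gb * cost_per_gb_month, 2)


def breach_scope(inventory, compromised_systems):
    """How many people and which data classes a breach of the named systems touches."""
    hit = [r for r in inventory if r.system in compromised_systems]
    return {"subjects": len({r.subject_id for r in hit}),
            "classifications": sorted({r.classification for r in hit})}


# Constructed sample inventory; dates are relative to an assumed "today".
TODAY = date(2017, 9, 7)
SAMPLE_INVENTORY = [
    Record("r1", "crm", "s1", frozenset({"email", "full_name"}), date(2017, 6, 1), 0.5),
    Record("r2", "legacy-db", "s2", frozenset({"email", "national_id"}), date(2013, 1, 15), 20.0),
    Record("r3", "archive", "s3", frozenset({"full_name", "address"}), date(2014, 3, 1), 8.0),
    Record("r4", "billing", "s1", frozenset({"card_number"}), date(2017, 8, 20), 0.1, legal_hold=True),
    Record("r5", "wiki", "s4", frozenset({"doc_title"}), date(2012, 1, 1), 2.0),
]

if __name__ == "__main__":
    print("due for erasure:", due_for_erasure(SAMPLE_INVENTORY, TODAY))
    print("forget s1:", erasure_request(SAMPLE_INVENTORY, "s1"))
    print("wasted spend/month:", obsolete_storage_cost(SAMPLE_INVENTORY, TODAY, 0.05))
    print("breach of legacy-db+archive:", breach_scope(SAMPLE_INVENTORY, {"legacy-db", "archive"}))
```

The point of the design is that every later question (what to erase, what a subject's request covers, what obsolete data costs, how many people a compromised system exposes) is answered from the same classified inventory; without that first classification step none of the other functions has anything to work on.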

As the number of data breaches increases every year and hackers become more
and more sophisticated, organisations themselves need to become
increasingly astute in terms of protecting their reputation. The bottom
line is, to avoid attacks, you need to know what you’re storing, where and
why. Many organisations have been able to mitigate their security risks
through data erasure, and thereby, protect the reputation they have worked
hard to establish.