[BreachExchange] Better Cyber Posture Requires IT Audits, but Depends on Data Monitoring

[Sophia Kingsbury]

https://www.corporatecomplianceinsights.com/better-cyber-posture-requires-it-audits-but-depends-on-data-monitoring/

An organization’s weakest link is most often human, not technological. Moss
Adams’ Francis Tam explains why, when it comes to cybersecurity, anomalies
like daily logins, users and infrastructure changes should be an
organization’s main concerns.

In today’s technology-driven world, information can be a company’s most
valuable – yet vulnerable – asset. Data breaches continue to become more
frequent and costly in recent years, with many high-profile cases like the
Equifax breach in 2017 making headlines. It’s crucial, then, for companies
to properly utilize data monitoring and cybersecurity audits to avoid
breaches or having information stolen.

Breaches can cost companies an average of $3.9 million and an alarming 54
percent of companies will experience a cyberattack at some point. Full IT
assessments can be time-consuming and costly, so companies often skip this
crucial process or don’t make it a priority, leaving them vulnerable.
Implementing data monitoring for your company’s cybersecurity can help
prevent major breaches.

Risks of a Data Breach

Data breaches can put not just a company and its employees at risk, but
also its customers. The aftereffects of a data breach can be just as costly
as the loss of the information itself. Depending on the scale of the
breach, a company’s reputation could become significantly damaged, driving
down profits and jeopardizing customer and client relationships, leading to
future loss of business.

There are also damage control costs associated with the response to a
breach, such as:


   - Forensic investigation
   - Remediating systems-related vulnerabilities
   - System downtime or other actions taken to recover stolen information
   - Setting up new accounts and help desks for affected customers
   - Planning internal and external communications about the breach
   - Preparing for additional safeguards and monitoring

Companies may even face legal or regulatory fines and lawsuits following
breaches.

Causes of Data Breaches
Data breaches frequently happen without a company even realizing and can
often take a significant amount of time for a company to become aware the
breach occurred. Most data breaches are caused by intentional criminal
attacks, but they can also be the result of simple technology malfunctions
and human error.

Limited System Controls

Companies often have inadequate or primitive systems controls – firewalls,
intrusion prevention systems, etc. – that don’t effectively block remote
and unauthorized access to data.

Ineffective Detection Controls

How data is monitored can also lead to vulnerabilities. Companies often
don’t address the level or quality of their detection controls, or the ways
in which they continuously monitor abnormal activities, whether they’re
coming from inside or outside the organization. This can allow hackers or
other unauthorized parties to slip by and access data undetected.

Lack of Training

When attacks happen from outside the organization, they’re difficult to
detect. It can often take even longer for a breach that happens from within
an organization to be discovered, and a breach may not even be viewed as an
anomaly by employees. This may happen because the company didn’t provide
adequate security awareness training for its employees. Employees may make
data vulnerable during their day-to-day activities without even realizing.
They may not know the correct protocol if asked to upload, download or
divulge sensitive information.

How to Prevent a Data Breach

There are many steps companies can take to protect their data. Here are
some basic steps to follow:

Classify Data and Assess IT Risks

Each company has data unique to its operations or business model, ranging
from personally identifiable information (PII) to more abstract
information. Common types of data at risk can include:


   - Social security numbers
   - Driver’s license numbers
   - Credit card numbers
   - Health care information
   - Financial statements
   - Trade secrets
   - Business leads

The first step to protecting data is simply to identify the type of data a
company touches by taking inventory and categorizing data. While every
company has a lot of data, not all data is necessarily sensitive
information.

By classifying data in different sets from most sensitive to least,
companies can identify their weaknesses, develop an IT risk heat map and
prioritize their most urgent needs and resources to safeguard the data.

Evaluate IT Controls and Security Awareness

Various types of tests can be performed to determine the safety of data.
These can include phishing attempts, in which fraudulent attempts are made
to obtain data by posing as a trustworthy source, as well as firewall
monitoring to determine how strongly the flow of traffic into and out of a
company’s network is being tracked.

Penetration assessments, in which simulated hacking attempts are made
within a controlled environment, should also be made and tailored to a
company’s specific needs. This will help test their unique combination of
systems, controls and processes and counter insufficient software updating,
improper system configuration, inherent software flaws or operational
process weaknesses.

Monitor Data Flow

With many companies operating nationally or internationally and technology
allowing data to be accessed remotely, a company’s data can potentially be
accessed from anywhere. However, businesses likely have high traffic times
and locations for when and where their data is accessed – for example,
during business hours or in locations where the company has offices and
workers.

If information appears to be accessed in ways not adherent to these
standards, or other abnormal activities seem to have taken place, that may
be a red flag that information has been breached.

Provide Security Awareness Training

Company employees who have access or high power rights to sensitive
information should be trained to spot suspicious requests to disclose
information or move assets, even if they appear to come from legitimate
sources or within the organization.

Companies should also have an action plan in place in the event of a breach
so employees know how to appropriately question, challenge and respond to
these abnormal requests.

Monitor Service Providers

Companies should continually monitor the activities of third-party service
providers, such as cloud and SaaS operators, who come into contact with
their sensitive data and information. Companies can’t necessarily perform
scans on an outside organization, but options for performing due diligence
can include providing these groups with questionnaires relating to how they
handled data or reviewing system and organization controls (SOC) and
network penetration vulnerability reports.

Cybersecurity Advisors

While there are many steps companies can take to prevent data breaches,
having a trusted advisor with expertise on how to monitor and prevent
attacks can be very beneficial.

Depending on the type of company, the frequency in which monitoring should
take place is increasing quickly with some organizations, such as ecommerce
groups, potentially needing daily overview. This can become burdensome and
time-consuming, but the presence of a trusted advisor can make the process
smooth and efficient. Advisors can also provide in-depth security awareness
training for employees to keep an eye out for risks that could lead to
future breaches and help create a company action plan should a breach occur.

Cybersecurity is a continuing exercise, and as technologies change, there
will only be more cases for companies to be at risk.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210610/e7295e77/attachment.html>