[BreachExchange] 20 Million Reasons for C-Suite to pay Attention to Data Loss

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 12 18:56:13 EDT 2017


https://www.infosecurity-magazine.com/opinions/20-million-reasons-csuite/

Fines of up to €20 million for breaches of personal data will be enabled by
the General Data Protection Regulation (GDPR) which comes into force on 25
May 2018.

Limited to 4% of annual turnover, the penalty is nevertheless a sobering
prospect – especially when you consider how easy it is to fall foul of the
regulations. A breach could arise from something as simple as a
misaddressed email, a poorly configured cloud application, or a misplaced
USB stick. Or, perhaps someone makes a mistake in not wiping IT correctly
before disposal.

The consequences for organizations that fail in their obligation to secure
personal data extend far beyond the spectre of a swinging fine. Loss of
commercially sensitive data can result in devalued intellectual property,
irreversible brand damage, and reduced shareholder confidence.

Given that data loss is often the result of poor behavior by authorized
users rather than a sophisticated hack or malware attack, what can an
organization do to protect itself?

Eight technical tactics to reduce risk

There are many technical ways to combat poor computer user behavior and
help prevent loss of data:

1.Email systems can be extended with plug-ins to check that the security
classification of attachments is compatible with the intended recipients of
the email. If it isn’t, the program prevents the email from being sent and
can alert users and management.

2.Email systems can be configured to remove the ability to set up automatic
forwarding to external addresses.

3.Laptops and workstations can be configured to prevent the use of
unauthorized removable media, such as USB sticks. Usage can be limited to
approved encrypted secure devices only.

4.Laptops and workstations can be configured with strong full disk
encryption. This function is included in many professional/enterprise
operating systems.

5.Firewalls and web proxies can be configured to prevent access to
unauthorized cloud file-sharing and email solutions.

6.Wired and wireless networks can be configured to deny connections to
unauthorized IT (network access control)

7.Laptops and tablets can be configured to connect only to whitelisted
Wi-Fi providers which meet minimum security standards, while blocking
access to unknown and insecure Wi-Fi hotspots.
Preventative monitoring systems can immediately notify management of
unusual activity in databases and storage networks such as large
out-of-hours downloads of data while it is in progress.

What’s stopping you?

It doesn’t have to be difficult or expensive to put effective technical and
procedural measures in place to prevent loss of personal data. The biggest
hurdle tends to be complacency: an ‘it will never happen to us’ attitude.
But even companies with good security awareness can be unlucky.

Security needs to support the business, not throttle it. Poorly thought
through knee-jerk security controls can create difficult, even unworkable
business processes, resulting in dangerous workarounds that increase risk
of data loss. The aim should be to deliver great IT user experience with
security measures that are sufficient to address actual risks.

The good news is that many technical measures to protect data are
inexpensive and require only simple changes in the way employees work.

What to do – and what not to do

Do:

- Get rid of shared network drives: use modern document collaboration tools
that tightly control access to specific project teams.
- Keep sensitive data in databases with credentialed and logged access
controls rather than in spreadsheets.
- Give employees decent size limits for email attachments to discourage
them from using file sharing sites or removable media for large files. With
suitable technical controls, email is a perfectly good method for
exchanging documents between organizations and many solutions are now
capable of 100MB attachments.
- Go paperless. Paper copies get lost or left on the train – and you can’t
encrypt paper.
- Restrict access to all information, allowing only specific people to
access specific data.

Make this standard practice rather than restricting access only when there
is a particular security consideration.

Don’t:

- Allow users to keep any unstructured data on workstations and laptops
because this is difficult to manage and easy to attack through network
connections.
- Let your IT department take responsibility for cybersecurity. Get
independent penetration tests and health checks on websites and all
internal and external systems and have someone from outside IT to manage
this process.
- Tolerate shadow IT, particularly among the senior management team. That
shiny new tablet picked up in duty free might look great in meetings, but
it won’t have full disk encryption or your corporate email protection. If
it is stolen with your company data on it, the company is liable.

A quick health check for the CEO…

How much thought do you give to data security? Do you think of it as
someone else’s responsibility? Perhaps you should not expect your staff to
be any more concerned with it than you are.

Look at your company mission statement and values. Are the resources you
give to information security, and your organization’s level of independent
IT testing and audit, consistent with these values?

Protecting your data is as important as protecting your people – and it’s
up to you to make sure the organization gets it right.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170612/d309ca45/attachment.html>


More information about the BreachExchange mailing list