Part 12 in the “Controls and Risk Management” series
Much like police officers follow the clues to find the culprits and arrest them, cyber investigators must follow the breadcrumbs to identify the source of a data breach and measure the scope of data impacted. But that’s only part of the job – and hopefully not the most frequent one!
More proactively, and once again much like a police force, the role of the IT security department within an organization is to prevent incidents – here, data breaches – and thereby protect the information and the organization itself.
For this purpose, most IT security departments leverage a variety of technical responses available to them. For example:
- Data masking so that sensitive information is not available to every user
- Access governance to ensure that users are adequately authorized by their roles and profiles and that permissive accesses are reduced
- Secure logins with password policies – what’s the point of having security tools in place if people still use “123456” as the key to access the (information) safe?
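To make the first and third controls in this list concrete, here is an added example (written for this edit, not code from the original post or from SAP). It masks the “Confidential” fields of a customer record for roles that are not entitled to clear text, and rejects weak passwords such as “123456” against a short denylist. The field names, the classification, the role names and the denylist are all constructed assumptions:

```python
import re

# Constructed sample record; field names and values are made up for this example.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Jane Example",
    "email": "jane.example@example.com",
    "iban": "DE89370400440532013000",
}

# Constructed classification per field ("Public" or "Confidential") together with
# the masking rule used when a confidential field is shown to a role without
# clear-text access.
FIELD_POLICY = {
    "customer_id": ("Public", None),
    "name": ("Confidential", "initials"),
    "email": ("Confidential", "email"),
    "iban": ("Confidential", "last4"),
}

# Roles entitled to see confidential fields in clear (assumption for the example).
CLEAR_TEXT_ROLES = {"fraud_analyst"}


def mask_value(value, rule):
    """Apply one masking rule; unknown rules fall back to masking everything."""
    if rule == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    if rule == "initials":
        return " ".join(part[0] + "." for part in value.split())
    if rule == "last4":
        return "*" * max(len(value) - 4, 0) + value[-4:]
    return "*" * len(value)


def mask_record(record, role):
    """Return a copy of record with confidential fields masked unless the role
    is entitled to clear-text access. Unknown fields are treated as confidential."""
    masked = {}
    for field, value in record.items():
        classification, rule = FIELD_POLICY.get(field, ("Confidential", None))
        if classification == "Confidential" and role not in CLEAR_TEXT_ROLES:
            masked[field] = mask_value(value, rule)
        else:
            masked[field] = value
    return masked


# Constructed, deliberately short denylist; a real deployment checks against a
# large list of passwords seen in previous breaches.
COMMON_PASSWORDS = {"123456", "123456789", "12345678", "password", "qwerty", "111111"}


def password_violations(candidate, min_length=12):
    """Return the policy rules the candidate breaks (an empty list means accepted)."""
    problems = []
    if len(candidate) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if re.fullmatch(r"\d+", candidate):
        problems.append("digits only")
    return problems


if __name__ == "__main__":
    print(mask_record(SAMPLE_RECORD, "support_agent"))
    print(mask_record(SAMPLE_RECORD, "fraud_analyst"))
    print(password_violations("123456"))
```

The masking is driven by the classification table rather than hard-coded per field, so extending the scheme from “Public” to “Confidential” with further levels only means adding rows to `FIELD_POLICY`; the password check returns every violated rule instead of the first one, which makes the rejection reason reportable to the user and to the policy owner.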
To be effective, IT security departments must know what they are up against. Here’s where databases such as Gemalto’s Breach Level Index can be as useful as police archives are for investigators.
The Breach Level Index “is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted.”
Unfortunately, the site was relaunched at the end of 2019, and the data breach library is currently not accessible; only the final report outputs are now available. Let’s hope it will be brought back to the site in the future.
Findings from the Breach Level Index
I was lucky enough to download the information before the site revamp, and I decided to leverage the raw data to flesh out the information and identify patterns. It appears that technological and social media companies with large volumes of individual personal information have been most subject to data breach events. This assessment is a way of classifying the severity score for each breach, to distinguish between data breaches that are “not serious versus those that are truly impactful.”
Looking at what has driven most breaches, it seems that “identity theft” is the most common type of incident, and that within this typology, “malicious insider” is the prevalent source. As most cyber analysts have been warning for quite some time, the insider threat is the most difficult one to control and mitigate.
Finally, since the database also provides the location of the breach, I crossed this information with the average risk score. While there is no information for many countries, the data shows that there is no safe haven.
What to do?
In my opinion, this database helps highlight that the malicious insider is still to be considered very seriously even if technological responses are in place. Nevertheless, insider threats come in two kinds: accidental and malicious. The database doesn’t provide information about the intent behind a breach, but one thing is certain: the consequence is negative regardless of how you look at it.
As with fraud, cybersecurity is a difficult battle since companies are up against very imaginative and clever individuals or organizations.
I don’t think there is a perfect answer for this threat, but I do believe that companies can implement some steps to get on the right track:
- Rate the criticality of the information accessed without your consent, rank your data protection needs, institute a classification system from “Public” to “Confidential,” and ensure that it is understood and applied consistently.
- Map your assets (location, intent), document the dependencies, describe the accesses and authorization structures, and regularly update this risk context.
- Identify and document the threats (including by leveraging databases such as the one described in this blog), apply a root-cause approach, assess all impacts (not just IT!), document and roll up the risk chain to get a complete picture, and report on the real exposure of each vulnerability.
- Implement a sound access-governance process with distributed policies, test your defense system internally and externally, and regularly review roles and authorizations.
- Track patterns to identify breaches as they occur, have an incident response process, share with peers and exchange information, carry out operational tests of data breach scenarios, and continuously challenge your security organization.
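The access-governance review and the pattern tracking in the last two steps above can be exercised in code. The following is an added example (not code from the original post or from SAP) that compares each user’s granted authorizations against the baseline of their role, then runs two checks over access log lines: actions the actor’s role does not cover, and users reading an unusual number of distinct customer records in one day. The roles, authorizations, log format and log lines are all constructed for this example:

```python
import re
from collections import defaultdict

# Constructed role baseline: the authorizations each role is supposed to hold.
ROLE_BASELINE = {
    "support_agent": {"read_customer", "update_ticket"},
    "fraud_analyst": {"read_customer", "read_payment", "flag_account"},
    "dba": {"read_customer", "read_payment", "export_table", "admin_users"},
}

# Constructed user directory: assigned role plus the authorizations actually granted.
USERS = {
    "alice": {"role": "support_agent", "granted": {"read_customer", "update_ticket"}},
    "bob": {"role": "support_agent", "granted": {"read_customer", "update_ticket", "export_table"}},
    "carol": {"role": "fraud_analyst", "granted": {"read_customer", "read_payment", "flag_account", "admin_users"}},
}

# Constructed access log in a made-up key=value format (one event per line).
ACCESS_LOG = """\
2020-03-02T09:15:03 user=alice action=read_customer record=C-1001
2020-03-02T09:16:10 user=alice action=read_customer record=C-1002
2020-03-02T09:20:45 user=bob action=read_customer record=C-2001
2020-03-02T09:21:02 user=bob action=read_customer record=C-2002
2020-03-02T09:21:19 user=bob action=read_customer record=C-2003
2020-03-02T09:21:35 user=bob action=read_customer record=C-2004
2020-03-02T09:21:51 user=bob action=read_customer record=C-2005
2020-03-02T09:22:07 user=bob action=read_customer record=C-2006
2020-03-02T22:30:00 user=bob action=export_table record=customers
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def excess_authorizations(users=USERS, baseline=ROLE_BASELINE):
    """Access review: authorizations granted beyond the user's role baseline.
    Returns {user: set_of_extra_authorizations} for users with any excess."""
    findings = {}
    for user, info in users.items():
        extra = info["granted"] - baseline.get(info["role"], set())
        if extra:
            findings[user] = extra
    return findings


def parse_log(text):
    """Parse the key=value log lines into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def out_of_role_actions(events, users=USERS, baseline=ROLE_BASELINE):
    """Logged actions that the actor's role baseline does not cover, i.e. an
    excess authorization that was actually used, or an unknown actor."""
    hits = []
    for e in events:
        role = users.get(e["user"], {}).get("role")
        if e["action"] not in baseline.get(role, set()):
            hits.append((e["user"], e["action"]))
    return hits


def bulk_read_users(events, max_distinct_records=5):
    """Users who read more distinct customer records in one day than the threshold."""
    reads = defaultdict(set)
    for e in events:
        if e["action"] == "read_customer":
            reads[(e["user"], e["ts"][:10])].add(e["record"])
    return sorted({user for (user, _day), records in reads.items()
                   if len(records) > max_distinct_records})


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    print("excess authorizations:", excess_authorizations())
    print("out-of-role actions:", out_of_role_actions(events))
    print("bulk readers:", bulk_read_users(events))
```

Running the review first and the log checks second shows why the two belong together: the access review flags that `bob` holds `export_table` although a support agent should not, and the log check then shows that this excess authorization was actually exercised, late in the evening, right after a burst of customer record reads. The threshold in `bulk_read_users` is a fixed constant here; in practice it would be derived from each role’s normal daily volume.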
Of course, I don’t claim that this will be sufficient. Cybersecurity is a multifaceted function that requires all actors in the chain to take part and act responsibly – from internal stakeholders such as employees to external parties such as suppliers that can have access to some part of your system. Nevertheless, I hope this at least helps in providing some suggestions.
What about you? Do you see the role that risk management plays within your company changing? I look forward to reading your thoughts and comments on Twitter @TFrenehard.
If you are interested in hearing more about this topic and discussing it, then have a look at the SAP Conference on Application and Information Security – Building Digital Trust, taking place October 20 and 21, 2020, in Dublin, Ireland.