Organizations need to plan, rehearse and modify their security protection on a continuous basis, to see what they are doing well and how they can do better.
Data breaches are happening with greater frequency and are compromising larger volumes of data than ever before. As data breaches continue, and the number of compromised records grows, organizations are being subjected to stronger financial penalties, greater legislative and regulatory scrutiny, and tangible reputational damage. For organizations that suffer an incident, responding in an intelligent and confident manner is essential.
Given today’s fully connected business environment, how can organizations protect themselves and their customers, while safeguarding or even increasing business value? Furthermore, what are some of the most significant obstacles they must overcome with data breach prevention and response?
The answer is simple. Organizations of all sizes need to plan, rehearse and modify their information security protection on a continuous basis, as we already see many companies doing with their business continuity plans. This will provide the opportunity to see what the organization is doing well, and how it can do better, as it prepares for the inevitable breach.
Preventing a Data Breach
Today's reality is that organized criminals, malicious hackers and disgruntled insiders pose the majority of threats to most private-sector organizations. It is also true that for preventing, detecting and responding to data breaches, implementing basic security measures will go a long way toward mitigating the majority of risks.
So how exactly do we define data breach prevention?
Data breach prevention is based on the premise that it is possible for an organization to increase an adversary’s "work factor" to such a degree that malicious activity becomes unprofitable, and attackers move on to easier targets. Basic technical preventative measures are popular because they scale easily and are more reliable than employing a person for the same task.
However, the human factor still has a role to play. There are a wide range of motivations for malicious actors, and without investment in measures such as threat intelligence, an organization could easily spend too much or too little time and money on prevention.
Some organized crime threat actors have capabilities that are equal to nation state intelligence agencies and will be capable of overcoming nearly any private sector attempts at information security. In addition, their ability to operate globally and have an ever-increasing range of targets continues to improve.
In my experience, supply chain security always rises toward the top of the discussions I have, and it is clear that weaknesses here are prevalent and persistent. This was demonstrated by the Target data breach in which attackers compromised vendor credentials to access the retailer’s internal networks. Such oversights in managing third parties—and the complexity associated with managing what can be many thousands of suppliers—are often beyond the ability of any individual or department to fully handle.
The Information Security Forum (ISF) has looked at supply chain security and offered guidance such as the Supply Chain Assurance Framework (SCAF) to assist our members in the procurement phase of a supplier relationship. These basic measures address the initial element of complexity, but not all procurement will be done with such rigor, and poor supplier security will continue to result in regular data breaches.
Responding to a Data Breach
Many organizations realize that incidents can occur regardless of precautions, so they seek to respond to breaches in a resilient and professional manner. However, these capacities can often be lacking, and the resulting disorganization damages customer trust, brand value and, ultimately, reputation.
Response is harder than prevention and detection because it forces interaction between a wide range of both internal organizational stakeholders and external stakeholders, such as shareholders, customers, vendors and regulators. This can create significant coordination and communication problems. In addition, these interactions take place in a high-pressured and time-poor environment, where the commercial and professional stakes are high and tolerance for error is low.
So how can information security demonstrate business value when responding to a data breach, and what are the key organizational capabilities to have in place: technical, procedural, people and political? Follow these three simple steps:
• Develop a plan.
• Practice the plan.
• Respond decisively.