/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsBANGALORE, INDIA: The increase in data breaches off late is resulting in much needed dialogue around security. Take the recent data breach at Target, as an example which is also considered as one of the biggest data breaches of all time. It was initially estimated that 40mn customers' data was compromised, but the number has increased to 70mn to date.
Investigators believe the data was obtained through a software installed on the magnetic strip of Target's card swiping machines which customers used while paying for merchandises at Target stores.
According to The Ponemon Institute's 2013 Cost of Data Breach Study, the average cost of a data breach in the USA alone is estimated at $188 per record. Given the sheer volume of data breaches annually, this leads to an average loss of $5.4mn for organizations. Therefore, enterprises need to make changes to the overall data security approach to prevent accidental or intentional data losses.
The fundamental issue that we need to understand is that attacks of this nature and magnitude don't happen overnight. A study on industry statistics suggests that a data breach happens over hundreds of days and it takes about 200 more to discover it. Usually, the data breach is first identified by external sources.
Any CISO or CIO reading such data breach reports will heave a sigh of relief that his organization was not the victim of such attacks. However, he should also immediately examine how prone is his organization to these attacks and what measures he should adopt to safeguard against future threats.
While there is definitely awareness that an organization's data is its Holy Grail, the CISOs need to look at novel ways to approach data security in order to beat their sophisticated invisible attackers. Most often, CISOs tend to look at threat areas in silos and lack visibility towards an integrated view. What enterprises need to adopt is Integrated Security Control that provides a comprehensive security cover.
The key tenants of the Integrated Security Control are:
1.Data Protection
2.Governance
3.
The first and most important aspect is Data Protection. To plan effective Data Protection, the first step is to identify sensitive data. The process of identifying sensitive data can be achieved through eDiscovery, which helps in automating the process of data identification based on defined policies.
Discovery should be followed by effective classification of the data and efforts should be made to increase the level of protection at individual level. This can be done on the basis of code of conduct, standardization and certification.
However, onus remains on organizations to create a regulatory framework for protecting the sensitive data and supporting self-regulation in the private sphere. Also, organizations need to ensure that Data Protection is based on the sensitivity and confidentiality of the content and should define different levels of protection based on varying sensitivity/confidentiality of the content.
The second component of Integrated Security Control is Governance. Organizations should focus on establishing a proper framework to govern the data flow. Organizations need to build strong risk and data governance councils by including business, security, data management and IT Teams. They should ensure that all the data in the estate has ownership and there are designated risk owners for all data.
An effective governance framework ensures sharing of goals between security management and data management. Also, the framework helps the organizations in creating a visibility towards handling of the sensitive data.
The third component of Integrated Security Control is Cyber Security. In a traditional approach to Cyber Security planning, organizations tend to focus on the traditional threat vectors like virus, malware, phishing attacks, Trojans and Keyloggers. Although these threats are still common which can impact enterprise security from gateway to endpoint, the attacks have become more sophisticated and advanced. Attackers now use multi vector and multi stage attacks which target sensitive data.
Cyber security control should provide multi-vector and multi-stage protection by signaling security alerts related to sensitive data to the governance framework. The framework in turn, should create visibility so that appropriate data protection is applied to those findings.
When closely knit together Data Protection, Governance and Cyber Security provide an effective data protection strategy for any enterprise; leaving almost no room for data breaches. The approach also allows enterprises to formulate proactive action plans in a rare case of breach by alerting business owners in time to minimize the loss. It also helps in tracking the sources of attacks and preparing the organizations to effectively counter different types of data breaches with a minimal impact to the business.
(The author is CEO, Infrastructure Management Services and Security Business at Happiest Minds Technologies)