Does this sound familiar? Parts of your business started out creating solutions security to unquantified compliance and risk problems. Those teams worked in isolation, discussing the problem, needs, requirements and desired outcomes, however, given the perceived risks had not yet been fully quantified or understood, the focus remained on achieving the desired outcome and not on ensuring governance and compliance.
As a result, the effort did not attract the relevant level of focus from the business and any funding was capped or limited. It is also likely that the initiative did not get participation from the appropriate resources in the security team and/or the line of business owners. This approach is all too common when in mitigation or problem-solving mode and does not address the most important issue which is ‘where are we exposed or at risk and how can we address that potential weakness’?
Given the above, its likely that we are at risk of a breach, could you provide an example? Take into consideration some of the following statistics as it relates to financial information (PCI-DSS) and then applies the same to Health Insurance Portability and Accountability Act (HIPAA) or Personally Identifiable information (Pii).
- PCI DSS (Payment Card Industry Data Security Standard) compliance has increased by 167% since 2012. However, even with this significant rise in compliance, there are still 80% of organisations that are behind in compliance 80 percent!!!
- Only 29% of organisations are compliant a year after validation. To better put this into perspective, but not to insult your intelligence… that is saying that 71% of companies are NOT compliant a year after validation.
- Only 26% of news media executives feel confident their businesses are compliant
Pretty compelling right? – Can you imagine contacting one of your own customers to tell them that you have had a breach, or that you have leaked personally identifiable information (PII)? Under Mandatory Breach Disclosure law, you are now required to do just that.
If you are unlucky enough to suffer a breach, consider the following
- Statistically, 69% of customers would be less inclined to do business with a breached organisation. What would happen if 69% of YOUR customers lost trust in you or for their own compliance and governance reasons could no longer do business with you?
- On top of risking the integrity of your organisation and loss of customers which equates to a loss in profits, you could face punitive action and fines up to $5,000 USD each month for being non-compliant… or much more. According to the Ponemon Institute, which tracks the costs of data breaches every year, the average cost of a data breach is more than USD4 million.
- GDPR – At its highest level, failure to comply with the General Data Protection Regulation could result in fines of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
So, how could your business approach this differently? This is a two-part Data Loss Prevention (DLP) answer.
Part One – You must get visibility of the way in which users create, interact with, store, share and handle information of all types. Sounds easy right? Well… almost. The key part is to ensure you get a clear understanding of all ingress, egress potential data exfiltration points and the way in which you user bases interacts with them. Think for example of cloud-based services and the way in which your information could be traversing between them.
Part Two – This is the intelligence. Users should apply classifications and labels to information and documents to ensure compliance is adhered to and then have a policy and enforcement engine that can understand classifications and labeling and apply appropriate policy.
So what next, how should we approach this?
- Perform cultural awareness education-focused both inward (the business) and outward (the market and people you do business with)
a. Ensure Security teams and/or compliance resources are engaged across all projects - Conduct a Risk Assessment exercise.
a. Define the actual, perceived, and identified risks to the business
b. Understand what your risks really are and where the focus needs to be applied
c. Categorise and prioritise the risks - Gain Visibility.
a. Understand your information highway – ingress and egress points
b. Conduct a Cloud Application security assessment – gain visibility to allow you to make informed decisions around governance and compliance - Ensure your focus is on the areas identified in the risk assessment as reducing your attack or breach surface
- Define a baseline.
a. User Behaviour Analytics (UBA) define what is known as good or normal - Measure and enforce a policy against this baseline
- Rinse and repeat
It is no longer a case of if but when a breach will occur. Staying ahead of compliance and ensuring governance is a continuous process and involves people, process, and technology working in harmony.
We have to start with visibility – once we have that, we can make the right decisions and empower project teams through insights to make the right decisions when solving problems that do not leave the organisation open from a governance and compliance standpoint.
You cannot manage what you cannot see, and you cannot secure what you cannot manage!
