It’s no exaggeration to say that today’s threat landscape is unprecedented.
For one thing, data breaches are rising in frequency and cost. According to the latest Symantec Internet Security Threat report
, more electronic records were breached in 2008 than in the previous four years combined. A recent study by the Ponemon Institute fixes the average cost of a data breach at $6.7 million.
At the same time, insiders now pose the biggest threat to data. Lost and stolen laptops, portable storage, layoffs, inefficient business processes, and outsourcing all increase the risk of data loss. Another study by the Ponemon Institute found that 59% of employees who lost or left a job last year admitted to stealing company data.
Perhaps most ominously, targeted attacks are threatening businesses as never before. Increasingly sophisticated cyber-criminals now concentrate their efforts on stealing end user information for the purpose of identity theft. Last year, Symantec created more than 1.6 million malicious code signatures, more than in the last 17 years combined.
Taken together, these developments lead to one conclusion: security officials today operate in an environment of increased threats to their data from both internal and external sources.
This article makes the case that, at a time when “business as usual” is not an option, organizations need to be much more proactive to secure their critical information.
Given the current threat landscape, one of the biggest challenges organizations face today is how to balance the operational demands for information availability with the need to adequately protect that information from unauthorized disclosure. These are not mutually exclusive goals, and smart companies understand the importance of maintaining a balance between information availability and information protection.
An information exposure assessment
is essential to maintaining that balance. An information exposure assessment provides you with a detailed analysis of how your information is exposed internally and externally, along with a clear plan for reducing and eliminating your areas of exposure.
An information exposure assessment seeks answers to three fundamental questions:
- Where is my confidential data?
- How is it being used?
- How do I prevent data loss?
The questions sound simple. But think of all the places where your confidential information can turn up today: It gets loaded onto laptops, copied to USB devices, stored on PDAs and smartphones, posted on blogs, burned to CDs and DVDs, and relayed via IM and Web-based email.
An information exposure assessment provides you with a complete picture of your security risk. Most importantly, it enables you to address individual exposures within the context of your larger information risk profile.
Bottom line: Only when you have knowledge of where your data is stored, where it is going, and how it is being used will you be able to clearly identify problematic practices, prioritize data and groups for phased remediation, and begin to staunch the flow of proprietary data leaving your organization.
Of course, it doesn’t help that enterprises are facing this threat landscape as they also work their way through a slumping economy. The pressure is intense to shave budgets, shelve ambitious IT programs, and freeze or reduce headcount.
That’s why smart companies are reassessing their compliance processes. Multiple regulations now require companies to demonstrate compliance with greater frequency. To make sure they’re prepared for internal and external audits, security professionals must accurately prioritize risks and remediate potential deficiencies on an ongoing basis.
What they’re starting to realize, however, is that existing manual compliance processes no longer cut it. They’re time-consuming, costly, and error-prone, and they expose the company to budget shortfalls and audit failures. According to recent research by the IT Policy Compliance Group, organizations that deploy ad hoc controls typically experience higher compliance costs, more audit deficiencies, greater business downtime due to IT failures, and increased risk of confidential data loss.
That’s why smart companies are increasingly implementing an automated process for auditing security controls to ensure that a proper level of risk is maintained between information flow and information protection. By taking a more proactive approach to compliance, predicting audit needs in advance and being armed with detailed knowledge, companies are empowered to confront any audit issues that arise.
Bottom line: Companies with mature compliance practices are more successful at passing audits because they’re focused on operational excellence. According to the IT Policy Compliance Group, they also spend less money on the audit process, report fewer audit deficiencies, and experience fewer information losses.
Smart companies today also understand that preventing data breaches involves taming the complexity in their data centers.
Think about it: Today’s enterprise data center is a hive of heterogeneous technologies. There are servers supporting a wide range of operating systems, storage, and hardware from multiple vendors, scores of unique applications and databases, and tools from numerous vendors. But as data center managers worldwide have learned, heterogeneity exacts a price: A customized environment that has been created to meet specific business requirements is complex and expensive to manage.
It’s also more susceptible to attack. Traditionally, enterprises have tried to address their security risks with multiple “best of breed” security products from multiple vendors. But the lack of central visibility and process control across technology silos has become a major challenge. So despite significant investments in security products, many organizations remain at risk from data breaches and targeted attacks.
Smart companies are simplifying their security management by deploying fewer products with more capabilities. And they’re standardizing their IT environment, systems management tools, and configurations to improve operational efficiency while reducing cost, complexity, and downtime.
Bottom line: Preventing data breaches requires multiple solutions that work together to solve the problem. This means much more than defense-in-depth. It means that the solutions you deploy – whether to monitor information, protect endpoints, check technical controls, harden core systems, or provide real-time alerts – must be integrated to create a centralized view of information security so you can make correlations and discover root causes quickly and decisively.
No organization wants to be in the news because of a security breach. But threats to corporate information continue to increase, and IT organizations now have to worry about internal as well as external attack vectors – including employees who intentionally or accidentally risk critical information. Loss of this critical information can result in a loss of revenue, customers, and competitive advantage, not to mention regulatory penalties.
The traditional security approach, which relies on disparate security strategies, applications, and processes all working independently of each other, makes it difficult to evaluate the impact of security breaches and quickly take appropriate action in times of crisis. Ultimately, this approach fails to address the complex challenges posed by today’s threat landscape.
Smart companies know that “business as usual” is no longer an acceptable risk posture. They know they must be able to protect that information wherever it’s used or stored. And they know they must consolidate protection and recovery technologies and establish threat priorities. In short, they know they must be proactive.
To recap, then:
- The most common causes of data breaches are well-meaning insiders, targeted attacks, and malicious insiders.
- Breaches are preventable, but you have to know where your data is and how it’s stored.
- Manual compliance practices are time-consuming and error-prone. Companies that automate their compliance practices experience fewer information losses.
- Preventing data breaches requires multiple solutions that work together to solve the problem.