Recent breaches at major telecommunication, financial and news organisations in Australia continue to occur despite investments in security measures because organisations lack a holistic view of their security systems. Many rely on a variety of point security solutions that are neither linked nor cross-referenced, which leaves them with a fragmented view of vulnerabilities and threats and unable to respond in a timely manner.
What’s worse, there is often a disconnect between what IT managers and C-level executives consider a significant breach and how that breach will actually affect customers and the business’ reputation. For example, viewing a data breach as simply a procedural or technical failure can badly underestimate its business impact. In fact, the November 2011 Unisys Security Index* found that Australians have little tolerance for data breaches in organisations they do business with and are very likely to change provider or vent their frustrations publicly:
- 85% of Australians say they would stop dealing with an organisation (i.e. close their account) if they became aware that their personal information had been breached. Of the 12 countries surveyed, Australians are the most likely to say they would take such action.
- 64% of Australians say they would publicly expose the issue – suggesting that the Australian public expects organisations to be held accountable for data breaches.
On the other hand, it seems many employees are not aware of, or disregard, the degree to which their actions can expose their organisation to risk. A recent Cost of Data Breaches Study** found that while malicious and criminal attacks were the main cause of data breaches in Australia, accounting for 36%, employee and third-party negligence accounted for 32% of losses, and lost or stolen devices also impacted 32% of respondents.
As a result, organisations must treat the internal environment as hostile territory. Defence should not stop at the perimeter.
The Internal Threat, Be It Intentional Or Not, Is Equal To The External Threat.
The human factor is always there. Employers assume an implicit trust in people within the organisation to do the right thing but, let’s face it, in today’s world you cannot afford to assume. You can trust, but first verify.
Managing the human risk factor requires a mix of approaches, such as implementing policies and procedures and running an education program so that people know how and why they must adhere to them. Technology measures can be used to:
- verify that people are who they say they are;
- limit access to data to those who need to access it to do their jobs;
- require the use of a secure Virtual Private Network to access the corporate network remotely;
- prevent certain data from being emailed unencrypted or saved to an external device.
But these technologies may not be sufficient to protect against data breaches. Attribute-based access control is an emerging technology that grants access based not only on the nature of the data and the individual requesting access, but also on the location from which access is being requested.
For example, your location could govern what data you can access depending on whether you are trying to access it from a public area, where prying eyes might see the information, or from a more secure location, such as your home.
Similarly, the method used to authenticate your identity may determine what level of data you can access. For example, a password may grant a lower level of access than a biometric fingerprint, which offers a higher level of identity assurance. Conversely, a request to access more sensitive data or to initiate a high-value transaction might trigger a request for additional authentication.
Technology can also be used to flag anomalous behaviour by noticing when you (or someone who says they are you) do something outside your normal pattern, such as accessing information you don’t normally access or during hours outside your normal work schedule.
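As an added example (not code from the article or from Unisys), the following Python sketch shows how the location, authentication-strength, step-up and off-hours rules described above can be combined into a single attribute-based access decision. The classification levels, the authentication strength ordering, the location limits and the working-hours window are all assumptions chosen for illustration.

```python
"""Minimal attribute-based access control (ABAC) decision for a data request.
Added illustration only; all policy values below are assumptions."""
from dataclasses import dataclass, field

# Assumed: relative strength of each authentication method (higher is stronger).
AUTH_STRENGTH = {"password": 1, "biometric": 2}
# Assumed: minimum authentication strength each data classification requires.
REQUIRED_STRENGTH = {"public": 0, "internal": 1, "confidential": 2}
# Assumed: highest classification that may be viewed from each location type,
# so confidential data is never shown on a screen in a public area.
LOCATION_LIMIT = {"public": "internal", "home": "confidential", "office": "confidential"}
LEVEL_RANK = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Request:
    user: str
    roles: set                 # roles the authenticated subject holds
    classification: str        # classification of the data requested
    required_role: str         # role the data owner requires (need-to-know)
    location: str              # "public", "home" or "office"
    auth_method: str           # "password" or "biometric"
    hour: int                  # local hour (0-23) at which access is requested
    usual_hours: range = field(default_factory=lambda: range(8, 19))  # assumed pattern


def decide(req):
    """Return (decision, flags): decision is 'allow', 'deny' or 'step_up';
    flags lists conditions a monitoring dashboard would want to see."""
    flags = []
    # 1. Need-to-know: the subject must hold the role the data requires.
    if req.required_role not in req.roles:
        return "deny", ["no need-to-know for this data"]
    # 2. Location attribute: a public place caps the classification viewable.
    if LEVEL_RANK[req.classification] > LEVEL_RANK[LOCATION_LIMIT[req.location]]:
        return "deny", [f"{req.classification} data not viewable from a {req.location} location"]
    # 3. Anomaly: access outside the user's normal pattern is allowed but flagged.
    if req.hour not in req.usual_hours:
        flags.append("access outside usual hours flagged for review")
    # 4. Authentication strength: sensitive data with a weak factor triggers step-up,
    #    i.e. the request is held until the user presents a stronger credential.
    if AUTH_STRENGTH[req.auth_method] < REQUIRED_STRENGTH[req.classification]:
        flags.append("stronger authentication required")
        return "step_up", flags
    return "allow", flags
```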
Ultimately, this is all about refocusing security strategy on the user rather than the perimeter. This requires a centralised identity and access management approach that integrates user access with device security. This process takes a co-ordinated approach to the protection of sensitive data by means of secure document access and delivery, data encryption, data masking and/or digital rights management. Such protection is essential when accessing areas such as the cloud and social networks where sensitive data can be particularly at risk.
Start With The Data
As organisations are forced to manage more and more data, it is not financially viable to apply top-level security measures to all of it. Not all data is the same and its sensitivity varies. Therefore, classify the data and group it according to the level of protection each class needs, then apply security measures based on that classification grouping.
In addition, rather than rely solely on controlling access to the data, look at securing the data itself using encryption. That way, even if the wrong people do access the data, they still can’t read it.
A Holistic View
With so many security options available, a real-time holistic view of all security systems gives both IT and senior executives true situational awareness, so they can identify threats and act on them in a timely and effective manner.
To achieve this holistic view, detailed event logs and other reports from siloed security systems can be fed into security analytics tools and the results presented as an easy-to-understand, integrated dashboard that identifies patterns, risks and weaknesses across all areas of the business.
This could include identifying an outside attack on the data system or something as simple as preventing an employee from storing certain types of information on their smartphone or tablet.
As organisations grow, there are more end points to secure, making a modern, rigorous security system essential. Similarly, the growing trend of employee-owned mobile devices used in the workplace also vastly increases the number of end points that need to be secured.
However, security cannot be at the expense of efficiency. The easiest way to secure data is to simply prevent it from being accessed or used. Although such an approach is clearly nonsensical from an operational perspective, many security measures reflect a certain amount of this thinking. For an organisation to be effective, security measures should enable (not hinder) people to carry out their everyday duties. And this is particularly true when organisations start using mobile devices to improve their operational efficiency.
As new threats and opportunities continue to appear, businesses need to regularly revisit their security measures to ensure they have a whole-of-enterprise system in place to protect infrastructure and assets.
While attacks are a painful reality for today’s organisations, savvy businesses and governments are by no means sitting still. Instead, they weave security into all aspects of their decision making. No organisation is immune to these attacks, but the best organisations will limit the impact of an event and will quickly and successfully respond, recover and restore normal operations.
John Kendall is the Security Program Director for Unisys Asia Pacific.