The cost of lost business makes up around 40% of the average cost of a large-scale data breach, translating in customer turnover, lost revenue due to system downtime and higher cost of acquiring new business due to reputation damage. This was the finding in a Ponemon Institute research study sponsored by Accenture.
The latest Cost of a Data Breach Report 2020 (which also includes data obtained since the COVID-19 pandemic) by IBM Security confirms that lost business remains the largest contributor to the total cost of a data breach, which has increased from $1.42 million in their 2019 study, to $1.52 million in their 2020 study.
Taking a closer look at the root causes of these breaches, reveals interesting common denominators. Businesses have not yet fully appreciated the value of data as their business lifeblood and they fail at their fundamental data security practices. We take a fresh look at how these practices can secure your business and its high-value assets from the inside out.
How to be brilliant at the basics of data security
Point of departure for data protection should be to identify your high-value assets. Your high-value assets are the ‘crown jewels’ – the data that is most critical to your operations – which are subject to the most stringent regulatory penalties, and most important to your trade secrets and differentiation in the market. As soon as you have identified these, you have to harden them.
- Harden your high-value assets
Simply put, ‘hardening’ your high-value assets means making it as difficult and costly as possible for adversaries to obtain your data and limiting the damage they can cause if they do obtain access. Here are some guidelines:
Adopt the attacker’s mind-set – Ask yourself what they want most and design and execute your threat and vulnerability program, and overall security solution, to deny it.
Consider and use multiple techniques – Use a combination of methods such as encryption, tokenisation, micro-segmentation, privilege and digital rights management, selective redaction, and data scrambling.
Add additional protection to legacy systems instead – If your high-value assets are on legacy systems, do not try to harden those assets all at once. Instead, add additional protection and increase visibility over control points or points of access until you migrate or modernise these systems. If you have legacy systems that cannot be suitably hardened, look for opportunities to restrict access and up-level your monitoring. Be laser-focused on timely detection at your weakest links.
Apply the same control to people who have access to the data – Remember that whilst it is critical to focus on securing and encrypting data, and keeping it in the safest of system, you will simply move the point of failure, if you do not apply the same controls to people who have access to the data.
- Build up your defences through network enclaves; on-premises and in the cloud
Note that the perimeter is no longer the perimeter – it has become too easy for adversaries to breach. And the enterprise that the perimeter is intended to protect now extends well beyond ‘the four walls’ to the cloud and the field and the control rooms.
Consider creating enclaves – environments both on- and off-premises where you can better monitor the comings and goings of users and the behaviour of applications – which limit an attacker’s manoeuvrability.
- Build and execute a hunting program
There was a time when businesses felt they only had to activate their incident response plans in the event of a breach.
Not any longer. Today, the best approach is to adopt a continuous response model – always assume you have been breached and use your incident response and threat hunting teams to always look for the next breach (“find them before they find you”).
- Build and use adversary simulation and catastrophe scenarios
Run and test those scenarios for end-to-end effectiveness, so you can verify and validate that you can detect an adversary, and that your people are prepared and ready.
- Regularly test the security of your applications
Conducting security testing is important because it helps identify actual vulnerabilities – ideally as soon as they are discovered and reported. But this is only one component in an overall security framework.
To optimise testing efforts, you must obtain a complete as possible grasp on your external assets and know what you need to scan. Know who owns the assets and who can fix vulnerabilities.
Make sure your security team can validate scanning results and quickly eliminate false positives. Integrate security into the development cycle itself, so that bugs get fixed early – at times even before a single line of code is written.
In security parlance, shifting left, is more cost-effective at identifying design flaws early which account for the largest remediation cost. Measure the resolution time for vulnerabilities and help the business prioritise remediating those which pose the greatest risk.
Application security testing is not just having a tool but having a robust end-to-end program to decrease security risk in a cost-effective manner.
- Patch your systems
This is easier said than done. Businesses fail to patch their systems because they have a fluid system landscape and they do not know how many systems are active in their inventory.
If they do have an inventory, they might not know all the different versions of software on their platforms; a patch to a certain version of an operating system might break the application on top of it. A threat intelligence program can provide automatic notification when specific applications with high-value assets require a patch to avoid being exploited.
The program must also reconcile anomalies, such as a patch that requires a reboot on a system prohibited from rebooting.
- Limit, monitor and segment access
Use two-factor authentication as much as possible, as well as use role-based access, to make automated decisions about who can see what data and systems.
Move toward micro-segmentation in your access control, recognising that when sensitive data needs to be adjudicated by different people for different reasons, none may need to see the data in totality.
Micro-segmentation can show each person what he or she needs to see based on his or her roles and responsibilities, while obscuring the rest. This also limits damage in the event of a breach, and if any user’s credentials are compromised, only a portion of the data is exposed. To exfiltrate whole objects or larger swaths of data, the adversary’s job becomes much more difficult.
- Monitor anomalous and suspicious activity
Continuously and vigilantly monitor, not just for unauthorised access, but also for undiscovered threats and suspicious user behaviour. Show each person what they need based on roles and responsibilities and obscure the rest.
- Develop both strategic and tactical threat intelligence
Have a sustainable threat intelligence program that collects and curates both strategic and tactical threat intelligence.
Strategic threat intelligence is human intelligence coming from a variety of both closed and open sources, i.e. an e-mail explaining that certain versions of Apache Struts are vulnerable to attack, and how that vulnerability is exploited. Other forms of strategic intelligence can provide insights on campaigns targeting certain industries or technologies, or geo-political trends that could change the incentives of attackers.
Tactical threat intelligence includes machine indicators of compromise that feed in automatically to your systems. Stay as current as possible on both the broader threat landscape and the specific relevant threats.
- Build a security ecosystem
No business is an island. Supplement internal talent and skills with a diverse vendor support system.
When necessary and appropriate, take advantage of the assistance that managed services businesses can deliver.
- Prepare for the worst
Transform your incident response plan into a crisis management plan that can be enacted if the worst-case scenario materialises. Ensure that legal and corporate communications teams are on ‘standby’ and exercise the plan to identify areas for improvement and be ready when the next issue arises.
Be ready for a catastrophic cyberattack where e-mail, voice over IP, and other communication systems used on a day-to-day basis are unavailable. Consider storing critical contact information in the cloud, for such instances and be prepared to use the cloud as a secondary out-of-band platform for e-mail and voice communication.
Considering the significance of data in an exponentially digital-accelerated business landscape and the true cost of data breaches, it is no wonder that data is being dubbed ‘the new oil’ across the world.
To avoid serious data breaches, every business owes it to itself to review the efficiency of its fundamental data-centric security practices. Closing any gaps as soon as possible, will help fend of breaches and minimise their impact.
Essentially, when it comes to data breaches, prevention is not only better than cure, but also significantly more cost-effective than cure.