Every day we hear of a “major” security breach at another big company. Breaches are not to be taken lightly: they can have a devastating impact on organizations, because they are costly, damage reputations and drive customers away.
According to a recent study by UK-based market analyst Juniper Research, the continuing digitization of business records will push the worldwide cost of data breaches to US$2.1 trillion by 2019, almost four times the estimated cost of breaches in 2015. As more business infrastructure becomes connected, the study expects the average cost of a single data breach to exceed US$150 million by 2020.
Inevitably, the organization breached goes on a spin campaign to shift blame away from itself, but never simply says, “We could have prevented this if we had our act together.”
Security breaches can’t happen unless someone gets access they shouldn’t have. Access is entirely within the organization’s control (or should be), and while no checklist can guarantee you will never be the victim of a breach, a few simple practices make you a harder target and limit the damage if someone does get in.
- It starts with authentication and authorization. Identity and access management 101 explains that access is the combination of authentication (proving you are who you claim to be) and authorization (limiting what you can do based on who you are). Too often, access is granted haphazardly, on a path-of-least-resistance basis that secures things properly only as long as doing so isn’t too difficult. It is well worth the investment to establish rights correctly, so that every user has access to everything they need to do their job, and nothing else.
- Treat data security as a single issue, not several separate ones. The knee-jerk reaction to regulations and security incidents is to look for the most likely target and find a way to secure it. The result is a siloed approach that is neither efficient nor consistently secure. A better approach is to unify the things that control access (policy, identity, authentication, provisioning, roles, and so on) and get them right once. If a single role definition carries all the appropriate access rights for a group of employees, the damage a rogue insider, or an attacker holding stolen credentials, can do is bounded by that role. If they can’t get it, how can they abuse it?
- Put the right people in control. The vast majority of access controls are set up by the people who know how to manage the system, rather than by those with the most at stake. IT is usually on the front line of implementing access controls because it has the rights, tools and knowledge to set up access for individuals and groups. But IT typically lacks the context to know what access an individual should have; that context belongs to line-of-business personnel. Find a way to put the line of business in control of access rights and of as much of the management process as possible.
- Don’t forget about your administrators. Finally, the “superuser” credentials that come with every system are the crown jewels of access. Someone logging in with these shared, anonymous and all-powerful sets of rights can do anything they want, from planting malware to stealing data. Privileged access management technologies exist that remove the shared nature and anonymity of administrative credentials and audit every action performed with them.
This one practice alone could prevent, or sharply limit the damage of, many of the high-profile breaches in the news. Trusting your employees is no reason not to apply access control to all of them, administrators included.
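As an added example (not code from the article or from Dell Software), the following Python sketch puts the first, second and fourth practices above into working code: authentication (a salted PBKDF2 password check) is kept separate from authorization; every right comes from a single role definition and anything a role does not grant is denied; and administrative work is carried out by a named individual who holds the admin right, with each action written to an audit log, rather than through a shared superuser login. The role names, rights, users, passwords and resources are constructed for the demo and are assumptions, not anything the article describes.

```python
"""Minimal identity-and-access model: authentication, role-based
authorization with deny-by-default, and attributed, audited admin actions.
Illustrative example written for this page; not from the original article."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Role definitions are the single place rights are granted: each role lists
# everything a job function needs and nothing else. Names are constructed.
ROLES: Dict[str, Set[Permission]] = {
    "payroll_clerk": {("payroll", "read"), ("payroll", "write")},
    "hr_viewer": {("employees", "read")},
    "payroll_dba": {("payroll", "read"), ("payroll", "admin")},
}

PBKDF2_ITERATIONS = 100_000  # tune upward for production hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass(frozen=True)
class Principal:
    """An authenticated identity: who the caller is and which roles they hold.
    It carries no rights of its own; rights are looked up from ROLES."""
    name: str
    roles: FrozenSet[str]


class AccessControl:
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes, FrozenSet[str]]] = {}
        self.audit_log: List[dict] = []

    def add_user(self, name: str, password: str, roles: Set[str]) -> None:
        unknown = set(roles) - ROLES.keys()
        if unknown:  # a user can only be placed in roles that exist
            raise ValueError(f"undefined roles: {sorted(unknown)}")
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, _hash_password(password, salt), frozenset(roles))

    # Authentication: proving you are who you claim to be.
    def authenticate(self, name: str, password: str) -> Optional[Principal]:
        record = self._users.get(name)
        if record is None:
            return None
        salt, pw_hash, roles = record
        if not hmac.compare_digest(pw_hash, _hash_password(password, salt)):
            return None
        return Principal(name, roles)

    def _has_right(self, who: Principal, resource: str, action: str) -> bool:
        # Deny by default: the right must appear in one of the caller's roles.
        return any((resource, action) in ROLES[r] for r in who.roles)

    # Authorization: limiting what you can do based on who you are.
    def authorize(self, who: Principal, resource: str, action: str) -> bool:
        allowed = self._has_right(who, resource, action)
        self._record(who, resource, action, allowed)
        return allowed

    # Privileged work is done by a named person holding the 'admin' right on
    # the resource, never via a shared root/sa login, so the audit record
    # names the individual and the exact command.
    def run_admin(self, who: Principal, resource: str, command: str) -> bool:
        allowed = self._has_right(who, resource, "admin")
        self._record(who, resource, f"admin:{command}", allowed)
        return allowed

    def _record(self, who: Principal, resource: str, action: str, allowed: bool) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": who.name, "resource": resource, "action": action,
            "result": "ALLOW" if allowed else "DENY",
        })


def demo() -> dict:
    """Constructed scenario: a clerk, a DBA, and an attacker who has stolen
    the clerk's password and tries to use it for administrative work."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple", {"payroll_clerk"})
    ac.add_user("bob", "a-much-longer-dba-passphrase", {"payroll_dba"})
    alice = ac.authenticate("alice", "correct horse battery staple")
    bob = ac.authenticate("bob", "a-much-longer-dba-passphrase")
    if alice is None or bob is None:
        raise RuntimeError("demo users failed to authenticate")
    return {
        "bad_password_rejected": ac.authenticate("alice", "wrong") is None,
        "clerk_reads_payroll": ac.authorize(alice, "payroll", "read"),
        "clerk_reads_employees": ac.authorize(alice, "employees", "read"),
        "stolen_clerk_cred_admin": ac.run_admin(alice, "payroll", "DROP TABLE payroll"),
        "dba_admin": ac.run_admin(bob, "payroll", "VACUUM payroll"),
        "admins_in_log": [e["user"] for e in ac.audit_log
                          if e["action"].startswith("admin:") and e["result"] == "ALLOW"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the demo is the last two entries: the stolen clerk credential can read payroll (its job) but is denied the administrative action, and the only successful admin action in the log is attributed to a named person, bob, rather than to an anonymous superuser.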
by Matthew Johnston, managing director for South Asia, Dell Software