The security landscape is rapidly changing in form, complexity, volume and timing.
According to the Ponemon 2014 Cost of Data Breach Study, there are roughly 387 new malware threats every minute, or more than six every second, and if your company is unlucky enough to be hit by an attack, it could cost $3.5 million. Even this astronomical figure may not represent the true cost of a breach since most companies do not assign enough worth to their most valuable asset: data.
Unfortunately, it is extremely difficult for organisations to assign a value to their intangible information assets, like data. Without having established a value on its data assets, an organisation will find it nearly impossible to perform a risk analysis – an essential step in determining the best approach to securing their data.
>See also: The 2015 cyber security roadmap
But, data can also represent an organisation’s greatest liability. If data is not properly disposed of, the risks to an organisation, should there be a breach, can be devastating.
Hackers today have a wide range of motivations from pure financial gains and commercial ransom to political statements and protest. High-profile events have affected millions of households around the globe and resulted in a myriad of information, including health records, bank accounts, and the very sensitive reveal of personal information, emails and scripts from a large corporation to the masses.
These events have taught businesses to never assume data is simply not of interest to cybercriminals and thus has no value. If a hacktivist or insider-attack strikes, old company emails might be exactly what they need to embarrass or blackmail. For the nation state or organised crime-based attacker, personal information might be the key for their black market dealings.
A key step in determining the value of data is to pinpoint its location. Many larger organisations have a history of mergers and acquisitions or large structural changes. These activities can lead to data being scattered across a multitude of systems, including ‘shadow IT’ infrastructures, which only exacerbate the problem by making the application of proper security controls nearly impossible.
Technology alone is not the answer. Strong cyber security measures, in many ways, have as much to do with process as it does with technology. Even though organisations spend an average of $500,000 to $800,000 on security for a 1,000-person organisation, according to 451 Research’s report ‘The Real Cost of Security’, that figure doesn’t account for maintenance, training, staff turnover and technology refreshes.
It is only after an organisation has undergone a thorough risk assessment that it can apply proper security controls and procedures to protect its data. The type of security controls, and the amount spent on those controls, should be based on data value, vulnerability, and the likelihood of a breach and the impact of breach.
Company-wide security procedures, including database authentication, BYOD security controls and document archiving and destruction must be implemented to complete the security posture. This approach improves an organisation’s overall security posture, and can lower its costs.
>See also: 2015: the year of cyber security action, not words
Threat intelligence can be the key to early detection of potential vulnerabilities that can lead to data breaches. Potential breaches are discovered by monitoring for two-way communications between systems and bad actors on the Internet.
For example, threat research could indicate that a database application is communicating with new and unusual external IP address, and that data is being exchanged. If discovered early enough, access can be shut down prior to the onset of the data exfiltration process.
*Origination traffic based on botnet command and control server activity measured by Level 3 Threat Research Labs during the period of Q1 2015
There are no silver bullets, but with the right processes in place many of the data breaches over the past year could have been avoided. A comprehensive security posture derived from a risk assessment based on data value and location is needed to secure enterprises today.
Sourced from Chris Richter, SVP of managed security services at Level 3 Communications. Chris will speak in the Information Security Exchange seminar stream at InfoSecurity Europe on 4 June.