ISACA Now Blog


Stopping Data Leakage: A Four-Tiered Approach

Michael Brengs, Managing Partner, Optimal IdM

Posted at 3:13 PM by ISACA News | Category: Audit-Assurance

According to research by the Ponemon Institute, the average cost of a data breach in 2015 reached more than $3.8 million, or between $145 and $154 per record compromised. That is a 23 percent increase over 2013. This upward trend reflects a clear need for more effective security controls, both in terms of information storage and at the level of an organization’s policies and procedures. While every business faces different threats, there are several steps every entity can take to be more secure.

  1. Start From the Ground Up
    Even the most sophisticated system is only as safe as its users. Whether it is an employee clicking on the wrong link or an unsecured device in a BYOD environment, human error is a factor in almost every data breach. The authors of the Experian 2015 Data Breach Industry Forecast note that “employees and negligence are the leading cause of security incidents but remain the least reported issue.”

    To build safer networks, start with your staff. Cisco Systems found that 43 percent of IT professionals felt not enough was done to educate employees about security risks. To address this, make sure employees have the resources they need to work safely and securely. You can consider holding mandatory refresher courses on basics, such as password safety, appointing a dedicated liaison between staff and security personnel, and establishing clear policies for responding to incidents when they happen.

  2. Secure Board-Level Involvement
    At the other end of the spectrum is your board: the high-level decision-makers who establish organizational priorities, delegate responsibilities and set aside funding for security projects. Engaging management in cybersecurity is good for you and good for C-level executives, who often face critical media coverage and legal and regulatory scrutiny after a major incident. Though it may seem obvious, the more management prioritizes security, the more empowered IT professionals will be to implement systems and policies that are truly effective.

  3. Take Auditing Seriously
    As you move from the level of people and policies to the actual systems at work defending your network, make sure you take full advantage of the network security tools currently at your disposal. Too many organizations view meeting their regulatory requirements for data governance — whether it’s vis-à-vis HIPAA, ISO 27001 or any other standard — as a nuisance requirement. As a result, expectations are low, responsibilities for action are fragmented and costs are often excessive.

    According to a 2012 PwC report, audits need to play a critical role in providing assurance around data security and privacy controls. When done properly, auditing provides a framework for enhancing security organization-wide and mitigating the risk of a data breach. Periodic audits provide a snapshot of who is accessing your databases, how they are doing it, and how strong your overall security posture is. You can use this information to identify gaps, set goals and priorities, and manage risk more effectively.

  4. Centralize Access Control
    In complex, multi-forest network environments, access control is one of the most persistent problems administrators have to deal with. While implementing the principle of least privilege (POLP) is widely recognized as one of the best things you can do for network security, the reality is complex. In Active Directory, tools like virtual identity servers can provide a centralized platform for managing applications and identities across multiple databases via a virtual Lightweight Directory Access Protocol (LDAP) directory. This saves your IT team time and reduces the risk of an employee gaining unauthorized access to sensitive data.
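The two ideas in points 3 and 4 (an audit snapshot of who is accessing which data, and one virtual view over several directories that grants only least-privilege entitlements) can be sketched in a few dozen lines. This is an added illustration, not code from the post or from any vendor's virtual directory product; the two "forests", the DNs, the group names and the entitlement table are all constructed sample data.

```python
"""Toy virtual directory: one lookup surface over two directory backends,
least-privilege entitlement resolution, and an audit trail.
Illustrative only; backends and policy below are constructed samples."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample backends keyed by LDAP-style DN (two separate "forests").
CORP_FOREST = {
    "cn=alice,ou=users,dc=corp,dc=example": {"groups": ["finance", "hr-readonly"]},
    "cn=bob,ou=users,dc=corp,dc=example": {"groups": ["engineering"]},
}
LAB_FOREST = {
    "cn=bob,ou=users,dc=lab,dc=example": {"groups": ["lab-admins"]},
}

# Least-privilege policy: a group grants only the listed (application, right) pairs,
# so an account with no matching group gets nothing by default.
ENTITLEMENTS = {
    "finance": {("payroll-db", "read"), ("payroll-db", "write")},
    "hr-readonly": {("hr-db", "read")},
    "engineering": {("source-repo", "read")},
    "lab-admins": {("lab-db", "read")},
}


@dataclass
class VirtualDirectory:
    backends: dict                      # backend name -> {dn: attributes}
    audit_log: list = field(default_factory=list)

    def find(self, uid):
        """Merge group membership for uid across every backend (the virtual view)."""
        groups, sources = set(), []
        for name, backend in self.backends.items():
            for dn, attrs in backend.items():
                if dn.startswith(f"cn={uid},"):
                    groups.update(attrs["groups"])
                    sources.append(name)
        return groups, sources

    def authorize(self, uid, app, right):
        """Decide an access request and record it, allow or deny, for later audit."""
        groups, sources = self.find(uid)
        allowed = any((app, right) in ENTITLEMENTS.get(g, set()) for g in groups)
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "uid": uid,
                               "app": app, "right": right, "sources": sources,
                               "decision": "allow" if allowed else "deny"})
        return allowed

    def snapshot(self, app):
        """Audit view: who requested access to this application, what right, and the outcome."""
        return [(e["uid"], e["right"], e["decision"]) for e in self.audit_log if e["app"] == app]
```

Note that bob's entitlements come from both forests at once, which is exactly the cross-directory view a virtual LDAP layer is meant to give an auditor in one place.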

Ultimately, managing risks across complex corporate networks requires that people, policies and programs work together to prevent sensitive data from getting into the hands of malicious actors. When your staff members know what they are doing, your executives know why it is important and your IT team has the tools to monitor and manage activity at both levels, you have taken an important step towards securing your data and preventing a leak before it happens.

