Facebook, British Airways, Uber, Verizon, and over 140 US-based universities … all have recently suffered massive data breaches and, as a result, irreparable damage, both monetary and reputational.

With each new data breach, it becomes more and more evident that IT governance is critical and data breaches must be looked at as an organizational risk—after all, they have the power to totally cripple the business and disrupt operations, impacting the bottom line.

Vulnerabilities exist in every organization

According to Wired magazine’s Worst Cybersecurity Breaches of 2018 So Far, a group of Iranian hackers were able to infiltrate 144 US-based universities (in addition to international universities and private companies across the globe) through spear phishing emails.

These emails were highly targeted. They tricked the professors and other university affiliates to click on malicious links and enter their login information. Before you knew it, the suspected hackers had their hands on over 31 terabytes of data.

For these large, well-known universities—organizations with data privacy officers, data protection managers, IT compliance managers, or infosec managers—how does this sort of thing happen? And more importantly, how can it be prevented?

Identify your specific threats and controls

You might not be the size of Facebook, and maybe your IT team is significantly smaller than the one at Uber, but there are some general IT governance best practices you can implement to ensure proper infosec hygiene and stop your data from falling into the hands of unauthorized individuals.

The first step is to identify your threats. In the case of this blog post, we’re focused on data breaches, so some examples that could result in a data breach include:

  1. Systems and network devices use out-of-date, potentially vulnerable software.
  2. Inappropriate manual intervention may cause unauthorized changes to programs or data.
  3. Inappropriate access may lead to unauthorized changes to systems or programs.

Those are just a few examples. There are countless resources to help you with threat identification, from simple reference lists like this one from Advisera, to advanced threat intelligence platforms.

Once you’ve identified potential threats, you should identify and implement the controls. Some sample mitigating controls based on the threats listed above could include:

  1. Ensure system software patches and upgrades to server systems and network devices are applied.
  2. Employ a defense-in-depth strategy for cybersecurity and implement critical systems to help prevent known threats and vulnerabilities (i.e., anti-malware, anti-virus, encryption, data loss protection, firewall, VPN, etc.).
  3. Authenticate the identity of users and ensure the proper maintenance of these user profiles so that new contractors, terminations, and role changes are always up to date.

Continuously monitor controls

Next, you’ll need to test your controls. This is so you can ensure they’re operating effectively and mitigating your identified threats. Using traditional methods, the process of monitoring can be very time consuming and prone to error.

But it becomes much easier when you connect your data sources in a single platform like ACL, and employ analytical techniques for automated testing. And for those of you who aren’t scripting wizards, ACL has pre-built scripts to run countless tests.

A few tests to consider based on the controls above:

  • Failed login trends: identify how many times a user has failed to login and flag the instances that might require further examination.
  • Password expiration: find those user accounts where the password age exceeds the expiration policy.
  • Dormant accounts: locate user accounts that have been inactive for an extended period of time.

Setting these control tests to run on a regular basis (continuous monitoring) will help to ensure you’re staying on top of your controls and you’ll know right away when something suspicious needs your attention.

Refine and expand your program

Identifying and prioritizing threats, and continuously monitoring the effectiveness of IT controls leads to increased confidence in any organization’s cybersecurity.

This data-driven approach means that you’ll be able to quantify risk and focus your efforts as well as your limited resources. And over time, your program will become more sophisticated, which means you’ll know which areas require more attention and which require less.

The final piece of the puzzle is to integrate the technical elements of your cybersecurity program (discussed above) with your overall IT risk landscape. Once you’ve achieved that, you can start looking to align with the top-level enterprise risk management framework of the organization. Cybersecurity is regularly cited as one of the key risks on every board’s agenda and because of that, it needs to be effectively managed, both bottom-up and top-down.

Of course, all of this is made so much easier when you use a tool like ACL. Read up on how to get started with IT governance software or learn about ACL’s IT governance solution.

eBook: 9 steps to IT audit readiness

eBook:
9 steps to IT audit readiness

In this 22-page eBook, you’ll learn how to:

  • Identify and assess IT risks and map them to controls
  • Plan, scope, and stress test micro risks
  • Assess the effectiveness of existing controls
  • Capture, track, and report deficiencies
  • Create a continuous cycle of testing, monitoring controls, and addressing exceptions.

Download eBook

Share This