Facebook, British Airways, Uber, Verizon, and over 140 US-based universities … all have recently suffered massive data breaches and, as a result, irreparable damage, both monetary and reputational.
With each new data breach, it becomes more and more evident that IT governance is critical and data breaches must be looked at as an organizational risk—after all, they have the power to totally cripple the business and disrupt operations, impacting the bottom line.
Vulnerabilities exist in every organization
According to Wired magazine’s “Worst Cybersecurity Breaches of 2018 So Far,” a group of Iranian hackers was able to infiltrate 144 US-based universities (in addition to international universities and private companies across the globe) through spear phishing emails.
These emails were highly targeted. They tricked professors and other university affiliates into clicking on malicious links and entering their login information. Before you knew it, the suspected hackers had their hands on over 31 terabytes of data.
For these large, well-known universities—organizations with data privacy officers, data protection managers, IT compliance managers, or infosec managers—how does this sort of thing happen? And more importantly, how can it be prevented?
Identify your specific threats and controls
You might not be the size of Facebook, and maybe your IT team is significantly smaller than the one at Uber, but there are some general IT governance best practices you can implement to ensure proper infosec hygiene and stop your data from falling into the hands of unauthorized individuals.
The first step is to identify your threats. In the case of this blog post, we’re focused on data breaches, so some examples that could result in a data breach include:
Those are just a few examples. There are countless resources to help you with threat identification, from simple reference lists like this one from Advisera, to advanced threat intelligence platforms.
Once you’ve identified potential threats, you should identify and implement the controls. Some sample mitigating controls based on the threats listed above could include:
Continuously monitor controls
Next, you’ll need to test your controls so you can ensure they’re operating effectively and mitigating your identified threats. Using traditional methods, the process of monitoring can be very time-consuming and prone to error.
But it becomes much easier when you connect your data sources in a single platform like ACL, and employ analytical techniques for automated testing. And for those of you who aren’t scripting wizards, ACL has pre-built scripts to run countless tests.
A few tests to consider based on the controls above:
Setting these control tests to run on a regular basis (continuous monitoring) will help to ensure you’re staying on top of your controls and you’ll know right away when something suspicious needs your attention.
Refine and expand your program
Identifying and prioritizing threats and continuously monitoring the effectiveness of IT controls lead to increased confidence in any organization’s cybersecurity.
This data-driven approach means that you’ll be able to quantify risk and focus your efforts as well as your limited resources. And over time, your program will become more sophisticated, which means you’ll know which areas require more attention and which require less.
The final piece of the puzzle is to integrate the technical elements of your cybersecurity program (discussed above) with your overall IT risk landscape. Once you’ve achieved that, you can start looking to align with the top-level enterprise risk management framework of the organization. Cybersecurity is regularly cited as one of the key risks on every board’s agenda, and because of that, it needs to be effectively managed, both bottom-up and top-down.
In this 22-page eBook, you’ll learn how to:
- Identify and assess IT risks and map them to controls
- Plan, scope, and stress test micro risks
- Assess the effectiveness of existing controls
- Capture, track, and report deficiencies
- Create a continuous cycle of testing, monitoring controls, and addressing exceptions.