The Changing Face of Data Security
As data breaches become an almost daily occurrence, the conversation about who is responsible has started to change.
March 2019 │ Omada
In the last twelve months, as data breaches have become a regular occurrence and the impact of GDPR has been fully realized, there has been a lot of news reporting on identity theft. This trend may not be surprising, given the increasing complexity of the globalized, digitalized and hybridized world we live in, but the change in the dialogue around who is to blame for these breaches is worth paying attention to. We investigate the DACH media to find out what is being discussed.
From ‘bad behavior’ to inadequate security
In previous years, it was said the onus fell very much on individuals and end users: that it was their ‘bad’ behaviors that were to blame for data breaches. There was a proliferation of articles discussing how to change your password and make it more complex; how phishing methods were getting smarter; and how security breaches were largely caused by ‘stupid’ end users.
But more recently that discussion has changed. This year Heise Online reported that, while about 2.2 billion stolen records are currently circulating on the internet, all of these are actually the result of an organization’s breached access. End users have become the victims of organizations’ failed security measures, and it is the organizations’ negligence in handling users’ passwords that has resulted in data leaks. The leaked information – with various large-scale examples like Yahoo, eBay, Adobe, LinkedIn and Dropbox – is the product of organizations, who were entrusted to look after users’ data, not paying close enough attention to their own storage of it.
A shift in the data breach conversation
More and more articles are reporting that companies and organizations are being attacked because they do not secure data professionally: whether by storing or transmitting passwords in clear text; by making account phishing too easy; or even by giving users more passwords than they can reasonably handle. The onus appears no longer to be on individuals to secure their own data, but rather on those who store it and use it to trade.
We are also seeing the focus move to ensuring that companies do not misuse individuals’ data, through the enforcement of public regulations like GDPR. Large fees are now levied for non-compliance, greatly increasing the financial risk to companies that mishandle data. In fact, the State of California has gone a step further with a cybersecurity law for the Internet of Things that is designed to prevent unlawful access by regulating the behavior of manufacturers more closely. From 1 January 2020, manufacturers of Internet-enabled devices must equip them with "proportionate" security features that will ensure they can prevent unauthorized access, modification or information disclosure.
What does this mean for your organization’s security?
A lack of data security today has more significant consequences than in the past. It can cause tremendous damage to an organization’s reputation (being reported on by global media), to its bottom line (in the form of data breach lawsuits and fines for GDPR non-compliance), and to its ongoing ability to trade (through stolen IP that can potentially be misused by competitors).
Organizations need to continuously ensure that they have the right level of security implemented for their needs and context. The first step is understanding your organization’s risk appetite, and how this can help fuel and prioritize which security initiatives should be put in place to minimize the risk of malicious activity, whether intentional or accidental.
When it comes to protecting your organization against data breaches and information theft, identity management and access governance play a major role in your security. They are the only way to ensure that you know who has access to sensitive and company-confidential information stored in your business systems. Access rights to information should only be granted on a “need-to-use” basis, so if a user does not have a legitimate business use for the data, their access should be revoked. In addition, accounts of employees who are no longer working with the organization should be removed, and technical accounts used for administrative purposes should be assigned an owner so they can be governed properly. Alongside ordinary user accounts, so-called privileged accounts that have administration rights to various business systems should be tightly controlled, as their compromise might give an attacker access to a significant amount of sensitive company information.
As well as preventing compromised identities from granting excessive access to attackers, locking down users so that they do not have excessive access to information helps protect against insider attacks. These are attacks by employees who already have legitimate access to the system, but who may have malicious intent because they are unhappy with some company action, or because they are leaving the company for a competitor and want to steal company secrets.
Being able to document that you are in control of your security and your identities’ access rights is the only way you can stay compliant with regulations like GDPR, and stay out of the media. The onus is on an organization to protect its data and that of its users and business partners. No longer just a ‘nice to have’, identity governance and administration (IGA) is both a license to operate and a business advantage.
How can you make your data more secure?
Organizations need to understand and act on the integral role they play in protecting their own and their users’ data. Consider these key areas before you take action to protect your organization from a data breach:
- Understand the importance of reconciliation: reconciliation is the cornerstone of a robust Identity Access Management (IAM) solution. Without it, you will not be able to get in control and stay in control, that is, to know when your access is breached so you can take the appropriate measures to rectify it.
- Recognize IAM as an enterprise-wide security system: this means that it carries the same gravity and necessity as anti-virus software and firewalls, a view held not just by the public but by governmental departments like the German BSI (the federal authority for information security), which are tasked with minimizing risks for everyone.
- Remember to clean up: deleting old and unused accounts is just as important as securing new and ongoing ones. It isn’t hard to understand that the fewer accounts or users you have, the less data you have that can be stolen.
- Control extends to systems, not just data: getting in control of your data also means getting in control of your systems. But these powerhouses need processes and automation to make them secure.
- Reduce the number of admin accounts: this first requires being able to identify them. Once you have done this, you can create risk classifications, perform recertifications, and set up segregation of duties and approval mechanisms that will prevent toxic combinations of access rights.
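The reconciliation, clean-up and admin-account points above, together with the access-governance controls described earlier (removing leavers' accounts, giving technical accounts an owner, tightly controlling privileged accounts), can be illustrated with a small reconciliation run. This is an added example and not Omada's or any product's code; the HR roster, the accounts and the single segregation-of-duties rule are constructed for illustration.

```python
from typing import Dict, FrozenSet, List, Optional, Set
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    system: str                        # business system the account lives in
    login: str
    owner: Optional[str]               # HR id accountable for it; None = unowned technical account
    privileged: bool                   # carries administration rights in that system
    entitlements: FrozenSet[str] = frozenset()

# Assumed segregation-of-duties rule: these two rights must never meet on one identity.
TOXIC_PAIRS = [frozenset({"create_vendor", "approve_payment"})]

# Constructed sample data: HR says E300 has left; svc_backup has no owner on record.
HR_ACTIVE: Set[str] = {"E100", "E200"}
ACCOUNTS: List[Account] = [
    Account("ERP", "alice", "E100", False, frozenset({"create_vendor"})),
    Account("Payments", "alice.p", "E100", False, frozenset({"approve_payment"})),
    Account("AD", "bob", "E200", True),
    Account("ERP", "carol", "E300", False, frozenset({"view_reports"})),
    Account("DB", "svc_backup", None, True),
]

def reconcile(hr_active: Set[str], accounts: List[Account]) -> Dict[str, list]:
    """Compare every account against the HR roster and the SoD rules; return the
    governance gaps: orphaned leaver accounts, ownerless technical accounts,
    privileged accounts to recertify, and toxic right combinations per identity."""
    findings: Dict[str, list] = {k: [] for k in
        ("orphaned", "ownerless_technical", "privileged", "sod_violation")}
    rights_by_owner: Dict[str, Set[str]] = {}
    for acc in accounts:
        ref = f"{acc.system}/{acc.login}"
        if acc.owner is None:
            findings["ownerless_technical"].append(ref)
        elif acc.owner not in hr_active:
            findings["orphaned"].append(ref)        # leaver still has an account: remove it
        else:
            # Aggregate rights across systems: the two halves of a toxic pair
            # may sit in different systems under the same person.
            rights_by_owner.setdefault(acc.owner, set()).update(acc.entitlements)
        if acc.privileged:
            findings["privileged"].append(ref)
    for owner, rights in sorted(rights_by_owner.items()):
        for pair in TOXIC_PAIRS:
            if pair <= rights:
                findings["sod_violation"].append((owner, sorted(pair)))
    return findings

if __name__ == "__main__":
    for kind, refs in reconcile(HR_ACTIVE, ACCOUNTS).items():
        print(f"{kind}: {refs}")
```

In a real deployment the roster and account lists would be pulled from the HR system and each connected business system; the checks stay the same.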