March 2006 Issue


Evaluating and Minimizing Security Risk: Defending Customer Data
By Mark Shavlik

At least 105 security breaches were reported in the United States in 2005, affecting a minimum of 52 million consumers, according to the San Diego-based Privacy Rights Clearinghouse. A December 2005 report in USA Today puts the number higher still, at 130 breaches affecting an estimated 55 million Americans. Neither count includes breaches that went unreported or undetected, which are likely far more numerous. Legislators have taken notice: in 2005, 21 states adopted laws modeled on California's Security Breach Information Act (SB-1386), imposing civil and/or criminal penalties for failure to comply.

Such widespread legislation, coupled with federal compliance mandates from HIPAA to GLBA to SOX, makes protection of customer data a top priority for company executives. To minimize security risk, a business needs a plan that goes beyond security products to include the policies and procedures that secure data. Those policies and procedures must be easy to implement, and they must be understood and followed throughout the organization.

More than just data
Effectively protecting data directly affects the bottom line. A business found to have failed at data security may not only be legally liable but may also lose customers, reputation and revenue. Two surveys conducted by the Ponemon Institute and published in November 2005 underscore the hazards. The “National Survey on Data Security Breach Notification” found that 20 percent of U.S. adults who were notified of a security breach immediately terminated their accounts and a further 40 percent were considering doing so. The second survey, “Lost Customer Information: What Does a Data Breach Cost Companies,” found an average cost of $140 per lost record, with direct costs averaging $5 million per incident.

Despite this clear connection to the business as a whole, many companies today still evaluate information security based solely on technology, designing security strategies to protect the hardware, software and systems that run the business. While this is an important step in security, it should be viewed as one part of a larger security strategy.

To more effectively safeguard the information and, ultimately, the business itself, companies must take into account their own business goals. Better yet, businesses should use these goals to drive overall information security decisions.

Risk management
One valuable process, risk management, evaluates, defines and executes information security needs from the top of the organization down, balancing the bottom line against the level of security the organization actually requires. It helps a business identify its critical functions (such as customer data, communications, accounting and IT infrastructure), the risks to each function, the cost of each risk, and the likelihood of each risk occurring.

After these risks are identified, businesses can look at the cost of lowering the risks. Once the risks and costs are known, a plan for mitigation can be developed and the people, processes and products required for a cost-effective mitigation will become clear. Risk management allows a company to strategically determine how much it should spend to secure data and protect against risk. Spending too much on information security unnecessarily diverts financial and other resources from business objectives; spending too little invites the financial and reputational damage associated with security incidents.

Companies should begin risk management by defining a benchmark of existing assets and functions. From there, the following questions will help determine vulnerabilities within the business, and the potential impact of a failure:

- What are the threats to these critical functions and assets?
- What are the potential losses if a threat or failure is realized?
- What are the chances of the organization being affected by this threat or failure?
- What is the cost to reduce the risk to an acceptable level?

The risks associated with each function and asset then need to be evaluated individually to determine how each can best be mitigated. For each risk, managers must decide whether to avoid, reject, accept or transfer it, adjusting the baseline accordingly, before any security implementation strategy is started.

Avoidance requires the elimination of risk by ceasing or never undertaking an activity that produces exposure to risk. In making this decision, a company must weigh the potential value of an asset against the reality of not having it. If the risk is high and cannot be mitigated, the asset may have a negative value and should be avoided. But, avoidance decisions need to fit the business model as well. If a specific function is required for a business application, it cannot be avoided and therefore the company must find a way to reduce risk without disabling the service.

Risk rejection is a decision that the cost of mitigation outweighs the potential loss. For example, building a custom application to eliminate 100 percent of spam would be costly and could produce a high rate of false positives, introducing costs and productivity losses greater than those caused by the spam itself.

According to the Telecom Glossary 2K, risk acceptance can be defined as “a managerial decision to accept a certain degree of risk, usually for technical or cost reasons.” To help determine acceptable risk levels, develop a baseline of what security you already have in place. Make sure it is working properly and is up to date. Then determine the gap between what you have and what you need to reach the level of security you want to pay for.

Finally, transferring risk is the act of moving the responsibility to a third party, such as an insurance company. While this may be beneficial from a direct cost standpoint, risk transfer does not necessarily address loss of consumer and partner confidence.
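The four questions above (threat, potential loss, likelihood, cost to reduce) and the four treatment decisions (avoid, reject, accept, transfer) can be carried through as a small calculation. The following is an added example, not code from the article or from Shavlik Technologies: it expresses potential loss and likelihood as single loss expectancy (SLE) and annualized rate of occurrence (ARO), derives annualized loss expectancy (ALE = SLE × ARO), weighs each candidate control's cost against the loss it avoids, and then picks a treatment. Every asset, dollar figure, occurrence rate, control cost and insurance premium in the register is a constructed illustration, and the decision thresholds (the risk appetite in particular) are assumptions a real program would set from its own business goals.

```python
"""Quantitative risk assessment and treatment decision.

Added example, not part of the article. Every asset, loss figure,
occurrence rate, control cost and premium below is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Control:
    name: str
    annual_cost: float          # yearly cost to run the control
    aro_reduction: float        # fraction of incidents it prevents (0..1)
    sle_reduction: float = 0.0  # fraction of per-incident loss it removes (0..1)


@dataclass
class Risk:
    asset: str
    threat: str
    sle: float                      # single loss expectancy: loss per incident
    aro: float                      # annualized rate of occurrence
    required: bool = True           # False if the business could drop the function
    premium: Optional[float] = None  # yearly cost to insure the risk, if offered
    controls: List[Control] = field(default_factory=list)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: potential loss times likelihood."""
        return self.sle * self.aro


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    return (risk.sle * (1.0 - control.sle_reduction)
            * risk.aro * (1.0 - control.aro_reduction))


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided minus the control's own cost; negative means not worth it."""
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def decide(risk: Risk, appetite: float) -> Tuple[str, Optional[str]]:
    """Choose one treatment for a single risk.

    appetite: the annual loss the business is willing to carry on one risk
    (an assumed threshold). Returns (decision, control name or None).
    """
    if risk.ale <= appetite:
        return "accept", None                    # acceptance: within tolerance
    best = max(risk.controls, key=lambda c: net_benefit(risk, c), default=None)
    if best is not None and net_benefit(risk, best) > 0:
        return "mitigate", best.name             # a control pays for itself
    if not risk.required:
        return "avoid", None                     # avoidance: stop the activity
    if risk.premium is not None and risk.premium < risk.ale:
        return "transfer", None                  # transfer: insure it
    return "reject", None                        # rejection: mitigation costs more than the loss


APPETITE = 100_000.0   # assumed risk appetite per risk, per year

# Constructed register of critical functions, for illustration only.
RISKS = [
    Risk("customer database (50k records)", "breach", sle=50_000 * 140.0, aro=0.1,
         controls=[Control("encryption + config management", 120_000.0, aro_reduction=0.7)]),
    Risk("field laptops", "theft with data loss", sle=250_000.0, aro=2.0,
         controls=[Control("full-disk encryption", 30_000.0, aro_reduction=0.0,
                           sle_reduction=0.9)]),
    Risk("mail gateway", "spam", sle=200.0, aro=1_200.0,
         controls=[Control("custom zero-spam filter", 300_000.0, aro_reduction=1.0)]),
    Risk("legacy partner FTP portal", "compromise", sle=500_000.0, aro=0.4, required=False),
    Risk("primary data centre", "outage from fire", sle=1_000_000.0, aro=0.2,
         premium=60_000.0),
]


def assess(risks=RISKS, appetite=APPETITE):
    """Return {asset: (ALE, decision, control name or None)} for the register."""
    return {r.asset: (r.ale, *decide(r, appetite)) for r in risks}


if __name__ == "__main__":
    for asset, (ale, decision, ctl) in assess().items():
        print(f"{asset:38} ALE ${ale:>12,.0f}  -> {decision}"
              + (f" via {ctl}" if ctl else ""))
```

With these constructed inputs the spam risk comes out as "reject" (the $300,000 custom filter costs more than the $240,000 the spam itself loses each year), the customer database and laptops are mitigated because their controls avoid far more loss than they cost, the optional FTP portal is avoided, and the data-centre outage is transferred to insurance because the premium is below its ALE.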

Mitigation
Once the benchmark evaluation is complete, companies can evaluate and adopt the necessary strategies to mitigate business and information security risks. For example, by leveraging technology to embed and enforce regulatory compliance procedures, the audits and controls become a catalyst for improving security operations effectiveness. In the long run, adopting the proper technology can help both lower costs and simultaneously reduce risk.

The three most common weaknesses exploited by attackers are configuration errors, user errors and software defects. Patch management tools can close the window for attacks on known software defects, but configuration errors are the responsibility of security managers, IT personnel and even individual users. And no security software can protect a company from user mistakes, such as leaving a laptop containing sensitive company data unattended in a public place.

Security configuration errors not only threaten compliance mandates to protect data, they also expose the company to costly civil litigation or fines. The ability to manage and automatically mitigate these issues is critical. A successfully implemented security configuration management program can reduce the demands on IT staff, ensure a high level of system integrity, and proactively manage critical system and security configuration attributes.

Plan and Prioritize – Develop and maintain an auditable set of internal controls to ensure the accuracy, security and availability of corporate information. A poorly configured system puts an organization at just as much risk as a poorly patched one. Compliance mandates reinforce the need for greater control and auditability. Once security settings are set, check them regularly: settings tend to drift and weaken over time. Automated solutions help the administrator manage the state of the network quickly and easily.

Assess – Centralize management tasks to streamline efficiency and provide better overall accountability. Today’s corporate networks continue to grow in both size and complexity and the task of managing and controlling the configuration of these environments is becoming more difficult. Centralization and automation are the foundation of doing more with less.

Implement and Maintain – Use firewalls, anti-virus solutions, spyware management, intrusion detection systems, patch management and vulnerability scanning to protect the network. Provide an auditable method of tracking system security configuration changes to enforce and support compliance requirements. As the need to comply with industry best practices or regulations continues to grow, the ability to track, control and report on device configuration changes – past, present and future – is imperative. Integrated solutions are also growing in importance as more security products become required.
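The "check them regularly" step above is the one most often left to memory. The following is an added example, not code from the article or any Shavlik product, of the simplest form of an automated configuration audit: a baseline of required security settings is compared against a configuration file pulled from a host, and each deviation is reported with its severity. The baseline, the sample file and the severities are constructed for illustration; the file format is the generic "keyword value" (or "key = value") style used by sshd_config, and the parser keeps the first occurrence of a duplicated keyword because that is the value sshd would actually apply, so a compliant-looking duplicate appended later does not mask an earlier bad setting.

```python
"""Configuration baseline audit.

Added example, not from the article. The baseline, severities and the
sample host configuration are constructed; settings are named after
sshd_config keywords purely as a familiar illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    actual: Optional[str]   # None when the setting is absent from the host
    severity: str           # "high" or "medium"


# Baseline: keyword -> (required value, severity if it drifts). Constructed.
BASELINE: Dict[str, Tuple[str, str]] = {
    "PermitRootLogin":        ("no",      "high"),
    "PasswordAuthentication": ("no",      "high"),
    "Protocol":               ("2",       "high"),
    "X11Forwarding":          ("no",      "medium"),
    "MaxAuthTries":           ("3",       "medium"),
    "LogLevel":               ("VERBOSE", "medium"),
}

# "Key value" or "Key = value"; the value is everything after the separator.
_LINE = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_config(text: str) -> Dict[str, str]:
    """Parse a keyword/value file into {lowercased keyword: value}.

    Blank lines and '#' comments are skipped. When a keyword appears more
    than once the FIRST value is kept, matching sshd_config semantics.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue                      # keyword with no value: ignore
        key, value = m.group(1).lower(), m.group(2)
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit(current_text: str, baseline: Dict[str, Tuple[str, str]] = BASELINE) -> List[Finding]:
    """Compare a host's configuration against the baseline.

    A setting that is missing from the host is reported as drift, because
    the host is then running on whatever default the software ships with.
    """
    current = parse_config(current_text)
    findings: List[Finding] = []
    for key, (expected, severity) in baseline.items():
        actual = current.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(key, expected, actual, severity))
    return findings


def worst_severity(findings: List[Finding]) -> Optional[str]:
    """Overall grade for a host: 'high', 'medium' or None when compliant."""
    levels = {f.severity for f in findings}
    if "high" in levels:
        return "high"
    return "medium" if "medium" in levels else None


# Constructed sample of a configuration pulled from one host.
SAMPLE_CURRENT = """\
# sshd_config collected from host web-01 (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding = no
MaxAuthTries 6
# LogLevel left at the software default
# Later duplicate: ignored, because the first value wins
PermitRootLogin no
"""


if __name__ == "__main__":
    found = audit(SAMPLE_CURRENT)
    for f in found:
        shown = "<missing>" if f.actual is None else f.actual
        print(f"[{f.severity:6}] {f.key}: expected {f.expected!r}, found {shown!r}")
    print("overall:", worst_severity(found) or "compliant")
```

Run against the sample, the audit reports PermitRootLogin (high), MaxAuthTries (medium) and the absent LogLevel (medium), and grades the host "high"; feeding it a file that matches the baseline returns no findings. In a real program the baseline would be versioned alongside the policy it implements so that the audit trail the article calls for covers both the settings and the changes to what is required.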

It is important to acknowledge that risk can never be 100 percent mitigated, no matter how much planning goes into a company’s business risk assessment, or how many strategies result from the process. Unknown factors can always change the game, but once an asset, threat or risk is known, assessment and mitigation can begin. This is the reason policies are essential to properly implement and enforce mitigation techniques. Review security risk policies annually to ensure they are still consistent with the organization’s business goals.

Managing the information security of a business through risk assessment and mitigation should also be viewed as an ongoing function. Risk is not a problem that can be solved, but it is a problem that can be managed in a cost-effective way.

About the Author:
Mark Shavlik is President and CEO of Shavlik Technologies, which offers a unique, market-driven approach to security application design and development.

© IMPIRE Communications, LLC All Rights Reserved.  