BreachExchange mailing list archives

Think Beyond Compliance-Driven Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 30 Oct 2015 13:23:22 -0600

http://www.cutimes.com/2015/10/30/think-beyond-compliance-driven-security

The financial services sector is often regarded as a benchmark of IT and
security. This leadership position, however, also comes at a price:
Financial services was one of the first industries to be impacted by
cybercrime. That comes as little surprise: as the tale of Willy Sutton
(a prolific bank robber) has it, when a reporter asked him why he robbed
banks, he simply replied, “Because that's where the money is.” The
latest research from PwC shows that cybercrime accounted for 39% of
financial services economic crime, compared to 17% in other industries.

One estimate suggests financial services companies will spend $2.6 billion
by 2016 on protecting networks and other cybersecurity efforts. The cost of
compliance, when graphed alongside security spending, shows a similar
trend: the effort and resources spent on compliance are also rising
steeply, and compliance costs are as unavoidable as cybercrime.
However, we will need to expand the scope of our security thinking.
Focusing on compliance alone as a security strategy is not enough anymore.
Just because an item doesn't fall under a regulation doesn't mean it's not
sensitive data. If compliance is the only basis of a data protection
strategy, an organization risks being compliant without being secure.

A compliance-driven view of data security simply does not equal a more
secure environment. When we look at data through a compliance lens only, we
see only two types of data: regulated or not regulated. But the
reality is not that simple. Sensitive data exists beyond the realm of data
that falls under compliance. Corporate secrets, customer preferences, sales
contacts, the timing and planning of a new product launch, financial data –
all of these are sensitive and need to be protected because, in case of a
breach, they can be the source of significant post-breach losses.

The intersection of cybercrime and compliance occurs at the very source of
our security efforts: protecting sensitive data. And the necessity of that
protection continues to evolve beyond “hacking.” Current threats include
data manipulation, reputation damage and loss of competitive advantage.

Let's take a step back. What exactly makes data sensitive? By definition,
sensitive data is information that must be protected from unauthorized
access to safeguard the privacy or security of an individual or
organization. What does that mean to you, the person tasked with protecting
the privacy and security of your organization, and the privacy of your
members, partners and employees? It likely means that sensitive data is any
data that if lost, stolen or exposed could financially harm an
organization, cause reputational damage or be a reason for termination.

Financial services organizations have established themselves at the
forefront of monetizing technology and protecting their systems and
information within. The speed at which sensitive data is now created poses
a new challenge to this sector. The increasing premiums of cyber insurance
along with newly introduced limits reduce the effectiveness of risk
transferal as a viable means of managing cyber risk. In plain language, the
2013 Target breach cost the company an estimated $264 million, only $90
million of which Target will recoup from insurance policies. Similarly,
Home Depot incurred an estimated $234 million in expenses, with insurance
covering only about $100 million of that. And both companies are facing
steep increases in premiums along with everyone else also seeking cyber
insurance.

While non-insurable post-breach damages continue to skyrocket,
organizations’ ability to locate their sensitive data is not keeping pace,
as is illustrated by another high profile incident, the Sony breach. It
highlights just how much most organizations may not know about where their
sensitive data resides: There were 601 files that contained Social Security
numbers, 523 of which were Excel spreadsheets. More than 3,000 of those
Social Security numbers appeared in more than 100 locations. This
represents just a snapshot of the company's sensitive data footprint. That
large a footprint would challenge even the best information security team.

The lessons from these examples point not to a lack of security controls,
but mostly to the challenges of understanding where sensitive data resides.
Our ability to place the proper security controls on and around data begins
with knowing all of the places where data resides and understanding what
the data is. These are the pillars of a solid financial data security
program.
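Knowing where sensitive data resides is easy to state and hard to do at scale, which is what the Sony file counts above illustrate. The following Python script is an added example, not code from the article or from this mailing list post: it walks a directory tree, pulls text out of plain files and out of .xlsx workbooks (which are zip archives whose cell strings sit in xl/sharedStrings.xml or inline in xl/worksheets/*.xml), keeps only values that pass the Social Security Administration's structural rules (area never 000, 666 or 900-999; group and serial never all zeros), and reports how many files hold SSNs and how many SSNs recur across locations. The directory layout, file names and SSN values are constructed sample data, not real records; a real run would point scan_tree at a file share and would add extractors for whatever other formats the organization actually stores.

```python
"""Sensitive-data discovery: find where SSN-shaped values live in a file tree.

Hypothetical example added to illustrate the point above; it is not code from
the article or the mailing list. It walks a directory, pulls text out of plain
files and .xlsx workbooks (a zip of XML: cell strings live in
xl/sharedStrings.xml or as inline strings in xl/worksheets/*.xml), and reports
how many files hold SSNs and how many SSNs recur in more than one location.
"""
import os
import re
import tempfile
import zipfile
from collections import defaultdict
from xml.etree import ElementTree as ET

# Dashed SSN shape only; undashed 9-digit runs would drown the report in false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural checks from the SSA: area is never 000, 666 or 900-999;
    group and serial are never all zeros."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def text_from_xlsx(path: str) -> str:
    """Collect every <t> text node from the shared-string table and the sheets."""
    parts = []
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name == "xl/sharedStrings.xml" or (
                name.startswith("xl/worksheets/") and name.endswith(".xml")
            ):
                root = ET.fromstring(z.read(name))
                for el in root.iter():
                    if el.tag.rsplit("}", 1)[-1] == "t" and el.text:
                        parts.append(el.text)
    return "\n".join(parts)


def text_from_file(path: str) -> str:
    if path.lower().endswith(".xlsx"):
        return text_from_xlsx(path)
    with open(path, "rb") as f:
        return f.read().decode("utf-8", errors="replace")


def scan_tree(root_dir: str) -> dict:
    """Map each plausible SSN found under root_dir to the set of files holding it."""
    found = defaultdict(set)
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                text = text_from_file(path)
            except (OSError, zipfile.BadZipFile, ET.ParseError):
                continue  # unreadable or malformed: skip, do not abort the inventory
            for m in SSN_RE.finditer(text):
                if is_plausible_ssn(*m.groups()):
                    found[m.group(0)].add(path)
    return dict(found)


def summarize(found: dict) -> dict:
    files = set().union(*found.values()) if found else set()
    return {
        "files_with_ssn": len(files),
        "unique_ssns": len(found),
        "ssns_in_multiple_locations": sum(1 for p in found.values() if len(p) > 1),
    }


def build_sample_tree(root: str) -> None:
    """Constructed sample data (not real records): an HR export, a support note
    with decoy values that fail the SSA checks, and a minimal xlsx-shaped zip."""
    os.makedirs(os.path.join(root, "hr"))
    os.makedirs(os.path.join(root, "notes"))
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "hr", "payroll_export.csv"), "w") as f:
        f.write("name,ssn\nAlice Example,219-09-9999\nBob Example,078-05-1120\n")
    with open(os.path.join(root, "notes", "ticket.txt"), "w") as f:
        f.write("Customer 219-09-9999 called. Test values 000-12-3456, "
                "666-01-0001 and 987-65-4321 must not count.\n")
    shared = (f'<sst xmlns="{SML_NS}"><si><t>Bob Example</t></si>'
              f'<si><t>078-05-1120</t></si></sst>')
    sheet = (f'<worksheet xmlns="{SML_NS}"><sheetData><row r="1">'
             f'<c r="A1" t="inlineStr"><is><t>312-45-6789</t></is></c>'
             f'</row></sheetData></worksheet>')
    with zipfile.ZipFile(os.path.join(root, "finance", "backup.xlsx"), "w") as z:
        z.writestr("xl/sharedStrings.xml", shared)
        z.writestr("xl/worksheets/sheet1.xml", sheet)


def run_demo() -> tuple:
    """Build the sample tree, scan it, and return (summary, {ssn: file_count})."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = scan_tree(root)
        return summarize(found), {s: len(p) for s, p in found.items()}


if __name__ == "__main__":
    summary, counts = run_demo()
    print(summary)
    for ssn, n in sorted(counts.items()):
        print(f"{ssn}: found in {n} file(s)")
```

On the constructed sample the scan reports three files holding SSNs, three unique SSNs, and two of them present in more than one location, while the three decoy values in the ticket note are rejected by the structural checks. The "in more than one location" figure is the one worth watching in a real inventory: each extra copy of the same record is another place a control has to be applied, and the copies in spreadsheets and ticket notes are the ones nobody put a control on.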
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
