BreachExchange mailing list archives

How to avoid becoming the next big data breach in 2016


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Dec 2015 19:16:54 -0700

http://www.itnews.com.au/blogentry/how-to-avoid-becoming-the-next-big-data-breach-in-2016-412791


2015 was a big year for data breaches.

Ashley Madison’s takedown, the US Office of Personnel Management breach of
millions of US government employees’ personnel records and the gigantic
healthcare record theft from Anthem were just a few of the stories that
captured international media attention.

Closer to home, we saw David Jones and Kmart get hacked within a few days
of each other, while other smaller companies similarly weren't able to keep
attackers out of their systems.

The past twelve months have shown that it doesn’t matter how much companies
spend on controls: if you haven’t papered over all the cracks, determined
hackers will find a way to breach the castle walls.

Here are a few suggestions of things you can do next year to bolster your
organisation’s defences, fend off the attackers and make sure you aren’t in
the headlines as the next David Jones or Anthem.

Implement security standards

There are a lot of security people who deride the security management
approach, insisting that the only way to be secure is to invest in
technological defences. This may be partly true, but you need to look at the
big picture.

If you get executive buy-in to implement ISO 27001, you’ll have begun to
build security awareness across the enterprise, combining people, process
and technology, including the security management of facilities, suppliers
and business continuity considerations.

Adoption of a standard doesn’t mean you are ignoring the technical
weaknesses in your systems, but it does mean that you’ll be adopting a more
structured approach to management of business risk, something that
ultimately helps you get further investment in security controls based on a
solid business justification.

Patch your systems and applications

Most organisations struggle with basic systems hygiene, keeping operating
systems and applications patched up to date.

It’s also true that most successful attacks start with a simple phishing
email that entices users to run malware, which then searches for
vulnerabilities the attacker can exploit further.

If your systems and applications are always patched and up to date, a
successful attack will be significantly harder to achieve, so consider
re-prioritising patching as one of the most critically important security
processes your organisation manages.

Build an effective team

If you don’t have a security team, start by creating a business case to
build one and lobby senior management with the evidence of what it will
bring to your organisation.

Security is a massively underestimated problem and requires specialist
managers who have one foot in the technical world and the other firmly
planted in the executive suite.

With new hires, look for certifications and relevant experience, but if in
doubt, consult a professional body to make sure you understand the job
roles you are hiring for.

In the interview, cross-check the candidate’s CV, but also make sure the
candidate understands what you need and can actually do it: one man’s
security architect is another man’s firewall engineer, but neither will be
pulling well-considered quantitative risk assessments out of their weekly
operational presentations.

Make sure you define the roles properly and align with industry definitions.

Implement training and awareness

I’m sure you’ve heard it many times: security is everyone’s responsibility
and people are the weakest link.

It’s true: untrained staff will not consider security risks when going
about their daily business unless you graft it into their DNA. The ISO 27001
standard doesn’t make a security awareness programme a mandatory control
for no reason.

By teaching your staff about the risks and reinforcing positive security
messaging through bulletins, ad-hoc chats, management town hall
discussions, posters and lunch and learn sessions, you build a culture of
awareness where staff will question everything that poses a risk.

Consider implementing a training programme that provides expert security
knowledge to staff who are not in the security team. If your network
administration team understands how to keep your network secure and your
Wintel engineers understand the security aspects of group policy, they will
make better decisions.

Test, test and test again

It’s unfortunate, but the threat landscape is forever changing, so
yesterday’s audit is out of date by the time you get into work this morning.

A mature approach to security is to employ a dedicated team of security
penetration testers to continually work on locating and eradicating
vulnerabilities in your people, processes and technology.

This is one of the least accepted approaches to the management of security
within a business, as it is deemed too expensive and invasive.

However, there is no better way of keeping on top of the threats than
making this someone’s full-time job. They will locate the security
weaknesses in your systems more quickly and easily than attackers, because
they know your systems inside out.

This means you’ll have a remediation program in less time than the
attackers take to start their initial reconnaissance.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com