Intrusion costs are expensive. Why do you ask?

March 15, 2013

According to the folks over at the Identity Theft Resource Center (ITRC), US companies, governmental agencies, universities, and other non-profits last year reported almost 450 breaches and over 17 million personal records exposed. This was not nearly as bad as 2007, in which the number of stolen records reached a breathtaking 122 million. One metric that’s a bit harder to pin down is the direct cost of a data breach. These expenses typically don’t show up in breach stats. Public companies will eventually expense the intrusions–if the amount is “material”–but you’ll have to do some digging into annual reports.

The total liability for breaches often goes beyond basic fraud costs–the merchants and companies who were falsely billed–to include investigation fees, credit monitoring expenses, legal fees, court settlements, and civil fines. To get a sense of how costs may break down in a particular case, I looked at one of 2012’s largest breaches, involving a credit card processor. While the actual exploit is still a mystery, it is assumed that at least 1.5 million credit card numbers were exposed–although the true number is likely higher.

In their 2012 annual report, the company had incurred about $94 million associated with the breach incident. A little over one-third, or $35 million, represented “total fraud losses, fines and other charges that will be imposed upon us”. The facts about this breach are a little sketchy. Experts believe that though this card processor publicly reported the incident in early 2012, the hackers may have entered their servers in June 2011. In other words, there was plenty of time for a lot of false credit card charges to pile up–that may explain the high fraud expenses.

There’s also a $60 million expense for “professional fees and other costs” associated with investigation and remediation, business partner payments, and credit monitoring. To understand that last category, check out my post on the national credit reporting agencies that maintain consumer credit information.

When a consumer suspects identity theft, the law says she can put a hold on her information so that creditors are alerted that an identity theft incident is in progress. With a large breach, a company will pay for a service that freezes millions of reports and monitors unusual activity—e.g., a change of address or new accounts opened against existing credit information. It’s another expense that needs to be considered in the intrusion cost equation.

What about legal costs and lawsuits? To get a feeling for how enormous these can be, I went back to look at one of the worst breaches of 2007. That year a major retailer reported the theft of 45 million customer records. It can be challenging to get an exact accounting of all legal expenses in corporate financial reports, and in this particular case the costs were expensed over several years.

But here’s what we do know. In their 2007 annual report, executives told investors they established a pre-tax reserve of almost $200 million to cover all their breach liabilities–with most of this amount dedicated to legal-related matters.

There are too many suits for me to cover in such a short post. But the retailer settled a class action suit with the credit card companies, who had to re-issue millions of new accounts to their customers. There were also several class-action suits pending with one based on the Fair and Accurate Credit Transaction Act (FACTA), which covers data protection and privacy of consumer credit information. At the time of the annual report, several attorneys general were investigating whether the retailer violated state consumer protection laws. And the FTC was involved and examining whether other federal laws were violated.

There are some well publicized numbers for the total cost of a breach—about $200 per record. This includes indirect costs, such as loss of customers, brand damage, loss of employee productivity, and other intangibles. When I looked at direct costs only—legal, remediation, administrative, etc.—the amounts were more in line with the breach cost data I covered in this post, say, between $4 and $10 per record.

Even if you find the indirect costs a bit of a stretch, the direct costs alone, especially for large companies, should make executives think more strategically about paying to protect their data. After all, a file with one million account numbers may end up costing $10 million—a lot of money to pay for poorly configured file permissions!


Cybersecurity Now Top of Mind Around the World and Network Security is Taking Center Stage

February 26, 2013

It’s no surprise that in the wake of the rapid increase in cyber attacks, governments around the world are moving towards strengthening their cyber security, and even taking steps to mandate better collaboration on security issues between the private and public sectors. Here is a sample of the most recent initiatives:

  • US – Feb-2013: Obama Orders Cybersecurity Standards for Infrastructure
  • European Union – Feb-2013: EU Unveils New Cybersecurity Policy
  • Italy – Jan-2013: Italian Government Approves Cybersecurity Measures to strengthen online security and protect critical infrastructure from increasing cyber assaults
  • India – Jan-2013: India Developing National Cybersecurity Architecture. India is in the midst of developing a national cybersecurity architecture aimed at preventing sabotage and espionage of its core IT systems and networks
  • Australia – Jan-2013: Australia toughens stance on cybersecurity
  • Russia – Jan-2013: The Russian Federal Security Service gets empowered to create a state system for the detection, prevention and liquidation of the effects of computer attacks on the information resources of the Russian Federation

There are important common factors in all the above:

First, a global appeal for stronger collaboration between the public and private sectors to share intelligence on cyber attacks. Under existing EU rules, telecommunication companies are already required to report significant security incidents. Wade Williamson, one of our in-house experts on cyber threats, recently wrote in this blog about “Combating Emerging Threats Through Security Collaboration”.

Secondly, a shared understanding that the global economy is highly dependent on critical infrastructure that might not be as secure as initially thought. For example, the U.S. executive order specifically mentions power grids, pipelines and water systems.

Finally, full awareness that much of the critical infrastructure supporting a thriving, modern economy relies on a set of interconnected networks and systems that must be closely monitored and protected. The proposed European directive calls out the need for resilient, safe, and stable networks and systems.

One takeaway for our customers is that network security is being more systematically called out in cybersecurity discussions worldwide and is even taking center stage. Some analysts have commented that network security will remain the largest cybersecurity submarket for the next 10 years.

Why? Even as SaaS applications, social networking, mobile devices, or cloud-based computing become mainstream and push the limit of the traditional enterprise perimeter, the network and the firewalls remain the one place where organizations in both the public and private sectors can see all traffic and actually enforce security policy.

via Palo Alto Networks Blog.

Thanks to http://www.thethreatvector.wordpress.com


The New Risks Facing Healthcare Providers

January 30, 2013

In a clip from the session “Beyond Med Mal: The New Risks Facing Healthcare Providers” from the 2012 PLUS International Conference, panelists Genevieve Alexander (NAS Insurance Services, Inc.) and Kieran Dempsey (Sapphire Blue, Ryan Specialty Group, LLC) discuss the costs of a data security breach in the healthcare industry.

For more on the big issues in medical professional lines, don’t miss the PLUS Medical PL Symposium, April 10 & 11 in Chicago.

The interesting figures are: an average breach cost of $2.24 million, and $194.00 per record breached.


The Biggest Hacks of 2012

December 19, 2012

With 2012 coming to a close, I decided to take a look back at some of the year’s more significant hacks. Two of the largest heists involved thefts of millions of records of personal data. In March, Global Payments, a credit card processor, revealed a breach in which at least 1.5 million credit card numbers were exported. And the year began when hackers targeted Zappos, the online shoe retailer, and relieved this e-tailer of over 24 million rows of email addresses and other data.

Based on these gigantic incidents, I thought this was the year of the Big Hack and a unique turning point. For perspective, I reviewed two years’ worth of Verizon’s indispensable Data Breach Investigations Reports. The DBIR is based on data collected from the US Secret Service and the Dutch National High Tech Crime Unit. For 2011, Verizon reported over 855 incidents and 174 million records compromised. Last year was the second highest data loss recorded since Verizon began this study in 2004.

I’m not sure if 2012 hacking levels will surpass 2011, and neither of these two years will come close to the 360 million records compromised in 2008. However, there are other trends that seem to have remained relatively constant.

In recent years, the top three industry sectors breached have been hospitality (read: restaurants), retail, and financial services. No surprises here.

Another common theme in the report is that poor authorization monitoring and procedures often broaden the damage done by attackers. Verizon suggests that companies should constantly be on the lookout for new files, especially growing archive and log files, and for files with unusual attribute settings. These often indicate an attack in progress.
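The DBIR advice above (watch for new files, growing archive and log files, and unusual attribute settings) can be turned into a simple baseline-and-diff check. The following is an added example written for this post, not code from Varonis or from the Verizon report; the suffix list, the "unusual" permission bits, and the growth threshold are assumptions you would tune for your own environment.

```python
import os
import stat
import tempfile

# Suffixes for the archive and log files the DBIR singles out (assumption: this list)
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".tar", ".gz", ".tgz", ".log")
# Permission bits a defender rarely expects on a data or log file (assumption)
UNUSUAL_MODE_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH


def snapshot(root):
    """Map every regular file under root to (size, permission bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished between listing and stat; skip it
            if stat.S_ISREG(st.st_mode):
                snap[path] = (st.st_size, stat.S_IMODE(st.st_mode))
    return snap


def compare(before, after, growth_threshold=1024 * 1024):
    """Diff two snapshots; return (path, reason) findings worth a look."""
    findings = []
    for path, (size, mode) in after.items():
        if path not in before:
            findings.append((path, "new file"))
        elif path.lower().endswith(ARCHIVE_SUFFIXES):
            grown = size - before[path][0]
            if grown >= growth_threshold:
                findings.append((path, "archive/log grew by %d bytes" % grown))
        if mode & UNUSUAL_MODE_BITS:
            findings.append((path, "unusual mode bits 0o%o" % mode))
    return findings


def demo():
    """Constructed scenario: baseline a tree, then let a log file balloon and a
    world-writable archive appear. Returns sorted (basename, reason) pairs."""
    with tempfile.TemporaryDirectory() as root:
        log = os.path.join(root, "app.log")
        with open(log, "wb") as f:
            f.write(b"x" * 100)
        os.chmod(log, 0o644)  # ordinary permissions for the baseline file
        before = snapshot(root)
        staged = os.path.join(root, "dump.zip")
        with open(staged, "wb") as f:
            f.write(b"y" * 10)
        os.chmod(staged, 0o666)  # world-writable: one of the unusual bits
        with open(log, "ab") as f:
            f.write(b"x" * 5000)
        after = snapshot(root)
        found = compare(before, after, growth_threshold=4096)
    return sorted((os.path.basename(p), why) for p, why in found)
```

In practice you would persist the baseline snapshot and run compare() on a schedule against the directories that hold sensitive data, feeding the findings into whatever alerting you already have.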

The DBIR also tells us that straightforward hacking—using default passwords, stolen login credentials, or backdoor attacks—is still a very effective way to extract protected data.

One revealing stat is that most of the records hacked in the last few years have not involved credit card numbers. The winner in the most-hacked-data category instead goes to plain old PII—name, address, and social security number.

So how do Global Payments and Zappos match up with the overall trends? Depressingly, these two incidents fit like a glove. Financial or retail? Check. External attack? Yes. Straightforward hack? It seems so, and no malware was involved that we know about.

For both Global Payments and Zappos, the actual exploits used are still a little fuzzy. According to Gartner Research’s Avivah Litan, the Global Payments attacker may have been able to get through the company’s knowledge-based authentication layer by answering questions correctly. This is still just speculation. Here’s what we do know: Global Payments was PCI-DSS compliant. Visa and Mastercard have since revoked their certification.

Zappos, which is also PCI-DSS compliant, kept their credit card numbers encrypted and separated from other personal information. Hackers were not able to access the “PANs”—PCI lingo for the card numbers. Zappos has kept their certification.

The most eye-opening part of Verizon’s DBIR can be found in their conclusions. Not to put too fine a point on this, but companies are simply not making the attackers work very hard. It’s not that they are so clever; it’s that IT has been a bit lax.

Here’s some of their all-too-familiar advice:

  • change default credentials
  • review user accounts on a regular basis
  • restrict and monitor privileged users

On that last point, I’ll quote the actual text from the DBIR:

“Don’t give users more privileges than they need (this is a biggie) and use separation of duties. Make sure they have direction (they know policies and expectations) and supervision (to make sure they adhere to them). Privileged use should be logged and generate messages to management.”

Speaking as a Varonis blogger, I couldn’t have said it better.

Let’s hope some of this advice takes hold, and 2013 will be a more forgettable year in hacking annals.


8 out of 10 employees turn to ‘stealth cloud’ for quick IT fix, putting company data in danger

November 1, 2012

84 per cent of employees are putting company data at risk as they secretly access consumer cloud solutions such as DropBox and SkyDrive in the workplace, says research from Computacenter, Europe’s leading independent provider of IT infrastructure services. With IT managers having no visibility of the files involved, employees are opening networks up to potential security threats.

The research, conducted amongst 150 IT decision makers, highlights that employees are being forced to turn to consumer cloud products to share files because current business systems simply cannot offer the same level of service.

“Stealth cloud is a major issue for organisations,” says Paul Casey, Cloud Practice Leader at Computacenter. “These cloud products are very convenient, easy to access, simple to use and perfect for remote working. Unfortunately, most IT departments don’t offer similar file sharing tools which are secure and as a result are losing the battle to keep company data on the office network.

“The second an employee stores files and data using a solution such as DropBox, IT managers lose all visibility of what is going on and potentially confidential information and intellectual property is open to security threats and breaches.”

These threats are understandably keeping IT managers awake at night, with 56 per cent worried about possible security breaches and half wishing they had full visibility of what data is stored within the cloud.

Casey concludes: “It is imperative that businesses address this problem now. It is clear that everyone knows the risks of consumer cloud products, but until the correct solutions are put in place or alternative sanctioned solutions, employees will continue to turn to consumer clouds to get the job done – no matter what the consequence might be.”

If you would like advice on the creation of private ‘dropbox’ type technology, please contact http://www.c24.co.uk for more details.

Thanks to http://www.cloudcomputing-365.info/news_full.php?id=23373#


European Data Protection Reform Update: Summary of the 25 January 2012 Announcement

May 30, 2012

I know we are a few months out, but we spotted this information referencing the European Data Protection Reform that is really interesting:

Summary of the Changes

The following key areas of the reform will impact on privacy and data protection compliance for organisations:

  • A Single Set of Rules: The Proposed Regulation provides for a single set of rules for all organisations processing personal data in the European Union. It will replace the first Data Protection Directive (published in 1995), which will be repealed. This Proposed Regulation will have direct effect in all Member States and, as a result, will achieve greater harmonisation than if the reform was made by a revised Directive, which carries with it a risk of inconsistent implementation by Member States, as witnessed with the implementation of the Data Protection Directive. In addition to the Proposed Regulation, there will be a new Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
  • Fines: National data protection authorities will be allowed to impose fines of up to 2% of the worldwide gross revenue of an organisation. The 2011 proposal had set this amount at 5% of worldwide gross revenue.
  • “One-Stop Shop”: The Proposed Regulation implements a “one-stop shop” approach to data protection compliance in the European Union, meaning that an organisation only needs to comply with the data protection laws in place in the jurisdiction in which it has its main establishment. This is similar to the passporting system and principle of home state supervision, which is already reflected in European financial services regulation. In addition, the Proposed Regulation will have extra-territorial effect. This means it will apply to organisations (such as many U.S. businesses) that are not established in the European Union, but are active in the European Union market and offer their services to European Union citizens.
  • Data Breach Notification: The Proposed Regulation imposes a general requirement on all businesses to notify data protection authorities and data subjects in the event of a data breach. Notice of data breaches must be provided to the data protection authority “where feasible” within 24 hours, and to affected data subjects “without undue delay.” While breach notification has recently become a requirement for telecommunications and internet service providers, the Proposed Regulation extends this requirement to all organisations. Given the increase in global cyber risks and the reputational impact and associated costs of data losses and breaches, this aspect of the reform is likely to have a significant impact on organisations.
  • Consent: Where consent is to be used as a justification for processing personal data, the Proposed Regulation requires that it must be given explicitly, rather than assumed. This will cause particular concern for e-commerce organisations worried about how to obtain consent without detrimentally affecting the user experience.
  • Data Portability: The Proposed Regulation also introduces a new individual right of data portability, which is designed to facilitate an individual’s access to personal data. This requires organisations to permit customers to move their data to new organisations offering similar products or services. This is also intended to improve competition among services. While this may sound relatively straightforward, in practice the costs of migrating data from one system to another can vary significantly, and may be particularly burdensome for cloud providers and social networks.
  • The “Right to be Forgotten”: The Proposed Regulation also adds a new “right to be forgotten” which allows an individual to require an organisation to delete personal data where there is no longer any legitimate reason for keeping it. This new right is more stringent than the existing obligation for data controllers not to keep data for longer than is necessary.
  • International Transfer of Data: The Proposed Regulation provides for a shift in the rules to reflect the way that data is currently transferred internationally. They seek to address the problem that current data protection laws function only within a given territory, usually defined along national borders, and do not reflect the reality of international business. In particular, organisations making use of the cloud will be collecting data in one territory and subsequently processing it in numerous other territories. The Proposed Regulation will simplify the requirements for organisations seeking to do this. In addition, it also aims to improve the current system of “binding corporate rules” to make compliance less burdensome – “binding corporate rules” are typically a set of intra-corporate global privacy policies that satisfy the European Union standard of adequacy when organisations are seeking to transfer the data outside of the EEA. The Proposed Regulation would require all data protection authorities to recognise “binding corporate rules” approved by an individual data protection authority.
  • Data protection by design and by default: The Proposed Regulation requires data controllers to only collect and retain personal data to the minimum extent necessary in relation to the purposes for which they are intended by design to be processed. This will be particularly controversial for organisations seeking to undertake data analytics of their mass repositories of data.
  • Accountability and Data Protection Officers: The Proposed Regulation seeks to increase the accountability of data controllers and data processors, including by requiring that they carry out data protection impact assessments prior to risky data processing activities. In addition, organisations with over 250 full time employees will be required to have a Data Protection Officer.
