Start Sweating the Small Stuff

February 27, 2013

In his recent New York Times article, “That Daily Shower Can Be a Killer,” renowned geographer Jared Diamond observes how Americans tend to greatly exaggerate risks that are sensational and beyond our control—like plane crashes and nuclear radiation—yet underestimate the mundane, but more common risks that we can control—like slipping in the shower or falling from a ladder.

In my geek-centric mind, I immediately drew a corollary to computer security.   We’ve all met the engineer who will spend weeks obsessing over which password hashing algorithm to use, but fail to implement a solid password policy.

If you find yourself being hyper-paranoid about dangerous, but implausible attacks…stop!  Do a quick risk/frequency gut-check to determine whether you’re wasting time.  You shouldn’t be debating the strength of SHA-256 while your employees are emailing trade secrets to a Nigerian Prince.

XKCD: Security

What are some of the fall-in-the-shower type risks when it comes to data protection?  Our State of Data Protection Report from last year highlights a few:

  • Only 26% of companies are very confident their data is protected
  • 18% weren’t confident at all
  • 23% of companies were not confident or unsure where their critical business data resides
  • 27% of companies did not monitor any access activity on file servers and SharePoint sites
  • 13% of companies never revoke access to data when an employee leaves the organization
  • 61% do not scan their environment for sensitive data

Based on our results, there’s clearly a lot of room to tighten up these fundamental areas of day-to-day risk.  Just as Mr. Diamond’s goal is to reduce life’s common accidents to 1 in 1,000, we should strive to minimize common data security risks, like insider theft, by implementing soundsecurity programs.

Want to learn more about risk analysis?

Here are some good resources:

Leave a Comment » | Application Hosting, Marketing, Retail IT Solutions | Tagged: , , , , , , , , , , , | Permalink
Posted by david ricketts

IBM Survey: Social Media Impacting Threats From Reputational Risk

September 21, 2012

 

So here’s a question for you? What is your organization doing to more effectively manage its risk profile?

IBM recently released its 2012 Global Reputational Risk and IT Study, and the findings suggest that companies are viewing their IT investments through a new lens.

First, some background, and then a summary of the findings.

This study is an investigation of how organizations around the world are managing their reputations in today’s digital era, where IT is an integral part of their operations and where IT failures can result in reputational damage.

The report was written by the Economist Intelligence Unit, which both executed an online survey and conducted client executive interviews.

That included 427 senior executive responses from around the world, 42 percent of those being C-level, with 33 percent of respondents coming from North America, 29 percent from Europe, and 26 percent from Asia-Pacific.

The survey included industries that ran the gamut, including banking, IT, energy and utilities, and insurance.

Impact of Social Media On Risk

Corporate reputations are especially difficult to manage in an era when anyone with a smartphone and Internet connection can file their complaint with a single touch.

With social media sites like Facebook and Twitter boasting over 1.4 million people combined, there is now a highly visible and immediate alterative to a company’s own communications regarding its reputation.

Because of that, more organizations have introduced reputational risk as a distinct category within their enterprise risk management frameworks.

The study suggests that companies have begun to pay closer attention to the links between IT failures and reputational damage, and also examines how executives are attempting to protect their brands from what could arguably be called “a preventable glitch.”

So, drum roll, please. Here’s a summary of some of the key findings:

  • IT risk management and investment directly supports a company’s reputation. Reputational risk has evolved into an asset that is fundamentally supported by IT planning and investment. 78 percent say they included reputational risk in their own IT risk planning, and 75 percent say their budget will grow due to concerns for such. Eighteen percent indicate that spend will increase by more than 20 percent in the next 12 months.
  • The CEO owns it but shares it. When asked to name the top 3 C-level execs who owned reputational risk, close to two-thirds say it was shared across the C-suite. 80 percent of CEOs indicated it was theirs to win, followed by 31 percent of CFOs, 27 percent of CIOs, 23 percent of CROs (Chief Risk Officers), and 22 percent of CMOs.
  • Five characteristics of highly effective companies — they get reputational risk and invest in it. Of those who do, 83 percent indicated they have integrated IT into their reputational risk management regimes. They also perceive stronger links between IT threats and key elements of reputation (especially customer sat and brand reputation), and they also say they have strong or very strong IT risk management capacity (84 percent). Seventy-seven percent indicated they have well-resourced IT risk management functions, and are more likely to require vendors and supply chain partners to meet the same levels of control as they require internally.

Improving Reputational Risk Management: Best Practices

So what’s a concerned C-level exec to do? The study revealed several core strategies:

  • Be proactive rather than reactive. That is, be prepared to invest in developing comprehensive reputational risk management strategies that include robust controls on IT risks, particularly those related to security, business continuity and tech support.
  • Create an organization where IT managers collaborate with other risk management specialists. Together, they should be tasked with presenting a comprehensive profile of organization-wide reputational risks to senior management.
  • Engage in scenario analysis, especially with new and emerging technology. Don’t wait for the worst to happen — there are plenty of case studies to be used as a basis for “what-if” planning.
  • Assess risks across the entire supply chain. A failure by a downstream supplier can be just as devastating as an internal problem, and risk controls can be harmonized among key players.

A More Integrated, Holistic Approach

This more integrated, enterprise-wide approach to risk management — led by the C-suite on down — can help your organization increase the attention being paid to the direct reputational impact of IT risks, and help you mitigate those risks (including those stemming from the use of new technologies).

To learn more and to gain access to the full study, go here.

 

Leave a Comment » | Application Hosting, Marketing | Tagged: , , , , , , , , , | Permalink
Posted by david ricketts

5 Step Guide to Reducing the #1 Data Security Risk

September 20, 2012

Last week I had the opportunity to attend an event on 3rd party data security and risk. Throughout the event, I talked with folks from many different industries and in many different roles. I spoke with auditors, general IT managers, storage administrators, CIOs, and of course, security professionals.

What is the Top Priority for Reducing Risk?

Everyone shared one common concern:

How can we reduce risk and protect our clients’ data?

One executive was asked, “Which area would you consider your number one priority for reducing risk?” His decisive answer was that, of all the areas of risk his massive enterprise faces, priority number one is unstructured data security.

This shocked me a bit at first, but when you think about it, it makes perfect sense. According to Gartner, unstructured data accounts for more than 80% of all organizational data, and it’s growing approximately 50% every year.

Even data that is normally stored in databases or apps is regularly being dumped into spreadsheets for analysis, PowerPoint slides for presentations, PDFs for reading, and email for sharing between teams.

When you think about it this way, it becomes very easy to see why unstructured data is the highest risk area for many IT departments.

Compliance and Regulations

In addition to the intrinsic motivation for securing unstructured data, external regulations such as SOX, HIPPA, and PCI are forcing organizations to put processes in place to ensure the protection of 3rd party data. Unfortunately, most organizations don’t have an efficient and affordable way to put these controls in place and prove that they’re being enforced.

An auditor I spoke with mentioned how difficult and time-consuming it is to perform attestations, and how, for most companies, entitlement reviews are manual and painful processes that don’t really accomplish the end goal of protecting data.

Where Do We Begin? A 5 Step Guide

If you are trying to start a risk management project in your organization, here are some actionable ideas on what to focus on:

1. Identify your most valuable assets

All 3rd Party data is valuable. Our clients trust us to manage and protect all of it. But it is critical to pick a starting point. To do this, talk with data owners and key stakeholders to find out which types of data are the most sensitive or most valuable.

2. Locate your most valuable assets

You can’t protect sensitive data if you don’t know where it resides. Is it in the CEO’s mailbox? Is it propagated across all your Windows file servers and NAS devices? In order to do this at scale, you’ll need a data classification framework that can scan files on your network for sensitive content indicators.

3. Identify where sensitive data is overexposed

 

You probably found a ton of high value data in step #2. Now you have to figure out who can access that data and prioritize data sets that are wide-open to everyone.

Many of us, when we move to a new home, we tend to change the locks. Why? Because we don’t know who has had a key in the past – the owners, realtors, past owners, builders? This represents a big risk for us and our families.

The same principle applies with 3rd party data. We need to identify who can access it, and what type of access they have. Then we can identify which data is overexposed, and where permissions need to be tightened up and assigned owners.

4. Monitor Data Access

As my good friend @rsobers says: Context is king. Part of reducing risk is monitoring who is actually accessing the data and what are they doing with it. If we’re constantly monitoring access, we can identify patterns in user behavior and alert when suspicious activity occurs. And if we store the audit data intelligently, we can use it for forensics, help desk, and stale data identification.

5. Use Automation

Are you ready to implement steps 1-4? Do you have an army of IT staff with nothing planned for the next 50 years? Luckily, that won’t be needed. You can use automation to identify the most critical data, understand who can access it, and monitor what they’re actually doing with.

By leveraging automation to provide your security intelligence dashboard, you can spot problems and then use automation (again) to simulate changes and automatically execute the remediation.

There you have it! Go forth and protect your customers’ data! Oh, and by the way, there’s a 6th step that doesn’t require IT involvement at all. Ask us about it.

Are you curious to see how your company measures up? Get a free data protection assessment. We’ll scan your infrastructure for holes and help you plug them with automated data protection and management software from Varonis.

1 Comment | Application Hosting, Managed Service Hosting, Marketing | Tagged: , , , , , , , | Permalink
Posted by david ricketts

Follow

Get every new post delivered to your Inbox.

Join 751 other followers