Significant data breaches in both government and industry are in the headlines at an unrelenting pace. Some of these breaches are enormous in scale and impact, and all have the potential to damage consumer trust. Why are so many of these breaches disastrous?
Data security expert Kent Schneider believes that an answer lies in ineffective rights management – a lack of robust, enforced security policies that limit access to only what employees, contractors and partners need to do their jobs. Employers have not adequately defined the applications and data to which employees will have access, either by position requirement or role.
Schneider, a 26-year veteran of the U.S. Army Signal Corps and former senior executive at Northrop Grumman, is executive vice president and chief operating officer of SolPass LLC, the Denver-based developer of data security solutions.
"Recently, we've heard of major breaches across a broad spectrum of industry – breaches against large, sophisticated organizations. These companies take cybersecurity seriously and have invested in protective systems and software," Schneider says. "The problem is they have put too much faith in defending the perimeter. That is important, but not enough."
Most data breaches occur as a result of someone impersonating a valid user to gain entry to a network or system. If there is inadequate rights management, that person can then roam the system looking for data to steal—intellectual property, passwords or credit card/financial data. Assured rights management is necessary to prevent these costly breaches.
Here are six steps enterprises can take to assure effective rights management:
1. Tighten up security policies so that each employee has defined application and data access based on their role, including rules about what they can do and see.
2. Impose rigorous biometrics-based identity verification at the enterprise level, covering employees, contractors and partners. No one with access to enterprise networks, systems, applications and data can be anonymous.
3. Take humans out of the security loop to the extent possible. Do not make security dependent on users always remembering to follow the rules, and do not give undue access to insiders who may later become a threat. Make security enforcement an integral part of the system and make it as transparent to the user as possible.
4. Implement strict rights management across the enterprise that fully enforces a sound security policy. This must include access control for applications and data, as well as control of user actions—whether a user can read, write, edit, insert executables, remove data, etc. Such controls are necessary to address insider threats as well as external actions, and they make the insertion of malware far more difficult.
5. Consider restricting the rights of users operating remotely, as the potential threat is greater for these users.
6. Conduct continuous monitoring and auditing to ensure adherence to the security policy. Rigorous observation, along with alerts for any irregular activity, will help mitigate insider threats and help identify penetrations if they occur.
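Taken together, the steps above describe a deny-by-default policy engine with action-level rights, stricter rules for remote sessions, and an audit trail that raises alerts on irregular activity. The following Python sketch is an added example, not code from SolPass or from the article; the roles, resources, remote-restricted actions, alert threshold and the sample session are all constructed assumptions used to illustrate the steps.

```python
from collections import Counter
from dataclasses import dataclass, field

# Steps 1 and 4: each role gets an explicit allow-list of (resource, actions); anything
# not listed is denied. Role and resource names are constructed for this example.
POLICY = {
    "analyst": {"reports": {"read"}, "customer_db": {"read"}},
    "engineer": {"source_repo": {"read", "write"}, "build_server": {"read", "write", "execute"}},
    "finance": {"customer_db": {"read", "write"}, "ledger": {"read", "write", "remove"}},
}
# Step 5: remote sessions lose the higher-risk actions regardless of role (assumed set).
REMOTE_DENIED_ACTIONS = {"execute", "remove"}
# Step 6: raise an alert when one identity is denied this many times (assumed threshold).
ALERT_AFTER_DENIALS = 3

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)
    denials: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)
    def record(self, user, role, resource, action, remote, allowed):
        self.entries.append((user, role, resource, action, remote, allowed))
        if not allowed:
            self.denials[user] += 1
            if self.denials[user] == ALERT_AFTER_DENIALS:
                self.alerts.append(f"{user}: {ALERT_AFTER_DENIALS} denied requests in session")

def authorize(user, role, resource, action, remote, log):
    """Deny by default: allow only when the role explicitly grants the action on the
    resource and, for remote sessions, the action is not in the restricted set."""
    granted = action in POLICY.get(role, {}).get(resource, set())
    if remote and action in REMOTE_DENIED_ACTIONS:
        granted = False
    log.record(user, role, resource, action, remote, granted)
    return granted

def replay(requests):
    """Evaluate (user, role, resource, action, remote) requests; return (decisions, log)."""
    log = AuditLog()
    return [authorize(*req, log=log) for req in requests], log

# Constructed session: an "analyst" account that starts probing outside its role.
SAMPLE_SESSION = [
    ("asmith", "analyst", "reports", "read", False),
    ("asmith", "analyst", "customer_db", "write", False),
    ("asmith", "analyst", "source_repo", "read", True),
    ("asmith", "analyst", "ledger", "remove", True),
    ("jdoe", "finance", "ledger", "remove", True),
]
```

Running `replay(SAMPLE_SESSION)` allows only the first request, denies the rest, and raises one alert for the analyst account after its third denial; the finance user is denied "remove" solely because the session is remote.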
"Enterprises that take these steps and fully integrate them can prevent most penetrations and virtually all major data breaches," says Schneider. "But let us not trivialize this—for most organizations, we are talking about a fundamentally different way of doing business."
According to Schneider, temporary or partial fixes will not stand up to today's persistent and sophisticated threat. Only a comprehensive, enterprise-wide approach to cybersecurity will change the current trend toward more frequent and disastrous data breaches.
"We have a clear choice between taking dramatic steps to protect our data and losing significant amounts of intellectual property, personal information and money," Schneider says. "The real question is: can industry afford to continue bearing hundreds of millions of dollars in losses due to ineffective rights management?"