Identity at the centre of GRC cyber security programme
Identity lies at the centre of building a strong foundation for cyber security within any organisation.
This is according to Peter Hunter, territory manager for SA and Africa at SailPoint Technologies, who addressed delegates at ITWeb's Governance, Risk and Compliance 2016 Summit in Hyde Park, Johannesburg, yesterday.
In his presentation, titled "Identity at the Centre - Building a Strong Foundation for Cyber Security", Hunter said the identity of users is a critical aspect of a company's Governance, Risk and Compliance (GRC) cyber security programme.
He added that it is all about putting proper governance and control automation in place to give an organisation control over, and visibility of, its data.
"In order for this to be well executed, every organisation needs a GRC structure which will include an element of identity.
"This identity consists of transparency of employee access to certain sensitive data within a company. It's important for organisations to implement user control of certain data irrespective of where and how that data is stored," he advised.
Whether the data sits in unstructured storage or is kept in a formal structure in the cloud, he explained, the aim of how data is stored should be to prevent a security breach and to allow the business to operate with confidence.
He referred to the Verizon 2015 data breach report, which focuses on the world's biggest data breaches in 2015 and details their financial damage to companies.
"The estimated financial loss due to data breaches globally last year amounted to $400 million and the number of compromised records due to data breaches was 700 million."
According to Hunter, just a few years ago data breaches were far less public than they are today.
"Rarely a week goes by that we don't hear about the next data breach somewhere in the world.
"As you can see, no one is immune; every major sector, company size and geography has been impacted by data breaches in some way."
He added that SA has had its own data breach incidents over the past three years, although not all of them are reported.
"Some of the notable SA examples are Postbank, Eskom, Gautrain, Alstom, Telesure and others.
"At an ISACA presentation recently, the SAPS cyber security unit confirmed many of these instances were due to privileged user abuse by IT professionals within these organisations," he noted.
The Verizon data breach report found there were 79 790 security incidents in 2015 and 2 122 confirmed data breaches globally.
"Data breaches impact more than the bottom line; in addition to direct financial loss, the impact on an organisation's reputation and trust can be irreparable," warned Hunter.
He described 2015 as the year of realisation that the world had changed and that IT security as we knew it had to change too.
"Previously, network security was all we needed, employees would come to the office, access the network, do their jobs.
"In most cases, intruders had to either come into the physical location or hack from outside the network. As they became more creative, firewalls became next-gen firewalls, with intrusion prevention, anti-malware and anti-bot, and sandboxing against zero-day malware," he explained.
However, he warned that although network security helps keep the bad guys out, it is not enough.
Discussing the three main causes of breaches globally, Hunter said miscellaneous errors account for 29.4% of overall breaches; these, he explained, are situations where information has been accidentally sent out of the company, for example through e-mail.
Accounting for 25.1%, crimeware is the second most common type of company breach, and insider misuse ranks third with 20.6% of incidents.
As a solution, Hunter proposed that companies have a risk model underpinning their data security programme and apply a standard control over data use among employees.
"There are different population users in any organisation and they range from low-risk users to medium-risk users to high-risk users.
Activity monitoring and access control for all groups should be implemented, with low-risk groups monitored less frequently than high-risk groups.
Access review and preventative control of data within an organisation will ensure that nobody has access to certain types of information unless they have gone through a formal approval process and access request procedure with management.
"When organisations have those two things in place, they can close the loop on unsafe user activities taking place," he concluded.