Data breaches: plan ahead

Dealing with data breaches can't be an afterthought if companies want to keep their data safe.

Johannesburg, 18 Oct 2017
Jerome Benting, Account Executive, JMR Software.
Jerome Benting, Account Executive, JMR Software.

In the 21st century data breaches are an expected occurrence that can and will harm the reputation and interfere with the business processes of any organisation, regardless of where they're located on the globe. Jerome Benting, Account Executive at JMR Software, says: "All too often organisations make the mistake of thinking that their business-critical data and systems cannot be breached and exposed by modern day data attackers."

Today's large audience of attackers have easy access to advanced, sophisticated techniques and tools that are readily available online and in forums. And as data breach threats evolve, it's becoming increasingly important for business leaders to understand the mindset of attackers. The overwhelming majority of data breaches are malicious in nature with criminal or financial intent, compared to data loss as a result of human error or hardware glitches.

Benting continues: "These attackers are fully aware of the value of the highly sensitive, business-critical data they seek to acquire, and will find any system access loophole to exploit. They're usually very patient and stealthy in their approach and will strike when least expected."

The scale of data breaches can vary, but a material data breach is when 1 000 or more records containing highly sensitive personal information are lost or stolen. Benting says: "An example would be a retail company's database containing individuals' names associated with credit card information and other personally identifiable information. Or a health insurer's record of the policyholder with doctor and payment information. From a compliance perspective alone, businesses need to ensure that this sensitive data is kept secure."

Recently, US consumer credit rating agency Equifax disclosed that 143 million of its customers had been exposed to a data breach. "This equates to almost half the size of the population of the USA, and is going to prove a very expensive lesson for Equifax," says Benting. It's the 7th largest ever data breach known and how it occurred is under investigation.

The statistics don't lie

A data breach study published in June 2017 by the Ponemon institute and IBM Security showed that organisations in South Africa, India and Brazil are most likely to experience a material data breach involving 10 000 or more records over the next 24 months. At 41%, South Africa has the highest probability of experiencing a data breach in the next 24 months. The country with the lowest probability of having a data breach was Canada, at 14.5%.

In 2016, cyber attacks and data breaches increased by 40% globally, with Yahoo experiencing the largest reported data breach in history also in the same year.

What does the future hold?

It's fair to say that these incidents will undoubtedly occur with more frequency and become even more serious for business leaders and organisations not prepared to adopt an aggressive proactive approach to identifying, isolating and protecting business critical data against breaches before they occur. Today's business leaders are also tasked with ensuring that their organisations comply with all the relevant data protection compliance laws to protect sensitive information.

Benting says: "With every attack there's something to be learnt, and businesses are well advised to build on the basics (which are oddly enough often neglected) by perfecting processes to develop a more solid and offensive security detection and intrusion policy that can best counter any possible data breaches. Identifying patterns and methods of attack will always be an ongoing task, so investing in the necessary proactive technology is a positive step in the right direction."

Steps to success

Benting says that many organisations are investing in an ISOC (Information Security Operations Centre). An ISOC is a centralised facility where enterprise information systems such as Web sites, applications, databases, data centres and servers, networks, desktops and other endpoints are monitored, assessed, and defended. This function can be done as an outsourced service or set up on the business's premises. "Budget and the size of the organisation often dictate whether this is outsourced, so a large financial institution, for example, might prefer to have an in-house facility."

Another response to the increasing cyber threat, says Benting, is the formation of what he refers to as "technically dynamic teams". These are teams comprising a wide assortment of IT skills, including security analysts, systems analysts, network analysts, consultants and even CTOs or CSOs whose ambit is to keep abreast of threats and attacks and know how to defend against and deal with them.

However, according to Benting, one of the strongest defences against any type of cyber threat is access to real-time data, allowing for faster and more efficient responses to threats and attacks. "Organisations deploying a SIEM (security information and event management) solution as part of their core cyber defence strategy can find themselves ahead of the game when it comes to avoiding possible data breaches and attacks."

The underlying principle of a SIEM system is that it centralises relevant data about an organisation's enterprise security from multiple locations. Being able to view all the data from a single point of view makes it easier to detect trends and see patterns that are out of the ordinary. The information gathered can be used to deploy proactive enterprise cyber alerting and defence strategies.

He explains: "Attackers leave traces behind, and SIEM systems collect a wealth of security-related and system event information for analysis. Most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment and even specialised security equipment like firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralised management console, which performs inspections and flags anomalies."

The organisation gains insight into various aspects of an event, including why, when, how, IP address, location and user ID. The information gathered can then be subjected to analytics capable of revealing otherwise clandestine activity. "SIEMs are playing an increasingly important role in enterprise security," says Benting.

While compliance traditionally drives SIEM adoption in large enterprises, organisations with mainframes in their enterprise should also be gathering mainframe activity data to a SIEM. Historical enterprise-wide activity data is essential for long term analytics and cyber defence strategies.

The financial costs of being prepared and able to quickly identify and stop any potential threats, far outweigh the costs of a post data breach investigation to identify where mistakes have been made and require rectifying. Identifying the root cause in post data breach investigations can prove time consuming and very expensive, especially without the correct information at hand.