We might not be surprised when we read about another data breach, but it does turn heads when it is a well-known brand like Twitter. Recent reports about a significant breach at Twitter were stunning. High-profile accounts were hacked in an attempt to solicit bitcoin. Florida police have now arrested a 17-year-old male, and two others have been charged by the Department of Justice in connection with the incident. It is reported that the teen allegedly convinced a Twitter employee that he worked in the Twitter IT department and tricked that employee into giving him the credentials.
This type of attack highlights why an IT-centric security program is clearly insufficient. Too often companies focus on IT controls and fail to also include comprehensive operational controls. Without a fully operationalized security program, companies will continue to suffer such breaches. In fact, Security Boulevard is reporting a significant increase in data breaches in Q1 2020 with 8.4 billion records exposed. The importance of looking at more than just IT controls is shown by the fact that “80% of data breaches have occurred either because of stolen credentials or brute-force attacks.”
In our blog last week we looked at how the use of real-time data can play an important role in showcasing your security and risk management program. Companies need to stop using out-of-date information to make security investment decisions and instead learn to track their data and use it to keep their organization safe. Investing in a tool that shows your organization’s data in real time, covers the whole organization, and is easy to maintain is a great start to any security program. When your employees have real-time data at their fingertips they will be able to act faster and use that data to benefit your security program.
[Read more: How data sets you free (and keeps you safe)]
CEOs and CISOs will be wondering how they can prevent the same thing from happening to them.
Here are 7 steps you can take to protect your organization:
1. Use real-time data to locate and investigate your weakest link.
Conduct a thorough risk assessment and maintain an ongoing risk review process. You are only as strong as your weakest link, so it pays to identify it and work to strengthen it. A risk assessment is a great starting point because it clearly lays out for the IT department and senior management where the weaknesses are so that they can be addressed. The key to a successful risk assessment is to keep using real-time data to develop an ongoing risk management process, so you are always aware of where your risks lie and can make plans to handle those risks.
2. Invest security dollars in the areas of weakness, even if it does not result in buying cool tech.
Everyone loves cool new technologies but sometimes you have to allocate security dollars to some basics like training or risk assessments in order to ensure you know where your risks lie. By investing your security budget in areas of weakness you are shoring up your whole cybersecurity program.
3. Offer comprehensive and frequent security training to all employees.
Learn from the Twitter breach, where Twitter said “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems. This was a striking reminder of how important each person on our team is in protecting our service.” Organizations must run regular training for all employees, especially on how they should handle sensitive data. Conducting annual training is insufficient. It is better to train for shorter periods, more frequently. Use a risk management tool that tracks this training and ensures that all employees, including new hires, have taken the required training.
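As an added illustration of what “track this training” means in practice, here is a small Python check that is not part of the original post and not Ostendio’s code. It assumes a constructed employee roster and a constructed list of training completion records, a hypothetical quarterly retraining cadence, and a hypothetical grace period for new hires; it reports who has never completed a required course or whose last completion is older than the cadence.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Employee:
    user_id: str
    hire_date: date


@dataclass(frozen=True)
class TrainingRecord:
    user_id: str
    course: str
    completed_on: date


# Assumed policy values (not from the post): two required courses,
# retraining every 90 days rather than annually, and a 14-day window
# for new hires to complete their first round.
REQUIRED_COURSES = frozenset({"sensitive-data-handling", "social-engineering-awareness"})
CADENCE = timedelta(days=90)
NEW_HIRE_GRACE = timedelta(days=14)

# Constructed sample roster and completion log.
EMPLOYEES = [
    Employee("alice", date(2018, 1, 15)),
    Employee("bob", date(2019, 3, 1)),
    Employee("carol", date(2020, 7, 25)),   # hired a week before the check
    Employee("dave", date(2020, 7, 1)),     # hired a month before the check
]
RECORDS = [
    TrainingRecord("alice", "sensitive-data-handling", date(2020, 6, 1)),
    TrainingRecord("alice", "social-engineering-awareness", date(2020, 6, 1)),
    TrainingRecord("bob", "sensitive-data-handling", date(2019, 12, 1)),
    TrainingRecord("bob", "sensitive-data-handling", date(2020, 3, 1)),  # latest, still too old
]


def training_gaps(employees, records, required=REQUIRED_COURSES,
                  cadence=CADENCE, grace=NEW_HIRE_GRACE, today=None):
    """Return {user_id: [reasons]} for every employee out of compliance.

    A course counts only by its most recent completion; an employee with no
    record is excused only while still inside the new-hire grace period.
    """
    today = today or date.today()

    # Keep only the latest completion per (employee, course).
    latest = {}
    for rec in records:
        key = (rec.user_id, rec.course)
        if key not in latest or rec.completed_on > latest[key]:
            latest[key] = rec.completed_on

    gaps = {}
    for emp in employees:
        reasons = []
        for course in sorted(required):
            done = latest.get((emp.user_id, course))
            if done is None:
                if today - emp.hire_date > grace:
                    reasons.append(f"{course}: never completed (hired {emp.hire_date})")
            elif today - done > cadence:
                reasons.append(f"{course}: last completed {done}, overdue")
        if reasons:
            gaps[emp.user_id] = reasons
    return gaps


def compliance_rate(employees, gaps):
    """Fraction of the roster with no outstanding training gap."""
    if not employees:
        return 1.0
    return (len(employees) - len(gaps)) / len(employees)


if __name__ == "__main__":
    found = training_gaps(EMPLOYEES, RECORDS, today=date(2020, 8, 1))
    for user, reasons in found.items():
        for reason in reasons:
            print(f"{user}: {reason}")
    print(f"compliance: {compliance_rate(EMPLOYEES, found):.0%}")
```

Run on the constructed data with the check dated 1 August 2020, the report flags bob (one course overdue, one never taken) and dave (past the new-hire grace with nothing completed), while carol is still inside her grace window and alice is current. The same function can be re-run daily against the real roster and training log so the numbers stay current rather than being refreshed once a year.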
The Ostendio MyVCM collaborative, integrated risk management platform helps companies build, operate and showcase their security and compliance programs. It offers real-time data views across your organization with easy-to-read dashboards that show either an individual security score or an organizational security score. It is a simple-to-read graphic format that gives information at a glance, plus the ability to dive in deeper to understand the exact data used to attain that score. And it engages all employees in the solution. If you would like to learn more about how the MyVCM platform could help your business, talk to an expert at Ostendio who will be happy to help.