Chief Information Security Officers are tasked with preparing their organizations and themselves for any number of impending apocalypse scenarios. Whether it’s ransomware, a phish, or an insecure API resulting in a career-ending data breach, almost every one of these scenarios has the organization’s data at its center.
Similar to the fabled four horsemen of the apocalypse, these scenarios can be symbolically portrayed through four distinct and increasingly disastrous events—The Four Horsemen of a Data Breach.
The point of this symbolism is not to sow fear of a pending data breach apocalypse, but to provide a useful metaphor to understand the risks and to reinforce what CISOs should be looking out for when designing a comprehensive data security program.
The first horseman is always unauthorized access. Unauthorized access to data occurs way more frequently than even the steady stream of data breach headlines imply. Data access issues seem to be mainly a result of either failing to restrict access in the first place or credential compromise through phishing and social engineering. It can also occur when data is accidentally or maliciously disclosed to unauthorized individuals or entities. Unauthorized access and even disclosure can often seem benign, since it is not uncommon that unauthorized folks can access or inadvertently receive data that they shouldn’t without setting off an apocalypse. But you shouldn’t be fooled, as this particular horseman is one of the most common and ultimately most dangerous signs of a disastrous breach.
The second horsemen is non-compliance. It may not be apparent at first, but when data is not handled in accordance with relevant laws, regulations, and mandates, organizations are exposed to significant and potentially apocalyptic penalties and legal liability. The most relevant regulations and mandates include:
- General Data Protection Regulation (GDPR)
- California Consumer Protection Act (CCPA) as amended
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
The third horseman is alteration, which can occur when data is maliciously or accidentally altered in a way that renders it unusable or inaccurate. Ransomware is the most recognizable form of alteration—if the encryption is reversible; but other data alteration can be more subtle and harder to detect, such as social engineering or the change of account details to divert payments for current suppliers.
The final horseman is destruction of data. Data can be destroyed accidentally or maliciously whether it’s deleted, corrupted, or otherwise rendered unusable. However it happens, it’s definitely the sign of a bad day ahead.
I remember as a young lad, accidentally deleting an entire folder of my dad’s important files. I still have flashbacks of MS-DOS and typing del *.* into a command prompt.
Tackling the Four Horsemen
Once a CISO understands the four horsemen, they can begin to assess the risk of each scenario and the types of data security controls needed to protect against each scenario both individually and collectively. This starts with visibility to allow organizations to spot the signs of the four horsemen.
But First, What Exactly Is Data Security?
Data security is defined by Symmetry Systems as the combination of people, processes, policies, and technologies implemented to protect data from unauthorized access, destruction, and/or alteration. The level of protection required is determined by the value of the information being protected and the consequences if it isn’t, balanced against the cost of protection. Effective data security requires a comprehensive approach that focuses not only on preventative measures, but empowers organizations to detect and respond to security incidents, minimize the impact of a breach, and reduce the risk of financial loss, legal liability, and damage to their reputation.
The definition implicitly recognizes that data privacy laws and data protection mandates (such as PCI, HIPAA, etc.) and compliance with these laws and mandates, are powerful forcing functions for data security, given the heftiness of the consequences for non-compliance.
It should be relatively easy to see that data security by definition is designed to protect organizations from our mythical four horsemen, so let’s examine this in more detail.
Five Types of Data Security
While data security refers to the overall practice of protecting data from all threats, it tends to be grouped into distinct types of data security measures aimed at:
- Identifying and classifying data to inform other data security practices;
- Preventing, detecting, and responding to unauthorized access to data;
- Detecting alteration of data;
- Managing non-compliance of data; and
- Preventing and recovering from the destruction of data
At its most simple, data security can be broken into:
- Data Visibility: Provides insight into the data that an organization collects, processes, and stores. These measures can include data discovery tools, data classification and tagging, and log monitoring to track who has accessed or modified the data.
- Confidentiality Measures: Ensures that data can only be accessed and viewed by authorized users. These controls can be further broken down into:
- Data Access Controls: A combination of controls, including encryption to authenticate, authorize, and audit the identities with access to read data.
- Data Minimization Controls: A combination of approaches, including data masking and data deletion that is used to reduce the confidentiality of the data.
- Data Compliance Management: Ensures that an organization is in compliance with applicable laws, regulations, and industry standards around data and data security. These measures can include audits, continuous control monitoring, assessments, and third-party certifications.
- Data Integrity and Activity Monitoring: Ensures that data has not been subject to unauthorized changes. The measures include backup and recovery policies and processes, disaster recovery planning, and redundancy.
- Availability Measures: Ensures that data is readily—and safely—accessible and available for ongoing business needs, and recoverable in the event of an apocalypse. The measures include backup and recovery policies and processes, disaster recovery planning, and redundancy.
Where do you start?
When I was at Gartner, I would often get questions about where to start. The pithy answer of “it depends,” just doesn’t cut it. The reality is that you’ve already started. You first need to figure out what you have and what you don’t have in place. While there is no magic formula for data security, a data security posture management (DSPM) solution can be an immense help in understanding your datascape and enable your teams to implement controls that stave off data incidents. A DSPM solution can tell you:
- Where your data is located.
- What kind of data do you have?
- Who can access your data?
- How is your data being used and by whom?
- What measures you have in place or not.
To learn more about DSPM or see a DSPM solution in action, please reach out. We’d love to show you how DataGuard can help keep the four horsemen as fiction.