This post was originally published on DataOps Zone
Have you ever wondered how you could reduce security threats and risks against your data assets? Or even better, how you could eliminate threats to your organization's data entirely? If so, this article is for you.
We'll discuss some of the main challenges organizations have when they try to mitigate or eliminate data security threats. Then, we'll move on to risk assessment as the first piece of the threat mitigation puzzle. We'll discuss how to eliminate risks and threats and how to mitigate them using security controls. We'll also answer the question of how effective security controls are. Lots to talk about—let's get started!
Protecting Your Data Assets Is an Uphill Battle
Back in the old days, we only had to worry about viruses and trojans as the main threats to our data. If we weren't careful, some of these programs could format hard drives or erase data. The data threat landscape was simple, and organized cybercrime wasn't a thing. Because the threat landscape was simple, managing those threats was also easier—you just had to make sure your antivirus software was up-to-date and follow common data security practices. Organizations were just starting to realize the benefits of the internet, but soon our lives changed forever. The internet became mainstream, and we entered a new digital era. Our society had transformed, for better or worse (you decide), and organizations had to change the way they operated.
Cybersecurity threats have evolved and become more advanced. In addition, organizations have started to use new technologies to launch new products and deliver value to their customers. These technologies—like big data, mobile technologies, and artificial intelligence solutions—bring additional data security challenges and threats you need to deal with. Let's also add the security issues of legacy platforms and technologies to your to-do list.
To keep on top of all these challenges, you need the right skills, but those are hard to come by these days. There's a lot to do, and I recommend you start with risk management, which we'll discuss next.
Start Managing Your Risks
If you want to eliminate threats to your data, start with risk management as soon as possible. You don't have to start from scratch; just use one of the few well-known risk management frameworks, like NIST Risk Management Framework, ISO 27005:2018, ISO 31000:2018, or COSO Enterprise Risk Management. These frameworks will save you time and recommend specific steps to follow through your data protection journey.
Your first step in this process is to assess your risks and data threats. This means you'll also need an up-to-date data asset register. If you can't find it, just ask around because your organization should have one. Laws and regulations mandate an up-to-date information asset register (e.g., GDPR), and you could use these as a starting point in your risk assessment. Do some digging, and if you get stuck, engage with your data architects and key stakeholders to build an asset data register.
With your risk assessment completed, you're ready to present your risks and threats to senior management, and they'll need to decide what your next action will be. Their decision could be to accept, transfer, avoid, or mitigate those risks. Let's discuss these next.
Accept or Transfer Risks and Threats
Let's start with risk acceptance that's really simple. In this case, you don't need to take any actions other than to document this decision and move on.
Transferring the risk means you'll transfer the risk to a third party through a contractual agreement. For example, you could transfer the threats and risks of server hard drive thefts to a third-party cloud service provider. In this case, the service provider would be responsible for securing the servers, not you. Another common example is buying cyber insurance. These products protect organizations from specific cybersecurity threats like data theft, data destruction, and extortion.
Let's move on and learn how we can completely eliminate data security threats.
The Perfect Way to Eliminate Data Security Threats
The perfect way to eliminate data security threats is not to have them in the first place. In other words, avoid the risk and avoid the threat. What does this mean? Say, for example, that your organization has an old legacy website with millions of customers' data stored in a database. When I say "legacy," I mean the website has been nominated for "longest-running retro website on the internet" for 10 years in a row on Internet Archive. Your team has completed a risk assessment of this website and highlighted the high risk of a potential customer data breach. Senior management decides to avoid the risk. What do you do next?
You could decommission the website or get the customer data removed from the website database. Avoiding risks is a great way to eliminate data security threats. However, risk avoidance sounds almost too good to be true, and not something you hear often from senior management. Let's face it, organizations couldn't make a profit by avoiding risks. By doing that, they could potentially miss great business opportunities, lose their first-mover advantage, and fail to innovate or beat the competition. That's why we need to mitigate risks and threats, which we'll discuss next.
Risk Mitigation With Security Controls
Risk mitigation means lowering or reducing the data risks and threats to an acceptable level. You can achieve this by implementing security controls. Security controls have two components: security category and security control type. Let's dive into each of these, starting with the security category.
The Security Category
Security categories are administrative, technical, and physical controls. Think of the category as the "nature" of security control. For example, the administrative category refers to controls related to policies and procedures that organizations define and employees should follow. Laws and regulations are other kinds of administrative controls that organizations should follow. Technical controls are all the software and hardware devices that protect data, and they always restrict logical access to data assets. Physical controls are implemented using physical devices, such as data centers or walls, and they restrict physical access to data assets.
Security Control Type
Security control types can be preventive, detective, corrective, recovery, deterrent, and compensating controls. Think of these types as the "purpose" of the security control. A preventive security control prevents actions, threats, and incidents from occurring. Detective security controls help monitor and alert organizations when security incidents happen.
Corrective controls correct the damage or fix issues when security incidents happen. Recovery controls are similar to corrective controls, but their main job is to recover systems and data to previously known good states. Deterrent controls warn and deter people. Compensating controls are additional security controls you need when your existing security controls aren't effective enough. They're like the "next best thing," but use them wisely and be prepared to explain their usage to your auditors.
Let's illustrate how we can combine control categories and control types together.
Security Controls = Security Category + Security Control Type
The first example is technical preventive security controls. These could include antivirus software, firewall devices, and two-factor authentication technologies. A good example of a technical detective security control is an IDS device. Physical preventive security controls are physical devices, such as data centers, fences, walls, gates, or even security guards. Physical detective security controls could include CCTV and building alarms. You get the idea.
If security controls still sound a bit complicated, I couldn't agree more. That's why my next tip for you is to use a security standard to simplify this topic. These standards will guide you through the security controls and also show you how to test each security control's effectiveness. A few great security standards are ISO27001/27002, NIST SP 800-53, and FIPS 200. These will help you and your team immensely.
Are Security Controls Effective?
Security controls can be effective, but they're not silver bullets in data security. As cybersecurity threats constantly evolve, attackers will always find new ways to work around your defense and defeat your security controls. That's why your data security strategy should use the "defense in depth" approach, which means that you need to implement multiple security controls. The more you implement, the more effective your data protection will become.
So, in summary, we talked about the challenges organizations face with data protection and the importance of risk management. We learned about security controls as your main line of defense against data risks and threats, with the conclusion that these controls may not be effective and can only reduce risks. This is why "defense in depth" is your best data security strategy. As your homework, I'd like you to start assessing your risks and pick a security standard you'll need to implement. Remember to monitor your progress and always test the effectiveness of your controls. Until next time!