Friday, March 15, 2013

The Last IT Risk Assessment was conducted by Coopers & Lybrand in 1980



"Why are there still so many data breaches?"

asks a board member of his CIO.

The question is, of course, a poor one, born of a lack of clarity in how technology risks are identified and understood. But let's play along. When does a data breach occur? Is it when:
  • a former employee's remote access is left on? No, but we audit for this, says the "Risk Based Audit Program" partner.
  • a file is not encrypted when it is stored? No, but we audit for this.
  • a firewall fails to stop malicious software from landing on the corporate network? No, but we audit for this.
  • intrusion detection software fails to detect an intrusion? No, but we audit for this.
  • the malicious software, having found sensitive information, sends that file to the author of the malicious software? Yes, but we don't audit for this.

How can this be?

It is a rather simple human story. In the late 70's corporations were using mainframe computers on what we would now call a private-network basis. It occurred to management that there were profitability risks if these machines stopped working, and the Disaster Recovery Plan movement started. Then a clever programmer took the round-off error from the accounting program and credited that amount to a personal account. Whether this actually happened or not, the story made the point, and management got budgets for Computer Auditing.

But what to test? Where were the risks? The industry looked to Coopers & Lybrand and their Handbook of EDP Auditing by Stanley D. Halper, published by Warren, Gorham & Lamont, Inc., for answers. Their risk assessment led to the concept of IT General and Application controls. Extreme focus was put on ensuring that only employees had access to the computers and reports. There was no way to save data "off line" at that time: no thumb drives, no email, no Instant Messaging. In short, the only data egress would be an employee physically stealing a printed report or data tape, and access to these items was controlled, so this exposure was managed.

The AICPA embraced the approach as gospel, the concepts were replicated in audit programs and regulatory standards, and they became the unquestioned, common-sense approach for anyone in the know. To this day the GLBA, PCI and HIPAA models are based on the access control models of C&L's 1980 assessment of risks! But the risks have changed significantly with the advent of the Internet and easy connectivity between computers!

The Solution - True Risk Identification and Mitigation

IT risk assessments need to ask a yes-or-no question: can we identify sensitive data that a person or a software program is attempting to send off our computers? Without a well-designed Data Leak Prevention approach the answer is no, we can't. The approach starts with identifying where sensitive data is kept, then "tagging" that data whenever it is copied or saved to a different location. The firewall, augmented with an outbound-traffic sentinel called a data egress filter, looks for these tags and, when necessary, blocks the outbound transmission. It sounds simple, and in fact it is, but one must be strong to fight the tide of conventional wisdom that has been accepted as truth since 1980!
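To make the tag-and-filter idea concrete, here is a small egress filter written for this post as an added example; it is not code from the original article or from any product. The tag format (an `X-DATA-CLASS:` header written into a file when it is classified), the label names, and the sample customer record are all assumptions made for the demonstration. It goes one step beyond the text: because a program exfiltrating a file can simply strip the tag, the filter also fingerprints registered sensitive documents by hashing runs of consecutive words, so an untagged excerpt copied out of a known document is still recognised and blocked.

```python
"""Toy data egress filter: tag check plus document fingerprinting.

Added example for this post; tag header, labels and sample data are
constructed for illustration and are not any vendor's format.
"""
import hashlib
import re

# Classification header written into a file at save/copy time (assumed format).
TAG_RE = re.compile(rb"^X-DATA-CLASS:\s*([A-Z]+)\s*$", re.MULTILINE)
SENSITIVE_LABELS = {"PCI", "PHI", "CONFIDENTIAL"}
SHINGLE_WORDS = 8  # words per fingerprint window


def tag_data(body: bytes, label: str) -> bytes:
    """Prepend the classification tag when data is copied or saved elsewhere."""
    return b"X-DATA-CLASS: " + label.encode() + b"\n" + body


def shingles(body: bytes) -> set:
    """Hash every run of SHINGLE_WORDS consecutive words, so an excerpt of a
    registered document still matches after its tag has been stripped."""
    words = body.lower().split()
    return {
        hashlib.sha256(b" ".join(words[i:i + SHINGLE_WORDS])).hexdigest()
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


class EgressFilter:
    """Outbound-traffic sentinel: decides whether one payload may leave."""

    def __init__(self):
        self._registry = set()

    def register_sensitive(self, body: bytes) -> None:
        """Fingerprint a document found during sensitive-data discovery."""
        self._registry |= shingles(body)

    def inspect(self, payload: bytes):
        """Return ("BLOCK", reason) or ("ALLOW", "") for an outbound payload."""
        m = TAG_RE.search(payload)
        if m:
            label = m.group(1).decode()
            if label in SENSITIVE_LABELS:
                return ("BLOCK", "tag:" + label)
        # Tag missing or stripped: fall back to content fingerprints.
        hits = shingles(payload) & self._registry
        if hits:
            return ("BLOCK", f"fingerprint:{len(hits)} matching windows")
        return ("ALLOW", "")


# Constructed sample record for the demonstration (not real customer data).
CARD_LEDGER = (
    b"Customer account ledger for Acme Corp: cardholder John Q Public "
    b"card ending 4242 expires 2015 billing address 1 Main Street Springfield"
)


def demo() -> dict:
    """Run four outbound payloads through the filter and return the verdicts."""
    f = EgressFilter()
    f.register_sensitive(CARD_LEDGER)
    return {
        # Tagged copy of the ledger: caught by the tag check.
        "tagged": f.inspect(tag_data(CARD_LEDGER, "PCI"))[0],
        # Tagged but non-sensitive label: allowed through.
        "public_tag": f.inspect(tag_data(b"Press release: quarterly results", "PUBLIC"))[0],
        # Untagged excerpt pasted out of the ledger: caught by fingerprinting.
        "excerpt": f.inspect(b"cardholder John Q Public card ending 4242 expires 2015")[0],
        # Ordinary traffic: allowed.
        "benign": f.inspect(b"Lunch is at noon tomorrow, see you there")[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11s} {verdict}")
```

Two caveats a practitioner would add. First, a tag carried inside the content is only as strong as the attacker's unwillingness to delete it, which is why the fingerprint fallback matters. Second, both checks require the sentinel to see plaintext: if the malicious program compresses or encrypts the file before sending it, a network-side filter sees noise, so the tag and fingerprint checks have to run on the endpoint or behind TLS interception.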