Assessing and Reducing Information Exposure
With companies of all sizes increasingly dependent upon information to enable their business, protecting critical data has never been a higher priority. After all, the risk of a data breach is real; in 2008, 285 million electronic records were breached, which is more than the previous four years combined. Data breaches are also expensive, with the average cost estimated at $6.7 million, or $202 per consumer record.
Yet, identifying and addressing priority data loss and data exposure concerns can be difficult. Information exposure assessment is a collaborative process that requires organizations to answer several key, foundational questions. For example, where is the companyís critical and sensitive information, who is using it, and how vulnerable is it to breach? Where is this information being stored, is it classified appropriately, what data retention policies apply to it, and what controls are in place to protect it? What critical and sensitive information is exposed to threats, which threats represent the greatest risk to the organization, and how should information be protected against these threats?
As organizations answer these questions, they will gain invaluable insight and visibility into their current information exposure risks and can begin to proactively manage that risk in a coordinated approach.
A Challenging Environment
Intellectual property, personally identifiable information, credit card data, Social Security numbers, and other sensitive data have become the targets of choice in an era of organized information warfare. From all corners of the world, todayís well-funded and highly-equipped cybercriminals are making their way into companies of all sizes to find and extract information to sell in a thriving underground economy.
But external cybercriminals are not the only threat to information security. Organizations must also protect against the threat from insiders, whether from well-meaning employees who inadvertently put data at risk or from malicious employees who intentionally expose critical information.
Consequently, organizations must not only understand their exposure to internal and external data breaches, they must also be able to measure actual data loss risk across networks, web applications, storage, and endpoints.
Yet, while organizations may acknowledge the need for information protection, the complexity of their own environment often undermines their best security efforts. Siloed programs together with the challenges of distributed resources, limited budgets, and outsourced teams often result in misaligned objectives, incomplete security activities, and holes in data protection and security.
To develop a comprehensive risk mitigation plan, organizations must review and prioritize their most critical information and data assets, and identify how that sensitive information is being used across the business. Once this information is in place, organizations must pinpoint key systems and applications associated with this data, and conduct an analysis of vulnerabilities and data loss risk in their environment. Organizations can then develop a remediation plan to address both internal and external threats.
Identifying Critical Information and Systems
The process of assessing information exposure begins by reviewing key information classification levels, such as public, private, confidential, and top-secret. Organizations then assign specific data asset categories--for example, merger and acquisition communications, network diagrams, or marketing plans--to the appropriate levels. In doing this, organizations define where data should be stored, how it should be protected, where it can be sent, and who should have access to it.
Similarly, organizations can also pinpoint the various systems--from internal departmental file shares to databases, centralized document repositories, collaboration sites, email servers, transaction servers, and web servers--where their critical information may potentially be stored, processed, managed, or viewed.
Once critical information and systems have been classified, organizations can then locate and quantify the amount of critical information that is actually residing on systems across the enterprise. As this data is discovered, organizations may find that the surface area on which sensitive information is located is much greater than they thought, and that much of their critical information is on unprotected systems.
Assessing Internal and External Exposure
After accurately locating critical information, organizations can then assess the risk of data loss based on where sensitive information is being sent, who is sending it, and how often it is happening. During this phase of an information exposure assessment, it is common for organizations to also uncover broken business processes that can lead to vulnerability.
For example, many organizations find that the majority of data loss risks are associated with well-meaning employees inside the organization who inadvertently put information at risk in the course of their day-to-day activities at work. This may include the employee who copies confidential information onto a USB drive in preparation to work at home or emails confidential work information home using a personal email account.
To assess the risk from malicious individuals who are either inside or outside the organization, network and application security and penetration tests can be performed. Whether conducted by security professionals inside the organization or by outside consultants, these tests model specific attack vectors that may be used by malicious users to gain access to critical information and, in turn, identify and validate potential vulnerabilities that could lead to data loss.
At the conclusion of an information exposure assessment, organizations should develop a mitigation plan based on their risk tolerance. The plan should detail the findings of the internal and external information exposure risks and explain the estimated business impact should a vulnerability be exploited. It is also helpful to include an assessment of the security measures that are currently in place in comparison with industry best practices. Most important of all, organizations should also formulate a prioritized action plan for remediation together with a list of recommendations for enhancing security and reducing risk.
With information now widely recognized not only as a companyís most critical resource but also its most valuable asset, protecting data has become a business priority. To reduce the risk of information exposure, organizations must understand where their most critical information is, where it is used, who is using it, and how it is vulnerable to internal and external threats.
Armed with this data, organizations will then have an accurate understanding of where their exposures are and can leverage this information to take a risk-based, prioritized approach to creating a more secure environment.
Data Loss Prevention: Where Do We Go From Here?
Enabling a Productive, Mobile Workforce with Data Loss Prevention
Best Practices for Protecting Critical Business Data
Implicit Trust Can Lead to Data Loss
About the Author
Samir Kapuria is Senior Director, Enterprise Security Practice at Symantec.