Data has become the most valuable commodity and today, most organizations know more about an individual than ever before. Unfortunately, our information is not being handled appropriately, given the number of data breaches we see in the news. In fact, in 2020, it was reported that there were 37 billion records breached, a significant rise of 141 percent, with household brand names like Facebook, Google, and Zoom all suffering data breaches.
With so much information exposed online, many people feel that personal privacy has become almost non-existent. Some would say it is an illusion. Yes, technology certainly has its benefits and conveniences, but given the amount of data being harvested, never has there been a time when people have felt, rightly so, more vulnerable.
Indeed, the fact remains that cybercriminals are continuously phishing and trawling the Internet, forever seeking weaknesses that will lead them to that digital pot of gold: our data. While many may feel our grip on protecting our online identities is already lost and that we are nearing a dystopian online future, having the right mindset, culture and technology can be the necessary catalyst to resurrect the hope in defending privacy and protecting ourselves on the Internet.
The continued encroachments on our personal data have led to several important privacy laws, including the broad General Data Protection Regulation (GDPR), which governs the digital records of EU companies and citizens. Its passage has forced many organizations, even those located outside the EU, to adopt stricter data and privacy handling procedures. Most non-EU nations have at least one, if not many, similar data protection regulations. Privacy and data protection regulations create a floor of what is acceptable for privacy and data control. Any company ignoring recommended best practices is at increased risk of non-compliance, and potentially subject to civil and criminal liabilities.
Turning compliance into real security
With that said, it’s far too easy for an organization to turn compliance into a checklist exercise with little real improvement in security. It’s important for all organizations involved to recognize the difference between compliance and security, and how the two can diverge. It’s incumbent on every organization to ensure that it is both maintaining good governance compliance and decreasing overall security risk at the same time.
Risk-rank threats and defenses
Clearly, the most significant improvement that can be made to any compliance guideline is risk-ranking the various threats and using that ranking to align the right defenses against the right things, in the right places, in the right amounts. Nearly every compliance guideline has many dozens to many hundreds of recommended or required controls. Every compliance guideline is trying to stop all threats, and in doing so ends up recommending that its followers implement every mitigation, seemingly all at once. On paper, most compliance guidelines apparently see all threats like bubbles in a glass of champagne - all bubbles of equal size. But some bubbles (i.e. threats and risks), in the real world, are much larger than the rest.
For example, for nearly the entire history of computing, just two root causes - social engineering and unpatched software - have been responsible for the majority of successful malicious breaches. Every other root cause added together does not equal those two threats.
Every organization needs to look at the threats and risks it faces, rank them by likelihood of occurrence and potential damage, and then focus on mitigating the most common and most damaging threats first and best. If more organizations did this, there would be a bigger focus on fighting social engineering and better patching as the top priorities. But in any given compliance document, fighting social engineering and better patching are treated as just two of the hundred things a following organization needs to do. The single best thing any organization can do to turn compliance into real risk reduction is to figure out what its top threats are and fight those first and best. Real-world threats aren’t like bubbles in a glass of champagne. Make sure your mitigations are sized to the risk they are facing.
Devil’s in the details, get the details right
Many compliance guidelines have recommendations with broad requirements like “read all security logs daily” or “patch critical vulnerabilities in a timely manner”. The recommended controls are so general that they can be read many different ways by different readers. For example, what is “timely” patching? Is it patching within one day of the vendor’s patch release, three days, one week, or one month? Clearly, different organizations have different interpretations.
Every general compliance recommendation should be converted into an explicit, easy-to-measure requirement based on best security practices for the risks the organization faces. For example, continuing the patching scenario, an organization may turn the general requirement into something like this: “Apply all patches ranked as critical by the vendor or MITRE CVE evaluation metric within 5 calendar days of release by the vendor.” When in doubt about how to interpret a control, fall back to the more secure setting.
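Once the requirement is stated as “critical patches within 5 calendar days of vendor release”, it can be checked by a script rather than argued over. The following is an added example (not from the original article or any product it mentions) that classifies patch records against that clause; the record format, host names and advisory ids are constructed placeholders, and the 5-day figure is the one quoted above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The measurable requirement from the text: critical patches applied within
# 5 calendar days of the vendor's release. The record format and the sample
# data below are constructed for this example.
CRITICAL_SLA_DAYS = 5


@dataclass
class PatchRecord:
    host: str
    advisory: str            # vendor advisory or CVE id; placeholders here
    severity: str            # vendor or CVE rating, e.g. "critical", "high"
    released: date           # day the vendor published the patch
    applied: Optional[date]  # day it was installed, or None if still missing


def sla_deadline(rec: PatchRecord) -> date:
    """Last calendar day on which applying the patch still meets the SLA."""
    return rec.released + timedelta(days=CRITICAL_SLA_DAYS)


def evaluate(rec: PatchRecord, today: date) -> str:
    """Classify one record as 'n/a', 'met', 'pending' or 'breached'.

    Only critical patches are subject to the 5-day clause; anything else is
    'n/a' for this particular requirement.
    """
    if rec.severity.lower() != "critical":
        return "n/a"
    deadline = sla_deadline(rec)
    if rec.applied is not None:
        return "met" if rec.applied <= deadline else "breached"
    # Not yet applied: either still inside the window, or already late.
    return "pending" if today <= deadline else "breached"


def compliance_report(records: List[PatchRecord],
                      today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Group (host, advisory) pairs by SLA status, so an auditor can measure
    whether patching was 'timely' instead of interpreting the word."""
    report: Dict[str, List[Tuple[str, str]]] = {
        "met": [], "pending": [], "breached": [], "n/a": []
    }
    for rec in records:
        report[evaluate(rec, today)].append((rec.host, rec.advisory))
    return report


# Constructed sample data; advisory ids are placeholders, not real identifiers.
SAMPLE_RECORDS = [
    PatchRecord("web-01", "ADV-EXAMPLE-001", "critical", date(2024, 3, 1), date(2024, 3, 4)),
    PatchRecord("web-02", "ADV-EXAMPLE-001", "critical", date(2024, 3, 1), date(2024, 3, 9)),
    PatchRecord("db-01", "ADV-EXAMPLE-002", "critical", date(2024, 3, 10), None),
    PatchRecord("db-02", "ADV-EXAMPLE-003", "high", date(2024, 2, 1), None),
    PatchRecord("app-01", "ADV-EXAMPLE-004", "critical", date(2024, 3, 1), None),
]
AS_OF = date(2024, 3, 12)  # the day the report is run

if __name__ == "__main__":
    for status, items in compliance_report(SAMPLE_RECORDS, AS_OF).items():
        print(f"{status:8s} {items}")
```

The point of the example is the shape of the output: every record lands in exactly one of four buckets, and “breached” is a number that can be tracked over time rather than a judgement call. In practice the records would come from the patch management or vulnerability scanning system, and the severity field would be mapped from whichever rating the requirement names.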
Exceed compliance requirements when better security demands it
Compliance regulations are often the bare minimum security that any organization should follow. For example, many regulations, like GDPR, don’t mention password policies, and the ones that do have older recommendations (e.g. “At least 6 characters long”). Every computer security defender needs to ascertain whether meeting a control “to the letter of the law” is really good security. And if not, exceed the requirement. For example, concerning password policy, most computer security experts would tell you that a password needs to be at least 8 characters long, contain some complexity, not be composed of something that an attacker might easily guess (like the user’s name), and be periodically changed. Or better yet, move your organization to multifactor authentication (MFA). Don’t just do the bare minimum when the bare minimum really isn’t enough.
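To make the gap between the two policies concrete, here is an added example (not from the original article) that encodes the regulation’s “at least 6 characters” minimum next to the stronger policy the paragraph describes and evaluates sample credentials against both. The 90-day rotation period, the rule names, and the sample users and passwords are assumptions constructed for the example; the function reports only which rules fail, never the password itself.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_complexity: bool = False    # at least three of the four classes below
    forbid_username: bool = False       # reject passwords containing the user name
    max_age_days: Optional[int] = None  # require periodic change; None = never


# "At least 6 characters" is the regulation example from the text; the
# 8-character, complexity, username and periodic-change rules are the stronger
# policy the text recommends. The 90-day period is an assumption.
REGULATION_MINIMUM = PasswordPolicy("regulation minimum", min_length=6)
RECOMMENDED = PasswordPolicy("recommended", min_length=8, require_complexity=True,
                             forbid_username=True, max_age_days=90)

_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password: str) -> int:
    """Number of distinct character classes present (0 to 4)."""
    return sum(1 for rx in _CLASSES.values() if rx.search(password))


def evaluate_password(password: str, username: str, last_changed: date,
                      policy: PasswordPolicy, today: date) -> List[str]:
    """Return the policy rules the password fails; an empty list means it passes.

    Only rule names are returned, so the result is safe to put in an audit log.
    """
    failures: List[str] = []
    if len(password) < policy.min_length:
        failures.append(f"length<{policy.min_length}")
    if policy.require_complexity and character_classes(password) < 3:
        failures.append("complexity<3 classes")
    if policy.forbid_username and username and username.lower() in password.lower():
        failures.append("contains username")
    if policy.max_age_days is not None and \
            (today - last_changed) > timedelta(days=policy.max_age_days):
        failures.append(f"age>{policy.max_age_days} days")
    return failures


# Constructed sample credentials for the demonstration, not real accounts.
AS_OF = date(2024, 6, 1)
SAMPLES = [  # (username, password, date last changed)
    ("alice", "Summer1", date(2024, 5, 20)),
    ("alice", "alice2024!", date(2023, 11, 1)),
    ("bob", "Tr0ub4dor&3", date(2024, 4, 15)),
]

if __name__ == "__main__":
    for policy in (REGULATION_MINIMUM, RECOMMENDED):
        print(f"--- {policy.name} ---")
        for user, pw, changed in SAMPLES:
            result = evaluate_password(pw, user, changed, policy, AS_OF)
            print(f"{user:6s} {'pass' if not result else ', '.join(result)}")
```

Run as-is, all three sample passwords satisfy the regulation minimum, while two of them fail the recommended policy (one on length, one on both the user-name and age rules). That difference is exactly what “meeting the letter of the law” hides.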
Pay attention to changing malicious trends and technology changes
Compliance regulators are notoriously slow to recognize new malicious trends, which means regulations are slow to change. For example, most regulations do not mention or require MFA. Most do not mention cloud computing or how to secure it. For at least a decade, phishing and social engineering, which get past policy and technical defenses and reach employees, have been a top cause of malicious data breaches. Yet most regulations are only now (or only within the last year or two) recommending that security awareness training and simulated phishing exercises be used to educate employees on how to recognize and handle social engineering and phishing threats.
Malicious techniques can change on a dime. Cybersecurity regulations rarely do. All organizations need to pay attention to those changes, especially the ones that are still building, and take the appropriate precautions.
Turn your auditors into partners
Most organizations’ IT staff are scared of their auditors. They think the auditor is only there to find exceptions, which get turned into a report, which details their weaknesses to management. And traditionally, that is all many auditors did. The key is to turn auditors into trusted business partners, seen as being on the same team, there to help decrease cybersecurity risk. Instead of just finding weaknesses, auditors should be invited into more cybersecurity discussions to help everyone make the appropriate risk decisions. Change the way auditors are involved and interact with people in your organization so that they are seen as the trusted business partners they really are. Auditors aren’t the enemy. Hackers are! Help your auditors to be seen and used as crucial cogs in keeping hackers out. That means involving them in more than just compliance checklist checking.
Our personal data is everywhere, and the sheer number of massive data breaches proves it often isn’t protected nearly as well as it should be. Many privacy and data protection guidelines and requirements have been created in response. Compliance can be more than checklist security. It can be used as a catalyst for real cybersecurity risk reduction. And that’s good for all of us.
Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4