Though many states have adopted data breach notification laws, notification is a far cry from prevention. In fact, a recent state-by-state analysis published by researchers at Carnegie Mellon University showed that notification laws have not reduced identity theft.
This fits with the current reactive model of governance, risk and compliance (GRC) that most organizations are leaning on to solve data breach issues. The current mindset seems to be:
- Step 1 – Wait for a data breach to occur, hoping it doesn't happen to your organization;
- Step 2 – Get breached and notify consumers;
- Step 3 – Secure budget and get focused post-breach, then try to catch up and fix the problem.
Consider the recent LendingTree incident. This breach occurred for many of the same reasons behind the massive Société Générale breach and the multitude of celebrity medical records breaches – lack of control over access to information. At LendingTree, this occurred through a common breach in control known as orphaned accounts – an access point to proprietary data and applications belonging to a user who no longer is employed by a company.
According to a letter LendingTree released following the breach, some of the company's former employees shared passwords and access to proprietary data with friends in the mortgage lending industry. This occurred as much as six months after the employees stopped working at the company. When someone no longer works at a company, common sense says that their access to privileged information should be terminated as well.
If you think that your company is safe, ask yourself two questions:
“Can I reliably connect all system, application and data credentials to a specific individual (employee, contractor, partner or customer)?”
“Do our systems, application and data owners reliably know when a relationship changes with any one of these individuals?”
If the answer to either question is “no,” then you have an orphaned account problem and your company is a perfect example of reactive GRC – you may sense that there are risks, you might even have policies for disabling access on termination, but without control, you will never have governance or compliance.
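The two questions above reduce to a reconciliation that can be automated: join every account in your inventory to a person in the HR roster and flag the ones with no owner, an owner HR does not recognise, or an owner whose relationship has ended. The example below is added here and is not from the article or any vendor; the roster, the account inventory and the `as_of` date are constructed sample data, and the field names are assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): an HR roster keyed by a person id
# and an inventory of system/application accounts with the owner each one is recorded against.
HR_ROSTER = {
    "p001": {"name": "A. Lender", "status": "active", "end_date": None},
    "p002": {"name": "B. Broker", "status": "terminated", "end_date": date(2008, 1, 15)},
    "p003": {"name": "C. Contractor", "status": "contract_ended", "end_date": date(2008, 5, 30)},
}
ACCOUNTS = [
    {"system": "loan-app", "username": "alender", "owner_id": "p001", "enabled": True, "last_login": date(2008, 7, 1)},
    {"system": "loan-app", "username": "bbroker", "owner_id": "p002", "enabled": True, "last_login": date(2008, 6, 20)},
    {"system": "crm", "username": "ccontract", "owner_id": "p003", "enabled": True, "last_login": None},
    {"system": "crm", "username": "svc_report", "owner_id": None, "enabled": True, "last_login": date(2008, 7, 2)},
    {"system": "db", "username": "oldadmin", "owner_id": "p999", "enabled": False, "last_login": None},
]
AS_OF = date(2008, 7, 15)  # date the reconciliation is run (constructed)

def find_orphaned_accounts(accounts, roster, as_of):
    """Return one finding per account that fails the two questions:
    it cannot be tied to a known person, or that person's relationship has ended."""
    findings = []
    for acct in accounts:
        owner = roster.get(acct["owner_id"]) if acct["owner_id"] else None
        if owner is None:
            reason = "no_owner" if acct["owner_id"] is None else "unknown_owner"
        elif owner["end_date"] is not None and owner["end_date"] <= as_of:
            reason = "owner_departed"
        else:
            continue  # owner is known and still active: not orphaned
        finding = {"system": acct["system"], "username": acct["username"], "reason": reason,
                   "enabled": acct["enabled"], "days_orphaned": None, "used_after_departure": False}
        if reason == "owner_departed":
            finding["days_orphaned"] = (as_of - owner["end_date"]).days
            # A login after the end date is the LendingTree pattern: credentials still in use post-exit.
            finding["used_after_departure"] = (acct["last_login"] is not None
                                               and acct["last_login"] > owner["end_date"])
        findings.append(finding)
    # Enabled accounts already used after departure first; disabled ones last.
    findings.sort(key=lambda f: (not f["enabled"], not f["used_after_departure"], f["username"]))
    return findings

if __name__ == "__main__":
    for f in find_orphaned_accounts(ACCOUNTS, HR_ROSTER, AS_OF):
        print(f)
```

Feeding the report into the disable/remediate step, rather than just reading it, is what turns this detective check into the preventive control the article argues for.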
There has been a proliferation of detective GRC capabilities, including data loss prevention (DLP), segregation of duties (SOD), regulation analysis, and security information and event management (SIEM). While these technologies are important, they are reactive to the threats facing organizations today, much like intrusion detection solutions. They are great at telling you what happened, but on their own they cannot be solely responsible for stopping the threats facing corporate data.
Companies must break free from the reactive model of GRC and move towards a preventive model of GRC that focuses on evaluating the risks associated with sensitive data and establishing a set of clear and enforceable IT controls around all user access. Preventive GRC pulls together detective GRC solutions like SOD and DLP and combines them with management of the complete lifecycle of business and access policy, ensuring that people, access and actions are all consistent with business policy.
Through the practice of preventive GRC, organizations are able to:
- Define policy to manage corporate data;
- Apply policy evenly throughout an organization;
- Detect any and all actions or access rights that are inconsistent with policy;
- Remediate any misuse or non-compliance with policy;
- Assure that policy is appropriate and has been implemented effectively.