We might not be surprised when we read about another data breach, but it does turn heads when it is a well-known brand like Twitter. Recent reports about a significant breach at Twitter were stunning. High-profile accounts were hacked in an attempt to solicit bitcoin. Florida police have now arrested a 17-year-old male, and two others have been charged by the Department of Justice in connection with the incident. It is reported that the teen allegedly convinced a Twitter employee that he worked in the Twitter IT department and tricked that employee into giving him the credentials.
This type of attack highlights why an IT-centric security program is clearly insufficient. No firewall was bypassed here: a person was persuaded over the phone to hand a valid credential to someone he had not verified. Too often companies focus on IT controls and fail to also include comprehensive operational controls. Without a fully operationalized security program, companies will continue to suffer such breaches. In fact, Security Boulevard is reporting a significant increase in data breaches in Q1 2020, with 8.4 billion records exposed. The importance of looking at more than just IT controls is shown by the fact that “80% of data breaches have occurred either because of stolen credentials or brute-force attacks.”
What can your company do to protect data?
In our blog last week we looked at how the use of real-time data can play an important role in showcasing your security and risk management program. Companies need to stop using out-of-date information to make security investment decisions and instead learn to track their data and to use it to keep their organization safe. Investing in a tool that shows your organization’s data in real time, comprehensively across the whole organization, and that is easy to maintain is a great start to any security program. When your employees have real-time data at their fingertips they will be able to act faster and use that data to benefit your security program.
What are the lessons to be learned from the Twitter breach?
CEOs and CISOs will be wondering how they can prevent the same thing happening to them.
Here are 7 steps you can take to protect your organization:
1. Use real-time data to locate and investigate your weakest link.
Conduct a thorough risk assessment and maintain an ongoing risk review process. You are only as strong as your weakest link, so it pays to identify it and work to strengthen it. A risk assessment is a great starting point, as it clearly lays out for the IT department and senior management where the weaknesses are so that they can be addressed. The key to a successful risk assessment is to keep feeding it current data so that it becomes an ongoing risk management process: you are always aware of where your risks lie, and you can plan to handle them before someone else finds them.
2. Invest security dollars in the areas of weakness, even if it does not result in buying cool tech.
Everyone loves cool new technologies but sometimes you have to allocate security dollars to some basics like training or risk assessments in order to ensure you know where your risks lie. By investing your security budget in areas of weakness you are shoring up your whole cybersecurity program.
3. Offer comprehensive and frequent security training to all employees.
Learn from the Twitter breach where Twitter said “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems. This was a striking reminder of how important each person on our team is in protecting our service.” Organizations must run regular training for all employees, especially on how they should handle sensitive data. Conducting annual training is insufficient. It is better to train for shorter time periods, more frequently. Use a risk management tool that will track this training and ensure all employees, plus new employees, have taken the required training.
4. Conduct phishing, vishing and smishing simulations regularly.
Learn about the dangers out there for your employees and know that the hackers and criminals are always trying to be one step ahead of your organization. Alert employees to the dangers of current scams so they will understand what to look out for and be ready to act appropriately to protect company data. If you conduct simulations of cyberattacks using various methods, employees will be ready to handle a real situation when, not if, it occurs.
5. Flag critical data access and restrict access to essential employees only.
Ensure that your critical data access is limited to essential employees only. Do not allow sharing of credentials. Require multi-factor authentication for access to critical systems, so that a password disclosed over the phone, as in the Twitter incident, is not enough on its own. Use a tool that flags every access to that data and routes each flag into a review process. By restricting access to critical data you reduce the chances of that data being accessed by intruders or unauthorized users.
6. Create alerts that flag suspicious access or use.
Organizations should use a tool that creates alerts to flag suspicious activity or use on their systems. However, it is not enough just to have the system create the alert if no one ever looks at it! Assign an owner for each alert, and make sure there is a review process that looks at the logs regularly and analyzes how the critical data is being used: who accessed it, from where, at what time and how often. Use a tool that shows real-time data to help your employees notice unusual activity faster so they can act faster to stop a data breach.
7. Create a culture of security.
When employees see something suspicious are they encouraged to speak up? Reward employees for vigilance. Provide incentives for breaking things or exposing loopholes. Your employees are your first line of defense. They are effectively the infantry in your cyber army. Make sure to use them.
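Steps 5 and 6 above say to flag access to critical data and alert on suspicious use; here is what that detection logic looks like in practice. This is an added example written for this post, not code from Ostendio or from any product. The log format, the roster of who may touch each critical resource, the network ranges, the thresholds and the log lines themselves are all constructed for the example.

```python
"""Flag critical-data access and alert on suspicious use, run over constructed audit log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) audit log format, one event per line:
#   ISO-8601 timestamp  user  source-IP  action  resource
# The lines below are constructed sample data, not a real log.
SAMPLE_LOG = """\
2020-07-15T09:02:11 alice 10.0.4.21 read  customer-db
2020-07-15T09:05:40 bob   10.0.4.30 read  marketing-site
2020-07-15T09:07:02 carol 10.0.4.51 read  customer-db
2020-07-15T14:31:09 alice 198.51.100.7 write account-tools
2020-07-15T14:31:15 alice 198.51.100.7 write account-tools
2020-07-15T14:31:20 alice 198.51.100.7 write account-tools
2020-07-15T14:31:24 alice 198.51.100.7 write account-tools
2020-07-15T14:31:30 alice 198.51.100.7 write account-tools
2020-07-15T14:31:33 alice 198.51.100.7 write account-tools
2020-07-15T22:14:05 dave  10.0.4.77 write account-tools
"""

# Step 5: which critical resource each essential employee is allowed to touch (hypothetical roster).
# Anything not listed here is not critical and is never alerted on.
CRITICAL_ACCESS = {
    "customer-db": {"alice"},
    "account-tools": {"alice", "dave"},
}
CORPORATE_NETWORKS = ("10.0.",)      # source-IP prefixes treated as on the corporate network (assumed)
BURST_LIMIT = 5                      # writes per user within BURST_WINDOW before we alert
BURST_WINDOW = timedelta(minutes=1)
BUSINESS_HOURS = range(8, 19)        # 08:00 to 18:59 counts as business hours (assumed)


def parse_log(text):
    """Turn the raw log text into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, resource = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "ip": ip, "action": action, "resource": resource,
        })
    return events


def detect(events):
    """Step 6: return a list of (rule, user, detail) alerts for critical-resource events."""
    alerts = []
    recent_writes = defaultdict(list)   # user -> timestamps of recent writes
    seen_off_network = set()            # (user, ip) pairs already reported once
    for ev in events:
        res = ev["resource"]
        if res not in CRITICAL_ACCESS:
            continue                                    # not critical data: no alert
        if ev["user"] not in CRITICAL_ACCESS[res]:
            alerts.append(("unauthorized_access", ev["user"], res))
        if not ev["ip"].startswith(CORPORATE_NETWORKS):
            key = (ev["user"], ev["ip"])
            if key not in seen_off_network:             # report each new off-network source once
                seen_off_network.add(key)
                alerts.append(("off_network", ev["user"], ev["ip"]))
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("after_hours", ev["user"], res))
        if ev["action"] == "write":
            window = recent_writes[ev["user"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BURST_WINDOW:
                window.pop(0)                           # forget writes older than the window
            if len(window) == BURST_LIMIT:              # alert once, when the threshold is crossed
                alerts.append(("burst_writes", ev["user"], res))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule:<20} user={user} {detail}")
```

On the sample data this raises four alerts: carol reading customer-db without being on the roster, alice operating account-tools from an address outside the corporate network, alice crossing the write-burst threshold, and dave using account-tools late at night. None of these is a breach on its own; each is a flag that someone must own and review, which is the point of step 6.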
The Ostendio MyVCM collaborative, integrated risk management platform helps companies build, operate and showcase their security and compliance programs. It offers real-time data views across your organization with easy-to-read dashboards that show either an individual security score or an organizational security score. It is a simple to read graphic format which gives information at a glance plus the ability to dive in deeper to understand the exact data used to attain that score. And it engages all employees in the solution. If you would like to learn more about how the MyVCM platform could help your business, talk to an expert at Ostendio who is happy to help.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
Save Time and Money
At Ostendio we are happy to have transparent pricing available on our website. The pricing tool shows the three plans available, with a cost saving tool so you can see how much you can save. Check it out!