Being in transit can be a risky venture when it comes to information, suggests Brian Huntley, senior information security advisor for IDT911 Consulting.
“Information is especially at risk of breach when it is in transit on public networks, and when it is shared with third parties, such as vendors, service providers and resellers,” Huntley told Canadian Underwriter via email.
Huntley shared his thoughts in advance of the RIMS Canada Conference 2015 in Quebec City this week, where he spoke Monday about how companies experience data breaches despite having in place strict security protocols.
“As the knowledge base and population of information security professionals expands, so, too, will the understanding and awareness of what strict security protocols look like,” Huntley suggests. Among the leading essential security protocols, he notes, are Internet host configuration, vendor management, physical security, risk assessment, encryption, remote access security, third-party access, firewalls, record retention, patch management, password management, incident response, vulnerabilities management, information classification, awareness and training, and intrusion monitoring and detection.
To ensure that strict security protocols stay effective, Huntley advises every company to monitor and test those protocols continuously, so that they keep pace with a risk profile that is constantly being reshaped by “the continually shifting threat spectrum and significant technology change.”
All this effort, however, will only lead to true protection if both a company and the third-party providers it uses are on the same page. To make that happen, Huntley says a company must have in place rigorous due diligence processes to pre-qualify and continuously verify the security protocols employed by third-party vendors, service providers and resellers. In addition, he notes, a company’s required protocols must be indicated as “user controls” or “user control considerations” in third-party service agreements and test reports (that is, the controls a provider’s audit report assumes its customers operate themselves, so that the customer knows which safeguards remain its own responsibility).
Absent that, “companies may confront undue data breach risk as a result of the actions and errors of others, or their own failure to act in accordance with guidance provided by these third parties,” Huntley cautions.
Beyond keeping companies and third parties on the same page, there is the human factor, which attackers increasingly exploit. “Systems breach tactics increasingly target the human factor as the weakest link in the security protocol chain, as means to enable placement of information theft-enabling technology, and as means to establish apparent trust accreditation for nefarious activities,” Huntley reports.
His expectation is that “pure-play technical attacks will continue descendency in direct response to the development and market availability of effective technical preventive controls embedded in security technologies and network equipment.”
Huntley argues it is generally accepted that larger organizations are at greater risk of data breach and, as such, have greater need to implement strict security protocols. Among other things, the scale and diversification of larger organizations typically mean they have custody of more information, and it is generally more difficult to centrally control that information in a way that promotes consistent, reliable security control management in all areas and at all levels of the organization.
That said, “smaller companies also have their own host of issues and are often targeted due to their absent or inadequate security procedures and personnel, meaning thieves may face less resistance when trying to breach the company,” Huntley cautions.
“Data security breach threats should be focused on in direct proportion to the relative risk they represent,” he advises, adding that it would be short-sighted to rule out any one threat type versus another: say, external versus internal.
For example, Huntley says “accidental, ‘non-malicious’ breaches resulting from human error or insufficient competency are best addressed through increased employee training, as well as quality-insistent business process management, integrated around an IT/business processing environment that embeds automated technical preventive, detective and corrective breach controls.”
Huntley suggests the phrase, “Good enough never is,” represents a truism around data breach prevention.
“Just as no business environment, nor performing organization, ever remains stagnant or static, so, too, should organizations’ security protocols be continually monitored, tested and updated to ensure their ongoing efficacy,” he maintains. “Security program monitoring, program management and continuous improvement are the critical success factors toward achieving this.”