Why trust is overrated...

doifeellucky (306.35) · 5 years ago · SteemPeak · 6 min read · 12 comments

https://files.steempeak.com/file/steempeak/doifeellucky/6AsOAi27-image.png

Lucky, what are you writing there, some of you may think! Trust is the foundation of every social structure that has ever existed and of all that will ever exist.

Yep, this may be true, but in InfoSec (information security) we have to deal with the good, the bad and the very ugly, and from my experience I have to say that trust is overrated, at least in the workplace!

What is of existential importance for an enterprise should concern you too!

Data breaches happen on a daily basis. Some are due to technical vulnerabilities not known to the general public or even to infosec specialists; others are due to human error, such as inefficiencies in your ITSM (information technology service management) processes, or to straight-up sabotage or data sold by an organization's own employees, whether that organization is a large enterprise or a small business.

Yes, you can make a buck or two by selling sensitive personally identifiable information (PII) on the dark web.

To some this may seem very appealing if they can get their fingers on such data.

Or they might simply be disgruntled employees stung by the last bad performance review, a rejected request for more pay, a bad parking space at work, or some other reason... believe me, there are a lot of these self-serving excuses for why such things happen. We are all just human.

The question becomes: would you even be able to tell if someone had their fingers in the cookie jar?

Bigger corporations and organizations usually have their ducks in a row in that regard.

They have done the data classification, restricted access to sensitive data to those whose function requires it and whom human resources has screened for any record of anomalies, and, last but not least, have the technical means to log every data access for audit purposes.

One way to make sure that another set of eyes looks at an incoming data access request is to grant access only through your change management process, and to classify such a change request as important enough that the change management board decides on it.

But in practice, especially when a lot of such access requests come up, the change manager may declare them "low priority", and soon, when just one other person, usually the manager next in line above the requester, checks such CRs (change requests), he will start waving them through without really checking that the requests are valid.

So even the big guns that have all their processes and methods nicely arranged can suffer from wear-off effects in this regard, and invalid data access can happen.

The only way such an anomaly would be seen is through audits, where someone looks closely at all the sensitive data accesses that happened to find those that slipped through.

But to be honest, often you can only find them when you have in-depth knowledge of what to look for, and so many of these "finds" happen after the fact, when a breach has already happened and someone stumbles over personally identifiable information somewhere out in the wild!

So, what can you do to protect "your crown jewels"?

I'm sorry there is no easy answer to this!

You will have to do all of the work, from the first steps down to organizing recurring audits, and of course you want to do this without making your whole operation revolve around your infosec and data protection demands to the point where nobody does their "real" job anymore, which may be producing and selling something or handling data in some other important function.

This is why I say trust is still overrated in most organizations!

You should at least adjust this mindset to "trust, but verify", and let everybody know that you are looking closely at the "verify" part!

When it's too late and a breach has happened, they will surely take the time to find all of those who dropped the ball and let it happen.

Usually not only the person who took the data will be held responsible; everyone else who didn't do their job to prevent it will very likely have to take their hat too!

...and always keep in mind: the higher you go in management, the more likely you are to meet people who made it through a bunch of anomalies without a scratch. Why is that, you might think? Well, maybe because they stand on a little pile of heads that have rolled so they can stay untouchable. If you are in infosec, FGS, please make sure that you stay in line with your escalation processes and information chain requirements!
 
So,

  * Think about what is most important and critical to your business.
  * Then start restructuring and limiting access on a need-to-know/need-to-access basis.
  * Check whether you can introduce an automatic logging/auditing service into your IT operations.
  * Take a close look at your change management and find those recurring CRs that aren't looked at any more and are approved without the needed diligence.
  * Found holes in what you are doing at the moment? No matter at which level of the hierarchy you are, think at least of basic CMA (cover my ass) and make the issue known to whoever is responsible for securing operations in your neck of the woods!
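The last three points describe an audit that can be automated rather than left to someone eyeballing a spreadsheet. What follows is an added example, not code from the original post or from any organization it mentions: a small Python audit that cross-checks a constructed access log against a constructed list of approved access CRs, flagging reads of classified "sensitive" data without a grant that was valid at that moment, plus the two classic rubber-stamp patterns (a requester approving their own CR, and an approver who repeatedly approves within minutes). The log format, field names, data set names, people, the five-minute threshold and the "two fast approvals" cut-off are all assumptions; adapt them to your own ITSM and log exports.

```python
"""Trust-but-verify audit: unapproved sensitive reads and rubber-stamped CRs.

Added example, not the author's code. All data below is constructed and the
field names, thresholds and formats are assumptions, not a real tool's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed data classification: which data sets count as "crown jewels".
CLASSIFICATION = {
    "patient_records": "sensitive",
    "billing_ssn": "sensitive",
    "cafeteria_menu": "internal",
}

# Constructed approved access CRs (UTC, ISO-8601):
# (cr, requester, approver, requested_at, approved_at, dataset, valid_until)
GRANTS = [
    ("CR-101", "alice", "bob",  "2020-09-01T09:00:00Z", "2020-09-01T15:30:00Z", "patient_records", "2020-12-31T00:00:00Z"),
    ("CR-102", "carol", "bob",  "2020-09-02T09:00:00Z", "2020-09-02T09:00:20Z", "billing_ssn",     "2020-12-31T00:00:00Z"),
    ("CR-103", "dave",  "bob",  "2020-09-02T09:01:00Z", "2020-09-02T09:01:15Z", "patient_records", "2020-09-10T00:00:00Z"),
    ("CR-104", "erin",  "erin", "2020-09-03T10:00:00Z", "2020-09-03T10:00:05Z", "billing_ssn",     "2020-12-31T00:00:00Z"),
]

# Constructed access log, one read per line (assumed key=value export format).
ACCESS_LOG = """\
2020-09-14T10:02:11Z user=alice dataset=patient_records action=read
2020-09-14T10:05:42Z user=dave dataset=patient_records action=read
2020-09-14T10:07:00Z user=frank dataset=billing_ssn action=read
2020-09-14T10:09:30Z user=frank dataset=cafeteria_menu action=read
2020-09-14T10:11:03Z user=carol dataset=billing_ssn action=read
"""


def ts(s):
    """Parse the UTC timestamp format used in the constructed data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_access_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'when'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"when": ts(when), **fields})
    return events


def has_valid_grant(user, dataset, when, grants=GRANTS):
    """A grant counts only if approved before the read and not yet expired."""
    for _cr, requester, _approver, _req_at, approved_at, ds, valid_until in grants:
        if requester == user and ds == dataset and ts(approved_at) <= when < ts(valid_until):
            return True
    return False


def find_unapproved_sensitive_access(log_text=ACCESS_LOG, grants=GRANTS):
    """Reads of 'sensitive' data with no grant valid at the time of the read.
    Internal data is skipped; expired grants are treated as no grant."""
    findings = []
    for ev in parse_access_log(log_text):
        if CLASSIFICATION.get(ev["dataset"]) != "sensitive":
            continue
        if not has_valid_grant(ev["user"], ev["dataset"], ev["when"], grants):
            findings.append((ev["user"], ev["dataset"], ev["when"].isoformat()))
    return findings


def find_rubber_stamps(grants=GRANTS, fast=timedelta(minutes=5), min_fast=2):
    """Return (self-approved CRs, approvers with >= min_fast approvals faster than `fast`)."""
    self_approved = [cr for cr, requester, approver, *_ in grants if requester == approver]
    fast_by_approver = defaultdict(list)
    for cr, requester, approver, req_at, appr_at, *_ in grants:
        if requester != approver and ts(appr_at) - ts(req_at) <= fast:
            fast_by_approver[approver].append(cr)
    serial = {a: crs for a, crs in fast_by_approver.items() if len(crs) >= min_fast}
    return self_approved, serial


if __name__ == "__main__":
    for user, dataset, when in find_unapproved_sensitive_access():
        print(f"UNAPPROVED {when} {user} read {dataset}")
    self_ok, serial = find_rubber_stamps()
    print("self-approved CRs:", self_ok)
    print("serial fast approvers:", serial)
```

On the constructed data this flags dave (his CR expired four days before the read) and frank (no CR at all), skips frank's read of the internal cafeteria menu, and singles out erin's self-approval and bob's two sub-minute approvals. Feeding it a real export means adjusting the parser and the grant tuple to your ticketing and log schema; the thresholds are tuning knobs, not facts.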

Take a look at the recently discovered data breach at Nebraska Medicine, an organization that already was HIPAA compliant!

via Threatpost.com:

Nebraska Medicine is warning that a rogue, former employee accessed patients’ medical records, Social Security numbers and more.

So, what do you think?

Pah, that's only interesting for the big corporations and municipal services.

Hmh... sorry to break it to you, but no... most data breaches still happen to persons like you and me and to small and medium businesses.

How do you handle "trust" and hopefully "but verify" for yourself or in your organization?

Do you think this is sufficient?

Let me know in the comments!

Cheers!
Lucky
