The press, over the last few years, has been full of news stories reporting the theft or loss of key, sensitive data. All have had a major impact on the brand and the reputation of the organisations concerned.
Many have seen management exposed to potential legal action, fines recorded against the organisation, loss in market confidence and loss in shareholder value as a result of controls not being in place to either detect or prevent a data breach taking place.
The average cost of a data breach has now been calculated at £4.4 million*. New legislation and revised regulatory powers in the area of data protection and information security are now being put in place to address the vulnerabilities, and security weaknesses, highlighted in the data breaches which have taken place.
Alan Greenspan, former Chairman of the US Federal Reserve, said of the recent global banking crisis:
“It’s human nature. Unless somebody can find a way to change human nature then we will have another crisis. This crisis will happen again” (Reuters, September 9, 2009).
The same risk that exposed the banks to the abuse of “human nature” – greed, temptation, opportunity, desire, ability, economic hardship, revenge – also applies to the data held within every organisation today.
Databases are now the main target of cybercriminals and rogue insiders. They know that the key financial information, corporate secrets and intellectual property they are looking for is stored in the enterprise databases of the organisations they are targeting.
Audit Committee Chairmen and Board Directors with Corporate Governance sign-off and responsibility for data security, together with Internal Audit, Risk & Compliance, Data Protection, Financial Crime, Fraud and IT Security, need independent controls in place – separate from the operational side of the organisation – that immediately alert on and report any potentially suspicious behaviour affecting the security structure of their data, or the content of their data, before it has a major impact on the integrity of the organisation.
Cervello Consultants help our clients address the five main weaknesses in database controls:
1) Lack of Privileged User Activity Monitoring
– the verification of the actions of trusted internal staff, and external contractors, who have unfettered access to all areas of an organisation’s data as part of the roles they play within the organisation AND who, by the nature of those roles, have the ability to bypass all areas of security
2) Inadequate Review of Audit Logs
– lack of policies, rules and procedures to provide a continuous review of all activities taking place on an organisation’s data
3) Timely Identification of Anomalous Activity
– immediate alerting and reporting to management of any suspicious activity taking place on an organisation’s databases which could have a potentially detrimental effect on the organisation
4) Managing User Account Entitlements and Terminations
– being able to see how access rights to an organisation’s databases are being added, deleted or changed, since such changes can significantly affect the security of those databases
5) Separation of Duty
– independently derived management information on the activity taking place on the databases, produced away from the IT and security functions of the organisation
* Source: Ponemon Institute / Symantec Data Breach Cost Annual Study, March 2011