
Security Think Tank: Data custodians likely to be top targets of integrity attacks

What types of organisation are likely to be targeted by data integrity breaches and how best can they detect and mitigate against such attacks?

The topic of data breaches is fast becoming top of mind for CISOs and executives. However, the level of exposure and risk will vary depending on the organisation itself, with some being bigger targets than others.

The threat may be influenced by the data these organisations hold or by the nature of how they use it, with top targets likely to be data custodians that hold significant financial information about their customers. Retailers with large customer bases are high risk, and this is exacerbated by the digital marketplace, which means it is often necessary to store payment details.

However, retail customers may choose to make one-off card payments only. In contrast, contractual agreements usually use direct debits or direct bank transfers, so organisations offering contract billing to customers are also targets. Utility providers fall into this category, as they hold a higher-quality dataset on their customers to ensure regular payments are made, and also correlate these consumer details with supply address details. This could also apply to telecommunications providers and internet service providers (ISPs).

A further target pool for data breaches would be known holders of personal details. Banks and local governments or town councils, for example, hold highly accurate financial information as well as significant personal data. However, if personal data is the target for an attack, social media is one of the greatest sources of information.

It is important to recognise the risk, and quantify it appropriately. It is therefore critical to understand the nature of the data the organisation holds and then seek to understand the purpose of keeping it.

Depending on the data held, there may be particular requirements to comply with regulations. The Payment Card Industry Data Security Standard (PCI DSS), for example, mandates particular controls over payment cards, while the European Union’s General Data Protection Regulation (GDPR) requires a particular set of controls on personal data. Where these apply, organisations can follow the guidelines within the frameworks to put in place a coherent response to that risk.

Using these frameworks and regulations as a starting point, organisations can design their own controls to ensure data is kept safe. This will not be a single and simple solution, but may involve multiple strategies employed in combination, such as appropriate entry point checks, access checks, obfuscation, encryption and regular housekeeping of redundant data.

Strategies and policies may then be put in place, but to actually protect the organisation from data leakage threats, these need to be embedded into operational practices and monitored effectively to detect anything suspicious or just out of the ordinary. Each control should be subjected to appropriate testing of both the design and operation.

It is easy to think that most of these controls should be system-embedded, but in most cases the greatest vulnerability is the people performing the tasks. All organisations, but particularly those that are at high risk of data breaches, should focus on enabling their staff to detect threats and understand the risks they introduce. Regular phishing tests are an effective way to remind employees of the ease with which they can be compromised and will help to educate employees accordingly.

However, even with the most stringent control environment, a breach can occur, so it is also important to have incident management processes clearly documented. In today’s market, an organisation’s response to an attack often makes more headlines than the actual breach. Those that are transparent and appear to be genuinely seeking to put in place appropriate customer-focused solutions while understanding the root cause are far more likely to emerge from a data breach with their integrity intact.

Simon Persin is director of Turnkey Consulting.

This was last published in February 2017
