By E.K. Koh, VP of Solutions at NextLabs
There has been a lot of talk about how data breaches are increasing exponentially. The recent NIST Cybersecurity Framework has an entire segment on “Protecting” data.
To be effective against cyber-breach, we all agree that implementing all elements of the NIST framework is the most effective and the best course. Yet, how would you prioritize the implementation of the elements given limited budget and resources?
I would guess that your priority would depend on the company and what you deem are the most critical vulnerabilities. Below are some industry trends that might provide useful guidance for your decisions.
In the 2014 Ponemon Cost of Data Breach Study, 43% cited the “loss of information” as the greatest impact of a cyber-breach.
In a separate study, Ponemon and IBM surveyed C-level executives to discover the leading causes of loss of sensitive data. The findings revealed that the leading causes are:
- Negligent insiders
- Lost or stolen devices
- Insecure 3rd parties (such as partners and contractors)
- Internet and social media
Many enterprises already have disk encryption in place to guard against lost or stolen devices. What enterprises do not have are solutions to protect sensitive data against negligent insiders, insecure 3rd parties, or from being inadvertently shared on the Internet or social media.
While APTs and DoS attacks make headline news, the biggest impact of a cyber-breach incident is loss of sensitive information, probably due to negligent insiders or insecure 3rd parties such as your contractors or partners. While it varies by company, the industry trends would suggest that protecting your sensitive data against unauthorized access should be your highest priority. And we believe that attribute-based access control may be the best bang for the buck to protect against cyber-breach.
What is your vote if you get to pick one technology to implement? Which has the best bang for your buck?