How to determine who’s at fault for a data breach

In addition to preventing data breaches, companies also must make sure they learn from incidents to improve their protection in the future. Part of that requires knowing who or what is to blame for a breach, as George Hillston discusses in this guest post. 

_____________________________________________________________

The number of data breaches has doubled since last year, as reported by the Open Security Foundation, which runs the international DataLoss database. According to the group’s reports, hackers exploiting system vulnerabilities were the most common culprits behind these events, followed by malicious insiders. These types of statistics should act as a warning to business managers to keep their data safe and secure from potential abuse, theft or loss.

Data breaches can occur in many ways:

  • Human error, such as naively opening e-mail attachments or visiting download sites, which opens the door to spyware
  • Theft of personal or company data from a file cabinet left unlocked
  • Data left exposed or discarded in disposal bins, from which it can be removed with ease
  • Improper storage of a flash drive carrying unencrypted files
  • Disclosing information to the wrong person
  • Lack of data destruction services, insecure data protection or inadequate security measures
  • A system glitch or business process failure
  • Lost or stolen devices, and
  • Data that is stored, sent and used without protection and can be exposed to unauthorized parties.

When a security breach occurs, who is at fault? A challenge that many businesses face today is understanding who is to blame for data breaches (human mistakes, system problems/failures, or money-hungry organized criminal groups).

Fingers tend to be pointed at end users, business IT managers, CISOs or hackers. According to a recent study by the Ponemon Institute, a research center dedicated to data protection and the business impact of lost or stolen data, the leading cause of these data breaches has been malicious or criminal attacks (41%), followed by human error (33%) and system glitches (26%).

Many threats have come through malware or hacking where access was gained via backdoors or other means, but employees should also be aware of IT security policies and practices, as humans are often the weakest link in the security chain. Constant advances in technology can also make it hard for IT departments to stay ahead of hackers and therefore, IT teams could be blamed for not properly securing the systems they administer.

Determining who is at fault is not always clear-cut. From a technical point of view, the causes of a data breach could be traced to a particular action performed improperly by an end user, to a security patch not applied or to the unauthorized disclosure of particular information. In order to pinpoint the source of the breach, the network must be continuously monitored and all information exchanged on it logged. Essential security controls and data protection practices (encryption and strong authentication solutions), proper access control lists (ACLs), as well as solutions like intrusion detection systems on data-bearing networked devices can provide fast detection for a CISO investigating the incident.
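The paragraph above lists three kinds of technical root cause (an end-user action, a missing patch, an unauthorized disclosure) and says that finding the one behind a given breach depends on logging. The following script is an added example, not code from the original post or its author: it correlates a few constructed log lines (authentication, patch status, e-mail, anti-virus, IDS, ACL and DLP events, all invented for this illustration, with an obviously placeholder patch identifier) into a timeline and attributes each contributing factor to one of the post's categories. The log format, field names and correlation windows are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "<timestamp> <kind> key=value ...".
SAMPLE_LOGS = """\
2024-03-01T08:02:11 patch host=db01 kb=EXAMPLE-PATCH-ID status=missing
2024-03-01T09:15:42 auth host=ws17 user=jsmith result=success src=10.0.5.23
2024-03-01T09:16:05 email host=ws17 user=jsmith action=open_attachment file=invoice.zip
2024-03-01T09:16:30 av host=ws17 user=jsmith alert=trojan file=invoice.zip
2024-03-01T09:40:12 ids host=db01 alert=exploit_attempt src=10.0.5.23 dst=db01
2024-03-01T09:41:00 acl host=db01 user=jsmith resource=customers.db result=allow
2024-03-01T10:05:00 dlp host=db01 user=jsmith action=upload bytes=52000000 dst=external
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")


def parse_logs(text):
    """Parse the assumed log format into a list of event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the review
        event = {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind")}
        event.update(kv.split("=", 1) for kv in m.group("rest").split())
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def attribute_breach(events, window=timedelta(minutes=30)):
    """Map each contributing factor to a category from the post, with its evidence.

    Returns {category: [(timestamp, explanation), ...]} for categories that fired.
    """
    findings = {"human error": [], "system failure": [],
                "compromised credentials": [], "unauthorized disclosure": []}
    for i, e in enumerate(events):
        later_events = events[i + 1:]
        # Human error: a user opened an attachment and AV flagged that file on the same host soon after.
        if e["kind"] == "email" and e.get("action") == "open_attachment":
            for later in later_events:
                if later["ts"] - e["ts"] > window:
                    break
                if (later["kind"] == "av" and later.get("host") == e.get("host")
                        and later.get("file") == e.get("file")):
                    findings["human error"].append(
                        (e["ts"], f"{e['user']} opened {e['file']} on {e['host']}; AV alert: {later['alert']}"))
        # System failure: a host recorded as missing a patch was later the target of an IDS alert.
        if e["kind"] == "patch" and e.get("status") == "missing":
            for later in later_events:
                if later["kind"] == "ids" and later.get("dst") == e.get("host"):
                    findings["system failure"].append(
                        (e["ts"], f"{e['host']} was missing {e['kb']} before IDS alert {later['alert']}"))
        # Compromised credentials: a successful login from a source address that later appears in an IDS alert.
        if e["kind"] == "auth" and e.get("result") == "success":
            for later in later_events:
                if later["ts"] - e["ts"] > window:
                    break
                if later["kind"] == "ids" and later.get("src") == e.get("src"):
                    findings["compromised credentials"].append(
                        (e["ts"], f"{e['user']} session from {e['src']} later seen in IDS alert on {later['dst']}"))
        # Unauthorized disclosure: DLP saw data leave to an external destination.
        if e["kind"] == "dlp" and e.get("dst") == "external":
            findings["unauthorized disclosure"].append(
                (e["ts"], f"{e['user']} uploaded {e['bytes']} bytes from {e['host']} externally"))
    return {k: v for k, v in findings.items() if v}


def root_cause(findings):
    """Return the category whose earliest piece of evidence comes first in the timeline."""
    return min(findings, key=lambda k: min(ts for ts, _ in findings[k]))


if __name__ == "__main__":
    result = attribute_breach(parse_logs(SAMPLE_LOGS))
    for category, evidence in result.items():
        for ts, why in evidence:
            print(f"{ts.isoformat()}  {category:25s}  {why}")
    print("earliest contributing factor:", root_cause(result))
```

The point of the correlation is that no single log source settles the blame: the same incident shows a user mistake, an unpatched server, a credential misused from the user's workstation and a DLP-visible exfiltration, and the investigator has to decide which of those the organization could realistically have prevented first.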

In reality, however, others can also be blamed in such incidents. IT managers and CISOs are ultimately responsible from a data access and IT compliance standpoint. They are responsible for data assurance and information security using the following three processes: prevention, detection and response. They are also responsible for creating data breach and assurance policies in direct response to the business's policies on the use of data.

Company business owners and managers in charge of departments where sensitive data is used and exchanged are also directly responsible. They need to work with their IT managers to convey what data needs to be protected and which employees can have rights to use this information. They need to be more conscientious about preventing data breaches and ensure that security training and awareness become standards in their office.

Managing data security risks and preventing future breaches is an ongoing process. As no organization is ever completely safe from a data breach, it is paramount to strengthen the information security process by applying the needed security tools and controls (passwords and firewalls to prevent data exfiltration) across the organization. It is also important that, in addition to technical measures, managers establish clear policies on the use of and access to data. Without these safeguards in place, a security breach could result in financial and reputational loss.

About the author: George Hillston is a former IT consultant for many mid-to-enterprise level businesses. He also likes to blog about business technology in his spare time. Check out the Shred-it Blog to find more information security tips.