As breaches dominate the headlines, it’s more important than ever for organizations to pursue a data-driven security strategy.
Has your organization had a major data breach?
If not – congratulations! Data breaches have been on the rise for years. In its 2019-2020 annual report to Parliament, the Office of the Privacy Commissioner (OPC) of Canada reported receiving 678 breach reports under the Personal Information Protection and Electronic Documents Act (PIPEDA), affecting an estimated 30 million Canadian accounts. In this era of remote work, Canadian IT leaders point to IT security as a top priority, and 72% of organizations are accelerating their digital transformation plans to accommodate long-term work from home (WFH).
Assessing risk, not security
While security assessments are important, on their own they provide too little information to build a security strategy on. Rather than basing your strategy solely on the findings of your security assessments, also conduct a risk assessment that takes a more holistic view of the entire organization and its IT infrastructure before deciding on a security posture.
Assessments can help explain why a breach occurred and point to areas where your organization’s security may be lacking – valuable information, indeed. However, they do not adequately assess the risks involved in a data breach. For example, a breach that exposes the financial and personal information of your entire customer base would be far more damaging than a breach resulting from corporate espionage, such as an attempt to steal the plans for a new product.
A risk assessment allows organizations to classify their information – both critical and non-critical. It should include a quantitative analysis of this data, which places a value on each type of information and estimates what would happen if that data were breached. In this light, a risk assessment should be complementary to a security assessment.
Protecting what’s important
An approach focused on assessing risk first has several benefits. First, it lets organizations tailor their security solution to their unique needs, without spending more than they must. Most vendors offer a one-size-fits-all package (or tiered packages, with more features available the more you are willing to spend) that provides equal protection across your entire network. Conducting a risk assessment, however, allows an organization to understand both where it might be vulnerable and which information is most valuable, so that it can choose the security solution that best suits its needs.
Second, a risk assessment is the best means of protecting your critical business information. Without knowing which information is valuable and which is not, IT admins must defend the entire network equally, all the time – a very tall task indeed. By identifying the value of information, organizations can shift resources to the defense of the most important data, so that even if they do become the victim of a data breach, their critical information remains safe.
Finally, this approach is significantly more holistic in scope than a security assessment. The larger the organization, the greater the risk. I recommend that all organizations bring in an outside partner to conduct the risk assessment, rather than doing it themselves. Individual departments generally don’t have the infrastructure to quantify risk, and organization-wide efforts can often get bogged down in internal politics. An objective, outside view is necessary to understand the big picture and how best to protect your organization from external threats through a data-driven security strategy.