An employee skims his email box.
In his junk mail folder is a subject line that seems out of place. The title says “2011 Recruitment Plan.”
He opens the attached Excel file. It doesn’t seem interesting, so he closes it and goes on his way.
In the meantime, the Excel file, which contains a Trojan, takes advantage of a vulnerability in Adobe Flash to install a backdoor. From there an attacker takes control of the computer and starts to look around and traverse the network.
This is how the RSA breach of 2011 happened, arguably one of the most impactful compromises of crown jewels data the world had seen at that point. Because the breach reportedly involved IP critical to the effectiveness of RSA’s SecurID tokens, the company was forced to replace more than 40 million tokens. In the meantime, its customers were left vulnerable to attackers who could exploit multi-factor authentication systems that had been stripped of their effectiveness. Simply put, hackers stole from RSA the secret sauce that its flagship SecurID product depended on.
Breach Prevention is a Myth
Fast forward to 2017 and breaches are only causing more damage. All sorts of data are in the wind, including transaction data, personal identity information, health records, even confidential business plans. These security incidents have taught us an important lesson: Breach prevention is a myth. The rise of new techniques such as ransomware demonstrates that attackers have the upper hand and organizations are left to be reactive.
The reaction for most organizations is to redouble efforts, increase spending, and double down on IT audits and control frameworks. Fearful executives make reactive moves, buy “miracle cure” software packages, or delegate responsibilities for security to anyone who will take them. It’s not that these moves won’t help secure an enterprise, because they may. But this approach is not an efficient way to build sustainable security at an organization.
Reducing Data Breach Impact
Compliance and control frameworks are great in concept. Check these boxes and you are free from worry or risk. Except it’s never been that simple. Compliance doesn’t ensure breach prevention. It doesn’t ensure detection, or response, and it certainly doesn’t reduce the impact of a breach by itself. The only thing compliance guarantees is compliance.
Let’s revisit the RSA breach – what if all the attackers could get was an encrypted blob of data, useless without a key? Or if in the Target breach, the attackers only stole partial credit card numbers, worthless on the black market? These are still breaches, but the impact is blunted, probably not even rising to the level of breach reporting in some cases. But most organizations lack a strong knowledge of what constitutes their data crown jewels, where they are stored, how they traverse the network, how they move in and out of the public cloud, who touches them, and when they leave the protection of the organization to a third-party vendor. In some organizations, there isn’t even clear responsibility for who owns the crown jewels data. Without this information, a control-oriented security process is like trying to nail Jell-O to a wall. A heavy detection posture lets the organization know that the breach has occurred and what data has been stolen, but it won’t reduce the impact of the breach either.
Most traditional control or compliance audits pay only cursory attention to data. Sometimes organizations are forced into a data mapping exercise to demonstrate compliance with a directive like GDPR. But at the end of the day, if you can’t answer the important questions about your crown jewels data, your efforts go toward a losing cause. By taking a crown-jewels-first approach, identification informs security strategy, not the other way around. Preventing the breach is no longer the objective – instead, you reduce the possible impact of a breach so it becomes a non-event. If you are using audits to measure compliance, you should carefully consider shifting some budget to a crown jewels assessment, so your security program can get right-sized and center on the data that matters.
From the Server Room to the Boardroom
Enter the Board of Directors. The constant stream of news reports about breaches has Boards of Directors on edge. In many cases, these Board members do not have extensive security experience but will absolutely hold their executives accountable should something happen. Our Cyber Balance Sheet Report shows a massive disconnect between boards and management when it comes to confidence that security issues are under control.
But certainly, executive management can demonstrate leadership by keeping a close inventory of crown jewels data and showing the Board how they are being protected. When a Board can see that all critical data has been accounted for and protected, and that progress is being made on plan, trust is built. The value of trust when it comes time to discuss investments in security is the difference between success and failure.
Conducting a Crown Jewels Assessment
At Focal Point, crown jewels have always been a point of emphasis. To that end, we have created a special assessment that will scour an organization for crown jewels data and assess the security posture around those assets. If requested, we can also perform a threat assessment to help design an optimal use of security resources to minimize risk. In many cases, these assessments will uncover wasteful security spending that does little to minimize real-world risk, freeing up resources to provide better protections to crown jewels (and cover the cost of the assessment itself).
As a security leader, going with a crown jewels assessment over a traditional IT audit will give you a leg up with leadership.
- You’ll be able to pitch a better and more resilient business instead of more compliance remediation
- You’ll be able to demonstrate a long-term reduction in compliance costs
- You’ll be able to find security program cost savings
- And you’ll have management’s trust when it comes to funding the right security initiatives
Focal Point has experts standing by to discuss how to get started focusing on your crown jewels.