Over 90 percent of data breaches in the first half of 2014 could have been prevented if businesses had rethought their cybersecurity risk strategies, according to the Online Trust Alliance.
The Online Trust Alliance (OTA), a non-profit focused on enhancing online trust and helping businesses with best practices and risk assessment, released its 2015 Data Protection Best Practices and Risk Assessment Guides on Wednesday. The organization says that between January and June last year, only 40 percent of data breaches involving the loss of personally identifiable information (PII) were caused by external intrusions, while 29 percent were caused, either accidentally or maliciously, by employees.
OTA says a lack of internal controls, lost or stolen devices and documents, and social engineering and fraud were to blame for almost 30 percent of the data loss incidents suffered by businesses.
In OTA's Risk Assessment Guide, the organization lists questions that IT decision makers must ask themselves if they are to assess how their business practices stand up to cyberthreats. A modern business has to ask not only whether its own security practices are up to scratch, but also whether third-party vendors, such as those in the supply chain or providing outsourced IT services, pose a threat to its security.
Some of the questions corporations need to ask themselves are detailed below:
Do you understand the international and local regulatory requirements and privacy directives that apply specifically to your business, based on where the customer or consumer resides?
Do you know the specific data attributes you maintain for all customers? How and where is this data stored, maintained, transferred and archived (including data your vendors and third-party/cloud service providers store or process)?
Are you prepared to communicate to employees, customers, stockholders, and the media during a data loss incident?
Do you understand the security, privacy and notification practices of your vendors?
Do you have a data breach response vendor with experts on call to assist with determining the root cause of a breach, identifying its scope, and collecting threat intelligence, including all data potentially impacted by the incident?
After analyzing over a thousand breaches involving PII, the non-profit has put together 12 'critical' security practices in another guide that companies should follow in order to lessen the risk of a cyberattack, as well as to minimize potential damage in a threat landscape that is becoming more dangerous by the year. OTA says that if the practices listed below had been adhered to, the 2014 hacking of celebrity photos and the data breaches suffered by major US retailers such as Target may not have occurred.
In summary, OTA recommends that the enterprise:
Enforce effective password management policies.
Keep all user accounts at the lowest privilege and access level possible.
Shore up client devices by deploying multilayered firewall protection and anti-virus software, and make sure default local file shares are disabled.
Conduct regular penetration tests and vulnerability scans.
Require email authentication on all inbound and outbound mail.
Implement a mobile device management system.
Monitor company network infrastructure in real time.
Deploy web application firewalls to detect and prevent common Web attacks.
Permit only authorized devices to connect to wireless networks.
Implement Always-On Secure Sockets Layer (AOSSL) protection for servers.
Frequently review server certificates.
Develop, test and refine a data breach response plan.
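The Always-On SSL item in the list above is the one most often misread as "put TLS on the login page". The following nginx fragment is an added example, not taken from the OTA guides: it places the weak, partial-TLS layout next to an always-on configuration. The site name example.com and the certificate paths are placeholders.

```nginx
# Weak pattern: TLS only on the "sensitive" path, everything else in the clear.
# Session cookies, forms and scripts on the plaintext pages are exposed to any
# on-path attacker, so the login-page TLS buys very little.
server {
    listen 80;
    server_name example.com;
    root /var/www/example;

    location /login {
        return 301 https://example.com$request_uri;
    }
    # all other locations are served over plain HTTP
}

# Always-On SSL: the port-80 listener exists only to redirect, every response
# is served over TLS, and HSTS tells returning browsers never to try HTTP again.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example;

    # placeholder paths; use the full chain so clients can build a trust path
    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # HSTS: one year, including subdomains, sent on every response
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

Two checks belong with this configuration. First, the application must mark its session cookies `Secure`, otherwise a single HTTP link (an old bookmark, an image hotlinked from another site) still leaks the session before the redirect fires. Second, the "review server certificates" item in the list applies directly to the paths above: the certificate's expiry, subject names and issuing chain should be checked on a schedule, not discovered when browsers start refusing the site.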
Craig Spiezle, Executive Director and President of OTA, commented:
"Businesses are overwhelmed with the increasing risks and threats, yet all too often fail to adopt security basics. Releasing the Guides and best practices in advance of Data Privacy Day will provide businesses with actionable advice. When combined with other controls, these can help prevent, detect, contain and remediate data breaches."
The OTA's guides are due to be presented at three upcoming OTA Town Halls in Silicon Valley, New York and Washington DC, where executives and leaders from groups ranging from the FBI to PayPal and Twitter will be present.