Any security software company touting protection against data theft always has some amazing ROI to show how much a potential buyer will save. But what is the real cost? Insurance underwriter Darwin has a specialty insurance product - Tech//404 - that addresses "the technology and information risks of providers and technology-dependent organizations." This specialty policy protects against exposure in the areas of network security, data privacy, compliance, and more, all revolving around data loss.
As part of their value proposition, they have built a data loss calculator using the number of records as the basis for calculation. I used the smallest number yielding results, 1000 records, and found the results to be surprising as to the amount of loss, and impressive with regard to Tech//404's attention to the detail of a loss.

Just 1000 records yield an average loss of over $166K, or $166 per record! Forrester Research did a survey of 28 companies and found the cost per record to span from $90 to $305 per record! So what is an organization to do? First, let's discuss where security breaches typically occur in an organization:
- Lenient permissions to resources
- Unmanaged group memberships providing access
- Convenient access to writeable and removable data media (USB, CD-R, etc.)
- Insecure endpoints open to external malicious attack
To protect against these points of security failure, you will need a good security plan. I look at security as three basic processes:
- Assess - Determine the state of your security: see who has access to what resources, who has membership in groups with access, what resources are exposed to "everyone", determine which endpoints provide access to steal data (via USB, CD/DVD burners, bluetooth, FireWire, etc), and determine the security of endpoint OSes from malicious attack.
- Assign - Based on your assessment, establish appropriate levels of security: Lock down permissions to resources, restrict group memberships, eliminate access to "Everyone" and "guest" groups and users, lock down endpoint devices and protect endpoints from malicious code with antivirus, antispyware and antiphishing solutions.
- Audit - Watch (or at least be alerted to) the activity on sensitive systems. This includes auditing the usage of sensitive data, the management of group memberships, management of resource permissions, auditing access to removable storage, and monitoring the state of your patching and virus/spyware/phishing scanning efforts.
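The three steps above map directly onto what a Windows administrator can do with the standard `Get-Acl` / `Set-Acl` cmdlets. The following PowerShell script is an added example written for this post, not code from the original article or from any ScriptLogic product: it assesses a share tree for "Everyone", guest and anonymous ACEs that grant write-class rights, optionally removes the non-inherited ones (Assign), and optionally adds a SACL so that writes and permission changes on the tree are logged (Audit). The share root `D:\Shares` and the switch names are assumptions; it must be run elevated on the file server.

```powershell
# Added example for the "Assess, Assign, Audit" lifecycle; not part of the original post.
# Assumptions: run as an administrator on the file server; $Root is a placeholder path.
param(
    [string]$Root = 'D:\Shares',   # assumed share root, adjust to your environment
    [switch]$Remediate,            # Assign: strip broad, non-inherited write ACEs
    [switch]$EnableAudit           # Audit: add a SACL for writes and permission changes
)

# Principals the post calls out: "Everyone", guests and anonymous callers.
# The regex matches the IdentityReference text as Get-Acl reports it.
$broadPrincipals = '^(Everyone|BUILTIN\\Guests|NT AUTHORITY\\ANONYMOUS LOGON|.*\\Guest)$'

# Rights that let the holder change data or the permissions that protect it.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write,Modify,FullControl,Delete,ChangePermissions,TakeOwnership'

function Get-BroadWriteAce {
    # ASSESS: return one record per Allow ACE on $Path that gives a broad principal write-class rights.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $isBroad     = $ace.IdentityReference.Value -match $broadPrincipals
        $grantsWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $grantsWrite) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent
            }
        }
    }
}

# Walk the root and every directory beneath it.
$targets  = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($dir in $targets) { Get-BroadWriteAce -Path $dir.FullName }

Write-Host "Assess: $(@($findings).Count) broad write ACE(s) found under $Root"
$findings | Format-Table -AutoSize

if ($Remediate) {
    # ASSIGN: remove the offending explicit ACEs. Inherited entries are reported only,
    # because they originate from a parent folder and must be removed there.
    foreach ($f in @($findings | Where-Object { -not $_.Inherited })) {
        $acl = Get-Acl -LiteralPath $f.Path
        $toRemove = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $f.Identity -and
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow'
        })
        foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -LiteralPath $f.Path -AclObject $acl
        Write-Host "Assign: removed '$($f.Identity)' write access from $($f.Path)"
    }
}

if ($EnableAudit) {
    # AUDIT: a SACL entry for 'Everyone' here means "audit all users", it grants no access.
    # Events surface in the Security log (e.g. 4663 object access) once the
    # "Audit object access" / "Audit File System" policy is enabled.
    $auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership',
        'ContainerInherit,ObjectInherit',
        'None',
        'Success,Failure')
    $acl = Get-Acl -LiteralPath $Root -Audit
    $acl.AddAuditRule($auditRule)
    Set-Acl -LiteralPath $Root -AclObject $acl
    Write-Host "Audit: SACL for writes and permission changes applied to $Root"
}
```

Run it once with no switches to get the assessment report, review the inherited findings at their source folders, then rerun with `-Remediate` and `-EnableAudit`. Writing a SACL requires the "Manage auditing and security log" privilege, and the entries only produce events after the audit policy is turned on, so check the Security log after the first write to the share to confirm the Audit step is actually working.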
One of the many value propositions we make at ScriptLogic is the protection against data theft. Following the security lifecycle of "Assess, Assign, Audit", our solutions help in the areas of:
Assessment:
- Active Directory - Active Administrator searches for permissions in AD to determine who can make changes that affect access to data, such as the ability to change passwords or modify group memberships.
- Windows File Servers - Security Explorer searches for inappropriate permissions on NTFS volumes. Enterprise Security Reporter reports on groups, and their membership, that have been granted permissions on NTFS volumes.
- Windows Clients - Desktop Authority scans managed systems for the latest patches and the presence of spyware.
Assignment:
Auditing:
- Active Directory - Active Administrator centrally audits the management of AD, making IT aware of changes as they occur.
- Windows File Servers - Enterprise Security Reporter reports on security changes using its "Delta Reporting" capability, making you aware of inappropriate modifications to security.
- Windows Clients - Desktop Authority audits access to endpoint devices, informing IT of inappropriate activities.
In the world of Microsoft Windows it is possible to proactively protect your network from data loss by establishing a simple security plan of "Assess, Assign, Audit" and using the right solutions to put that plan comprehensively into action.