“An organization’s size plays a vital role in determining the type of crime that it’s likely to face”
Bryan Sartin, Director, Investigative Response, Verizon, co-author of the DBIR series, talked to Jasmine Desai about the impact of security attacks on Indian enterprises and the security measures that could be considered in order to prevent such breaches.
When a security breach occurs, how much should an organization reveal?
Revelation of information has to occur on different levels. Firstly, you give out information due to your responsibility to customers, employees, etc. An organization has to check the legal definition of disclosure as jurisdiction varies from country to country and, accordingly, the ways in which information should be disclosed legally also vary.
How do organizations deal with breaches occurring due to BYOD?
Regarding mobile devices and BYOD, CIOs across the world are facing the need to trade off security against convenience. CIOs and CISOs are in a fix as they cannot say no to these devices and there is no good way to support them either. Generally, Identity Access Management (IAM) can be a good solution. For tablets and smartphones, SSL-based VPNs give greater control. They help in keeping track of who gets access to what and when. Cloud computing and virtualization bring their own set of problems when it comes to mobile devices.
Does the use of virtualization lead to an additional threat vector such as malicious code that can be transmitted from VM to hypervisor or VM to VM?
There are not many examples of threats in a virtualized environment. What companies are doing is to create separate virtual machines with a security and management structure around each. Creating such islands in a virtualized infrastructure is an effective security strategy for virtualized environments.
What can organizations do to reduce complexities in a security setup?
One needs to ask which complexities are the ones that pose major problems. The greatest deficiency today in any organization exists in the area of instantaneous protection. Breaches do not play out in minutes or seconds. They go on for months on end. 96% of the time, these breaches are pointed out by third parties and the answer is right there in the log files, which haven’t been seen by the in-house staff.
We keep on bringing this up in DBIR every year. Perhaps organizations are fighting modern-era electronic crime with outdated tools. In nine out of ten cases, the answer is right there in the logs. The fundamental problem is that people have too many logs in the first place.
How does a breach in a small organization play out as opposed to one in a large company?
Hacktivism and financially motivated crimes are increasingly targeted at smaller organizations. We have sufficient data on the table to define hacktivism or cyber espionage. Although it is not as common as people think, it does exist. The size of an organization plays an important role in determining the type of crime that it is likely to face. All hacktivism victims have a thousand employees or more while most financially motivated crimes are targeted towards organizations with 10-100 employees.
In what way can a company avoid security breaches?
It is vital to have a legal framework according to which, in case of a data breach, the third-party provider should undergo an investigation. E.g., if a retailer has a POS operated by a third-party vendor, it could be that the network through which the vendor connects to the provider is infected and this leads to a breach at the retailer’s end. While investigating the issue, the POS vendor must also undergo an investigation. For this, a legal framework is necessary along with the policies and processes that will help create a dividing line that clearly states the responsibility of the retailer from a security angle and the supplying vendor.