Is there a relationship between organization policies and data breaches?
There is a strong correlation between organization policies and data breaches. Here we consider the three most common causes and how corresponding organization policies, if well-implemented, can reduce the attack surface and prevent data breaches.
Spoiler alert - yes, they are very much related. Organizations that do not follow and enforce a well-documented set of security policies and business procedures are susceptible to data breaches. Let’s consider the three most common causes and how corresponding organization policies, if well implemented, can reduce the attack surface and prevent data breaches.
Compromised Credentials
Most of the breaches are caused due to weak, multiple and stolen passwords. Access Control Policies (ACP) and Acceptable Use Policies (AUP) can enforce complex, rotating passwords and access only from registered devices. However, overly restrictive, static policies can become counterproductive and open up avenues for data breach. Adaptive access control policies that can learn and adapt to user behavior and deny access or prompt for additional authentication factors as needed can improve user experience without compromising security. In addition, Compliance Policies mandating frequent security awareness training can prevent some of the main causes of compromised credentials - phishing, social engineering and credential reuse.
Backdoor Attack
Improper configurations to systems like firewalls, VPN, web, database servers and application vulnerabilities like SQL Injection and Local File Inclusion contribute to this attack. Info-security policies can mandate use of robust security vulnerability tools for continuous configuration and patch monitoring, detection and prevention of unsanctioned software (Shadow IT), use of secure development practices and conduct occasional penetration and vulnerability assessments.
Insider Threat
A disgruntled employee or contractor is the worst of the nightmares that organizations can face. A combination of HR, Access Control and Regulatory Compliance policies that define how users are to be on/off boarded, what access privileges they are entitled to and how malicious behavior is continuously monitored, can to some extent prevent insider threats.
Though employees are ultimately responsible and obligated to follow organizational policies, a layered, defense-in-depth approach to security with various controls and procedures defined to mitigate security threats will allow organizations to be proactive in a constantly evolving threat landscape.
This post originally appeared in a Quora Q&A session hosted in January 2020. Our CPO Archit Lohokare was asked to discuss the state of cybersecurity, Zero Trust, artificial technology and machine learning and working in the security field, among other things. Stay tuned as we share more of his answers in our blog!
Archit Lohokare
Archit Lohokare is Chief Product Officer at Idaptive, where he is responsible for product strategy, driving innovation, and bringing new products and services to market. He transitioned over to Idaptive as it was spun-out from Centrify, where—as Vice President of Product Management—he led the Identity-as-a-Service (IDaaS) and Unified Endpoint Management product portfolio. Prior to Centrify, Archit was Vice President of Products at Optymyze, where he led the product management team responsible for the company’s Sales Performance Management and Sales Platform-as-a-Service SaaS and PaaS solutions, securing a Leadership position in the first Gartner Magic Quadrant report on Sales Performance Management along the way.
Earlier in his career, Archit led Symantec's Cloud Information Protection Security-as-a-Service offering, and IBM's Access Management product line, comprised of Web Access Management, Identity Federation, Enterprise Single Sign-On, and Risk-based Access and Entitlements Management products. Archit joined IBM through the acquisition of Encentuate, a leading Bay Area start-up in the security software space; as an early employee, he had the opportunity to contribute to its successful exit.
Archit has an MBA from UC Berkeley-Haas School of Business, and a bachelor’s degree in Computer Engineering from NTU, Singapore, where he was awarded the SIA-NOL undergraduate scholarship by the Ministry of Education, Singapore.
Archit is an avid history buff, enjoys reading in his spare time and running breathlessly after his one-year-old, hyperactive son.
CHAMELEON-LIKE SUPERPOWER
If Archit could have any Chameleon-like superpower, it would be the ability to change colors quickly and adapt. “Actually, it would be like the ability of our IAM solutions to adapt instantaneously to a customer’s environment and user behavior. Anomalous user access? A snap! Presto, change-o – like a chameleon from green to red in an instant, adapt to the change in user behavior and request user to assure their identities using multi-factor authentication...”