How GRC Can Prevent Breaches Like Skype's and Snapchat's

By Larry Slobodzian

Recently, Skype and Snapchat were hit with massive security breaches that exposed millions of users information. Unfortunately, similar hacks are in the news almost daily it seems, but the discussion often centers on response to the breach, rather than prevention. Experts talk about forensics, intrusion detection/prevention, and solving the specific cause of the breach, but we should be taking a more proactive approach to prevent the next one. 

To do so, organizations should look holistically at their programs and processes to ensure that theyre up-to-date and comprehensive, starting with a governance, risk and compliance (GRC) strategy. Surprisingly, many organizations both large and small do not have mature GRC programs. While regulations and standards such as Sarbanes Oxley and PCI-DSS have required programs, the initiatives often exist as a microcosm within the organization, focusing on minimum requirements. 

A mature GRC program should address relevant regulations and risks, and regularly monitor each process relating to security and compliance in order to take a proactive security stance. Dedicating one program and one team to oversee GRC ensures that every department is maintaining the same high standards, collaboration takes place among teams and gaps are visible and easily fixable. The GRC program dictates and maintains the policies based on governance and compliance requirements, best practices and risk assessment. These policies would establish processes, procedures, standards and guidelines that are implemented within each division, department, and function team. The GRC program then establishes reporting requirements, key performance indicators (KPIs) and key risk indicators (KRIs) that they use to monitor the program’s progress.

Below are the most likely causes of data breaches and how an enterprise GRC program can mitigate them:

1) People: Many data breaches are caused by social engineering, compromised passwords, inadvertent exposure and malicious intent. In fact, the 2013 Verizon Data Breach Investigations Report found that social tactics cause roughly 29 percent of all attacks. A GRC program sets the policy for employee behavior and ensures that processes are adhered to and employees are educated. It should also perform ongoing risk assessments and audits to expose gaps and identify new risks to address.

2) Vulnerable Software: Software that is not configured correctly and updated regularly may allow malware and hackers to gain access to sensitive data. Security tools that scan and manage software vulnerabilities often require a combination of functional teams and create data silos, making it difficult to enforce and track efforts to manage software vulnerabilities. A GRC program sets the expectations for identifying software vulnerabilities across the enterprise and can provide a single view to the current risk, trends, and process performance.

3) Unencrypted Data: It may not always be possible to prevent a committed and resourceful hacker from compromising a system. But if they find a way in, they can be thwarted from breaching sensitive data by ensuring that sensitive data is encrypted both in transit and in storage. A GRC program establishes policies for classifying data that needs to be encrypted, as well as methods of encryption and managing encryption keys. By supervising the people responsible for managing sensitive data, continuously monitoring the risk picture and performing regular audits, the GRC leadership team can ensure that sensitive data is protected throughout the enterprise.

4) Port and Service Vulnerabilities: Open ports and services have allowed hackers to compromise systems even when the software is properly configured and updated. Again, detecting and mitigating these vulnerabilities often requires a combination of tools and people that makes efforts difficult to manage. A GRC program consolidates the policy enforcement and monitoring of these efforts and oversees the risk assessment and audit processes.

5) Vendors: The four causes of data breach above are compounded as vendors are allowed to access sensitive data. A GRC program enforces the same standards for vendors that exist internally for sensitive data. This is accomplished through policies and standards for vendor contracts, as well as a process for regular assessment and/or audit of vendors. 

Data breaches are a growing threat with increasing costs and risks. We can no longer assume that they only affect other organizations, as every enterprise is at risk of a major data breach. Companies should take a proactive, holistic approach to security and compliance by commissioning a strong GRC program that can enforce and measure efforts within every functional team.

Larry Slobodzian is a senior solutions engineer for LockPath, supporting the sales and implementation of GRC solutions. He also is an adjunct professor of information systems at Baker University as well as a veteran Marine, making him the most dangerous Dr. Who fan in the security industry.