2021 was tough, and not just in terms of cyber security. The pandemic has forced companies to put entire workforces into remote working mode. This has presented IT teams everywhere with major operational challenges.
The degree of uncertainty is significant, but it is manageable from a data management perspective – provided a little planning is done. It’s a bit like trying to train a specific muscle. in this case, a muscle capable of improving privacy policies across the organization. Even if we say today that basically every company is a software company, data is still the real driving force.
Operations With Data
Consequently, one of the overriding priorities must be to mitigate or eliminate risks affecting operations involving data.
The first step is to take an accurate inventory of the data elements that are collected and used as part of business processes.
Poorly protected data may contain just the kind of information that is most valuable for an attacker to get to their target. When one is in the process of taking a full inventory of one’s data, it’s equally important to identify the points at which data is created, modified, and consumed. These points can be people or processes, and in all likelihood include third-party systems. At this point at the latest, security teams start to think in terms of threat models and risk profiles. But that preempts the process a bit. At this stage, the goal is simply to understand the flow of information in the organization and how it is managed.
Data management then specifies the next questions. For example, a frequently asked question is who can see a customer record and what information is displayed. The much more interesting question, however, is why a specific person in a specific role can see exactly the data they see – and moreover, whether they have permission to change that data.
Such business arrangements around data operations are often based on decisions made years ago, often under completely different business assumptions and conditions than the current ones. Nevertheless, these assumptions are fixed points. At the same time, the business climate is developing dynamically. Decreasing business risk requires a basic understanding of exactly how past decisions affect what is expected of current processes and software.
Software Patch Management
Putting this in a different context, every IT organization recognizes that software patch management is a fundamental part of effective cybersecurity practice. Virtually all modern software contains open source components. It is important to develop an understanding of where in the company open source software is used and then to consider this within the patch management strategy. Data is an asset to the same extent as software or physical assets – the data must be managed accordingly.
Just as you can’t patch software you don’t even know you’re using, you can’t protect data you don’t even know you’re using. Modern business practices are increasingly dependent on third parties and their services – in one form or another. As a result, failures at a service provider often have a disproportionate impact on ongoing operations.
Data Mapping Models Combined With Threat Models
The degree of automation in development teams and within the entire IT also increases the potential for access that is too far-reaching, which in turn increases the potential extent of damage in the event of a cyber security incident. However, by using data mapping models in combination with threat models, organizations are better able to focus their cybersecurity efforts and related investments on the areas where the impact of an incident is likely to be most severe.
