How to Execute Your Data Security Risk Assessment

Originally published by New Context.

It may seem counterintuitive, but a data security risk assessment is really about reviewing an organization’s assets from the attacker’s perspective. Most people within the organization are a bit too close to it to get into this mindset. The best risk assessments come from the outside because only a third party can look at a business’s data in the same way a hostile actor would—by seeking out exploitable gaps.

That’s not to say that internal assessments should never take place. Instead, they should occur frequently, on a continuous basis if possible. This strategy ensures that security grows as the organization does, and it allows analysts to make decisions based on current threats, rather than historical ones. Any data security risk assessment should be modeled off the same kind of assessment that a professional third-party provider would offer.

The Three Stages of the Data Security Risk Assessment

An organization’s data security needs are vast and difficult to categorize. Companies can establish their data security risk assessment by looking at three critical stages so they can build a timeline and decide on priorities. These stages are:

While these stages may appear to be linear, there’s always room for improvement. As a result, a cyclical approach can work well. This approach rolls out solutions and identifies and assesses the effects. Lather, rinse, repeat. This continuous approach ensures risk management is always up-to-date.

Threats are ever-evolving. There were 3.2 billion reported malware cases in the first half of 2020, and many of those were unique, never-before-seen threats. Additionally, IoT attacks are on the rise as bad actors discover the potential in unsecured networks. Every new piece of technology or software comes with a new threat vector.

As threats are continually changing, risk assessments remain in a state of flux where programs need to respond at the drop of a hat. Solutions to these security issues must be flexible and consistent in managing an array of risks.

Tips and Tools for Improving Assessments

The key to a data security risk assessment is not completing one at a single place or time, but instead, creating a system that provides risk assessments on a near-continuous basis. After all, bad actors access a system every 39 seconds—they don’t wait to attack once a year when the annual risk assessment occurs. The ability to stay on top of these threats requires proactive security that works as threats change and emerge. The most important features of dynamic, effective risk assessments are:

• Attribution: Attribution is a method of tracking and identifying the bad actors who cause cyber attacks in the first place. Analyzing forensic evidence and historical records can help to discover not just the methods of cyber-attackers, but the motive behind them. Once an organization understands why data is accessed, they’ll be better prepared to defend against attacks.
   
• Auditability: Auditability centers on making all data access observable. That includes the monitoring of the entries and exits of customers and employees. Through detailed surveillance, security professionals understand what normal behavior is and can establish parameters for what qualifies as abnormal.
   
• Data lineage: Sometimes called data provenance, this is a method of tracking data from its creation and monitoring how it changes and moves over time. Data changes are an often overlooked problem that requires careful consideration. Consider the vast emergence of ransomware, where data is encrypted and changed by bad actors in exchange for a ransom. Monitoring changes creates an audit trail in the event of an error or malicious act.
   
• Immutable logs: Changeable records aren’t useful because they lack integrity. Immutable log files keep a record of access and events while also preventing tampering. Timestamps, along with unique number identifiers, ensure the integrity of logs by making it incredibly difficult to change them without detection. Forwarding and storing logs in a central location with limited and controlled access will also help with forensics on your systems.

All these steps together create observability that can further security automation for users. Standard data provides a model for normal behavior, so alerts can be established when that behavior falls outside these standard parameters. This proactive program ensures data risk assessment isn’t just a one-time thing: it’s an ongoing process that allows organizations to pivot as needed.

Of course, a third party should still complete data security risk assessments regularly, but an internal, continuous approach ensures those assessments will be much more effective. Built-in data governance and protection is a lynchpin of Copado’s Lean Security program where continuous improvement is key. Through it, analysts stay up to date and minimize risks created by bad actors using novel means.