Is there a relationship between organization policies and data breaches?
There is a strong correlation between organization policies and data breaches. Here we consider the three most common causes and how corresponding organization policies, if well-implemented, can reduce the attack surface and prevent data breaches.
Spoiler alert - yes, they are very much related. Organizations that do not follow and enforce a well-documented set of security policies and business procedures are susceptible to data breaches. Let’s consider the three most common causes and how corresponding organization policies, if well implemented, can reduce the attack surface and prevent data breaches.
Most of the breaches are caused due to weak, multiple and stolen passwords. Access Control Policies (ACP) and Acceptable Use Policies (AUP) can enforce complex, rotating passwords and access only from registered devices. However, overly restrictive, static policies can become counterproductive and open up avenues for data breach. Adaptive access control policies that can learn and adapt to user behavior and deny access or prompt for additional authentication factors as needed can improve user experience without compromising security. In addition, Compliance Policies mandating frequent security awareness training can prevent some of the main causes of compromised credentials - phishing, social engineering and credential reuse.
Improper configurations to systems like firewalls, VPN, web, database servers and application vulnerabilities like SQL Injection and Local File Inclusion contribute to this attack. Info-security policies can mandate use of robust security vulnerability tools for continuous configuration and patch monitoring, detection and prevention of unsanctioned software (Shadow IT), use of secure development practices and conduct occasional penetration and vulnerability assessments.
A disgruntled employee or contractor is the worst of the nightmares that organizations can face. A combination of HR, Access Control and Regulatory Compliance policies that define how users are to be on/off boarded, what access privileges they are entitled to and how malicious behavior is continuously monitored, can to some extent prevent insider threats.
Though employees are ultimately responsible and obligated to follow organizational policies, a layered, defense-in-depth approach to security with various controls and procedures defined to mitigate security threats will allow organizations to be proactive in a constantly evolving threat landscape.
This post originally appeared in a Quora Q&A session hosted in January 2020. Our CPO Archit Lohokare was asked to discuss the state of cybersecurity, Zero Trust, artificial technology and machine learning and working in the security field, among other things. Stay tuned as we share more of his answers in our blog!