enterprise data blog

Enterprise Data is Increasingly in Peril: It’s Time to Improve Governance

Data-driven insight is increasingly the foundation on which successful companies are built. Giving the right people access to the right information at the right time can drive productivity, streamline operations and enhance the customer experience. But success in this space first requires data to be managed and secured effectively. Recent research reveals that 57% more organisations rate data management as one of their highest priority initiatives today versus last year.

Over recent years, these efforts have gained extra urgency as information security risk has surged. To understand more, the latest Verizon Data Breach Investigations Report (DBIR) is a great place to turn.

What’s New for 2023?

The DBIR is a long and detailed read, but that’s because it’s one of the most thorough annual reports out there on the state of the current threat landscape. This year’s insight is based on an analysis of 16,312 incidents, of which 5,199 (32%) were confirmed data breaches. Some of the headline findings this year are:

Financially motivated attacks from malicious third parties dominate: External actors are present in 83% of breaches, and financial gain accounts for 95% of cases. That’s primarily due to the influence of organised crime gangs, who are responsible for most attacks. Nation-state operatives are relatively uncommon, less common in fact than the inside threat.

Stolen credentials are the top entry point for breaches: Nearly half (49%) of breaches analysed involved stolen logins, while phishing was present in 12% of attacks and vulnerability exploitation in 5%. 

Employees remain a serious risk: In three-quarters (74%) of breaches, the human element is a factor. That’s evidenced by the large share of breaches made possible by stolen credentials and phishing. But it also indicates that staff might misconfigure systems or accidentally send sensitive data to the wrong person. 

Business email compromise (BEC) doubles: BEC or “pretexting” isn’t often a direct threat to enterprise data, as the end goal is usually to trick an employee into wiring large sums of money to an attacker-controlled account. But it’s relevant to the discussion as a critical form of social engineering and a threat type in which the most sophisticated attacks can involve stolen credentials and/or phishing first to hijack email accounts. BEC accounts for over 50% of social engineering incidents—more than phishing—with cases doubling in a year.

Ransomware is still a major threat: Ransomware is present in a quarter (24%) of breaches. That’s because attacks now use “double extortion” techniques where data is stolen before being encrypted in order to force payment. Although the share of ransomware in breaches is virtually unchanged from last year, the threat remains pronounced for organisations of all sizes and across all verticals. The median costs resulting from these attacks more than doubled to $26,000, although the actual figure is likely to be much higher.  

Why Data Governance is Critical

The bottom line: the high-level story of threats is not much changed from last year. Threat actors remain a persistent bunch, and human error, credentials and software vulnerabilities remain among the main ways they compromise data. As organisations continue to double down on digital transformation, the opportunities to steal and/or encrypt data will only increase.   

This is where data management, and the sub-category of data governance, is increasingly important. Why? Because, amongst other things, it’s about putting together consistent policies and processes to securely manage data throughout its lifecycle, wherever it is in the organisation. In so doing, it’s a critical component of any compliance strategy.

ISACA Chief Global Security Officer, Chris Dimitriadis, tells ISMS.online that data governance effectively builds a “complex protection system around stored data”, which makes it harder for threat actors to compromise.

“The bottom line is that you can’t establish cybersecurity in digital ecosystems in which data quality is low, data location is uncertain, data isn’t classified based on criticality or current data copies are not maintained towards recovery,” he adds. “Data governance tackles all of these aspects.”

There’s increasingly also a global dimension to governance for many organisations, according to Cloudera EMEA Field CTO Chris Royles.

“Over the past few years, regulations like GDPR and Schrems II have changed data governance, sovereignty and privacy requirements. Today, data leaders must ensure governance is ‘always-on and everywhere’,” he tells ISMS.online. 

“This means having a set of globally defined data policies in place so that enterprises can easily replicate standards across all of their environments. This will drive consistency, which reduces risk, saves time and limits the opportunity for human error.”

Good data governance initiatives also need senior buy-in, says ISACA’s Dimitradis. “Senior management support is key for defining policies, procedures and improvement methodologies, for providing the necessary funding, resources and training and for identifying data and information related needs and controls,” he explains.

“Regularly measuring the maturity and capability of the data governance program is also key to success—allowing businesses to continuously improve and reduce uncertainty in the digital ecosystem.”

What Should Data Governance Programmes Contain?

There’s no one-size-fits-all for data governance. But looking at this year’s DBIR, a few specific focus areas from a cybersecurity perspective become clear. Here are the three most popular methods for hackers to compromise enterprise data and recommended Center for Internet Security (CIS) controls to consider.   

System intrusion (including ransomware):

  1. Securely configure enterprise assets and software.
  2. Deploy anti-malware and email and browser protection.
  3. Establish and maintain continuous vulnerability management and data recovery processes.
  4. Protect accounts with strict access controls.
  5. Run security awareness and skills training initiatives.

Social engineering:

  1. Protect accounts with access controls and account management (including account inventory and prompt user de-provisioning).
  2. Run security awareness programmes with a focus on BEC.
  3. Establish processes for reporting and managing incidents.

Basic web application attacks: 

Focus efforts on protecting accounts (i.e. via access control management), requiring multi-factor authentication (MFA) for remote network access and externally exposed applications. Mitigate vulnerability exploitation through continuous vulnerability management: including automated patching and remediation.

To find out how ISMS.online can help your data governance and management initiatives, speak to one of our experts today.

Explore ISMS.online's platform with a self-guided tour - Start Now