The last part in a series of 4: The what, why, and how of securing storage and backup
In part 1 of this series, we discussed the need to protect the storage and backup systems. In part 2, we provided more details on the risk and showed how hackers can get in. In part 3, we talked about improving your storage and backup security posture. In this fourth chapter, we’ll cover the economics of storage security.
Now that you have read the previous chapters in this 4-part series, you know how hackers can penetrate storage systems and do significant damage to your enterprise data.
But, there is much that can be done to plug the holes and safeguard your most valuable asset: data.
It takes an investment to reach storage security nirvana. To justify it to yourselves, your CFO, and the CIO – and perhaps even your CEO – you must do the following:
1. Do your due diligence to calculate the storage security price tag or price range.
2. Measure that price against the costs that come with breaches (even a single breach) and the likelihood of a storage attack occurring in the near future. Here are some points to help you:
- The impact on your business if you lose your core data and your backups, with no way to restore them
- The costs of extensive breach notifications and public awareness, in terms of:
  - Reputational damage
  - Stock prices
- Fines and penalties from:
  - The SEC, the PCI Council, Health and Human Services, and other regulators for non-compliance with PII, PHI/HIPAA-HITECH regulations, the GDPR, the CCPA, and financial data requirements
  - Regulators and merchant banks enforcing SOX, PCI-DSS, and other financial services requirements
- Joint, cross-state HIPAA lawsuits in federal court
- Lawsuits from consumers and business customers
- Financial judgments and civil penalties
- Loss of customer confidence, with customers taking their business elsewhere
- Costs of premium credit and identity theft protection for affected consumers
Oh, what a joy… Sorry for being all ‘doom & gloom’ and creating FUD, but if you believe you never had a breach and never could have one, it’s time to take your blinders off.
Neglecting storage security can take its toll, as it may come up in your next audit. Organizations have started reporting that auditors are asking tough questions – and failing to provide convincing answers can result in severe penalties. These questions include:
- Can you produce an inventory of your storage devices?
- Can you show me your evaluation of the requirements to secure storage devices and backups? Auditors request details about storage protocol vulnerabilities (IP and Fibre Channel), encryption, CVE management, protection of backup copies, utilization of ransomware and DoS prevention features, and more.
- Can you show me the decisions you made based on your evaluation?
- Can you share your storage security plan and actuals?
- What are your controls for storage system authentication and authorization?
- Do you know who may access what systems with what rights and privileges?
- Does your incident response plan cover in detail how you recover from storage-related attacks?
“Securing central storage is an area that I personally have been harping on about quite a bit, and I’ve been telling people that just aren’t aware of how much risk exists in storage environments. It’s your responsibility. You, the CISO, have to take some responsibility here. I get really emphatic about it. And then I just give them a few of the horror stories.”
– Dick Wilkinson, Former CISO, New Mexico Supreme Court
Closing the storage loopholes and getting management buy-in
Up to 30 percent of financial services organizations are aware and concerned about new audits that include storage security requirements.
Remember the list of potential breach costs you’ve made? It’s time to share it with your CFO and CISO (if you aren’t one of them).
Don’t forget to include costs of audit failure.
Show your numbers as big-picture expenses, and have the subtler details ready when they ask for them. Underline the difference between paying for security now and paying all these other costs plus the cost of security later.
There is ROI in the CFO’s peace of mind from not sticking their head in the sand and pretending there are no storage threats or penalties. There is measurable ROI in the competitive advantage you gain by marketing your security savvy as a selling point alongside your organization’s products and services.
See how secure your storage systems are with this one-time assessment. You’ll also receive recommendations on resolving any risks that are identified.
*** This is a Security Bloggers Network syndicated blog from Continuity™ authored by Doron Youngerwood. Read the original post at: https://www.continuitysoftware.com/blog/securing-enterprise-storage-and-backup-systems-how-to-establish-an-effective-business-case-and-get-management-support/