Be prepared for breach disclosure and a magnitude assessment
Organizations need to take a proactive approach to monitoring data stores continuously, and in the case of a breach, assess the magnitude quickly and accurately. DSPM can help you.
Updated Securities and Exchange Commission rules that require rapid breach disclosure are causing heartburn for some enterprises and bring to mind the Boy Scouts' "Be prepared" motto. Knowing where your data stores are located and what sensitive data is inside them is fundamental to data security. And in the case of a breach, it's integral to promptly analyze and understand the magnitude of it.
Organizations need a proactive approach to monitoring their data continuously. Data repositories crop up and evolve over time as new applications and services are rolled out. A data store initially created without sensitive data might subsequently have data added. And some individuals might take the initiative to create data without IT and IT security having visibility into that data. Having an accurate understanding of your data assets helps mitigate cybersecurity risk, meet compliance obligations and control the damage if something happens.
SEC breach disclosure rules
The Securities and Exchange Commission (SEC) announced revised rules for disclosing material cybersecurity incidents in June 2023. Those rules require mandatory reporting of material incidents within four business days of determining materiality. Every company has a different equation when it comes to gauging materiality because every business is different. You need to understand what compromised data you are dealing with to help inform that materiality determination. And you need to know which data stores were affected and what is inside them. That is where data discovery and classification come into play.
Data discovery and classification tools might be homegrown, meaning developed internally, or commercial off-the-shelf offerings. Tools run the gamut from backup and restore tools for data protection, data loss prevention tools, cloud access security brokers and data governance tools. When it comes to large data repositories in the cloud or on premises that might have data with more scale and variety, enterprises typically gravitate toward data security posture management (DSPM) tools.
Whatever your approach, being prepared by understanding where your sensitive data stores are located and categorizing the data inside of them will enable you to quickly evaluate the magnitude of a potential breach so you can make an accurate determination of materiality. While reporting a data breach will result in negative PR and reputational damage, accurately determining the magnitude of a breach helps you avoid having to publish multiple notifications to publicly revise the number and type of compromised records.
Overestimating the magnitude of a breach: Marriott International
The hospitality conglomerate Marriott International reported in November 2018 that hackers had breached its Starwood reservation systems and stolen the personal data of up to 500 million guests. The breach affected customers who had reservations with Marriott-owned Starwood properties, such as Sheraton, Westin, W Hotels and St. Regis. The breach started in 2014 and went unnoticed by Starwood for four years. Then, in January 2019, Marriott International subsequently reported the breach had affected 383 million records -- duplicates reduced the number -- and disclosed the breached data included 5 million unencrypted passport numbers, something it had not previously disclosed.
Underestimating the magnitude of a breach: MarineMax
Yacht retailer MarineMax reported a cybersecurity incident to the SEC on March 12, 2024, for an incident that occurred earlier the month. The company indicated it did not maintain sensitive data in the environment affected by the breach. Then, on April 1, MarineMax amended its SEC filing to indicate financial and personally identifiable information (PII) data had been compromised and reported that data affecting more than 123,000 customers and employees had been exposed during the cyberattack. The promptness of this disclosure could be due to the new SEC rule, which was already in effect.
In the case of Marriott International, the initial breach record count was reduced, but the company subsequently disclosed that passport numbers were included in the breached data. In the case of MarineMax, the company initially thought no sensitive data was compromised but subsequently had to disclose that financial data and PII for more than 100,000 people was compromised. The way these cases played out, both companies had to make multiple disclosures over time.
While I have no inside knowledge of either breach, my observation is that quickly conducting the most accurate inventory of where your sensitive data is located and what types of sensitive data are inside your data stores can minimize the reputational damage and compliance risk resulting from a breach.
Data discovery and classification dynamics
In the heat of the moment in a data breach, analysis and reporting missteps can happen. The consequences of not knowing where your data is located and what it contains makes a bad situation even worse when analyzing and reporting on the breach.
While you might have an internally developed tool to identify your data stores and categorize the data inside, the tool can be brittle and miss sensitive data. Internal tools frequently don't locate shadow data outside the control and oversight of IT and IT security teams. Maintaining a homegrown tool can also divert scarce resources from more impactful projects.
DSPM technologies are relatively new and are designed to discover, classify and monitor data stores at scale. Constituents I have spoken with typically uncover previously undiscovered sensitive data when they test a DSPM tool and compare it to their existing, homegrown or legacy tool for data discovery and classification.
While DSPM technology can help to accurately assess the magnitude of a breach, its major value is to help prevent a breach in the first place -- the posture management in data security posture management. Such tools also contribute to improving data governance and regulatory compliance. Understanding what sensitive data you have, where it is located and who is accessing it enables you to take action to mitigate risk and better secure the data. Remediation actions can take many forms, from encrypting or masking the data to revoking outdated access to sensitive data to decommissioning unneeded or deprecated data.
Getting ahead of the problem: Locate and categorize sensitive data stores
You can't secure and report on something you don't know exists. In the same way you might scan a network to understand what devices exist and their security posture, you need to scan for sensitive data repositories and understand what is inside of them.
Your data is dynamic. Lines of business and staff create, update or combine existing data stores. Some of this might be sanctioned, with IT having visibility to the data store; however, some might be unsanctioned, with someone taking the initiative to use data without the IT and IT security team having visibility to the new repository -- the shadow data problem. This data is ever changing and moving, and it requires continually rediscovering and reclassifying sensitive data across your environment, both on premises and in the cloud. Accommodating this data dynamism is where DSPM products shine and homegrown options frequently stumble. As I learned in scouting, the bottom line is to be prepared. Locating your sensitive data stores and categorizing the data inside them on an ongoing basis will enable you to better secure that data, recover it in the event of a ransomware attack and recover more quickly should a breach occur.
Todd Thiemann is a senior analyst covering identity access management and data security for TechTarget's Enterprise Strategy Group. He has more than 20 years of experience in cybersecurity marketing and strategy.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.