Focusing on Soft Skills
Most of the time in this column, I focus on technical topics—this is Practical 365, after all. However, in this column, I wanted to talk about soft skills, training, and investment as tools to minimize the harm from data breaches. These topics aren’t as sexy as discussing the latest Defender improvements or ransomware threats, but they’re important too.
The July 25, 2023 edition of Risky Business News had two factoids nestled together that gave me this idea:
- IBM said the average cost of a data breach so far in 2023 is US$4.45 million. This cost includes detection, remediation, and post-breach cleanup. You can imagine that a larger breach, or one in a country with strong data protection laws, might cost significantly more than that.
- KrebsOnSecurity points out that only 5 of the Fortune 100 companies list an information-security executive as part of their leadership team.
It’s tempting to assume that there’s no relationship at all between these two facts. And, in truth, you’d be hard-pressed to prove that there is one. In his column, though, Brian Krebs points out that the CISO/CSO role should be important enough to be considered part of the executive leadership team in most organizations, just like the chief marketing officer or even the chief technology officer. His full column’s worth a read to get the full flavor of his argument, but I think he’s right.
Wait, What?
What does executive leadership have to do with the average cost of a data breach? Again, there’s no provable super-obvious connection here, but I think there is a link: the more extensive the breach (where “extensive-ness” can be measured by the scope, duration, and/or importance of the breach), the more it’s going to cost. Is a lack of executive focus on information security contributing to an increase in the average breach cost? That’s a pretty solid theory, I think.
Now for the “Practical” Part
Why is any of this pertinent to Microsoft 365 administrators? Simple. Your organization probably doesn’t have $4.45 million saved up to cover the (average) cost of a data breach, so it’s worth discussing what you might want to do to reduce the risk of one and/or the impact and cost if a breach does occur. Even spending 1% of that figure is probably justifiable if it will mitigate the risk of a breach—and you might be surprised at what you can get accomplished by spending 0.1% of that amount if it’s well-planned and executed.
Attacking the Two Ends of the Breach
Think of a data breach like a pipe: your data goes in one end and flows through to the other end. Just like a water pipe, if you plug either end, the flow stops. It’s probably not possible for you to guarantee this, of course, but whatever you can do to reduce the diameter of the pipe will be to your benefit. What does that look like in practical terms?
Let’s start with the input side. You can invest in finding out:
- What interesting or sensitive data do you actually have (in other words, what might an attacker want to steal or disclose as part of a breach?)
- Who has access to it?
- Are there accounts with access that don’t need it or have excess access?
- What auditing is in place, and is the audit data actually useful?
None of the above actually requires you to give money to any vendors or consultants. You may need to allocate some internal labor to it, depending on what tools and skills you already have internally, but the basic Microsoft 365, Windows server, and Windows/macOS desktop tools are good enough to let you answer these four questions. The biggest expense, in fact, is likely to be writing up the results of what you find, then getting roped into long discussions about what to do about it. (Maybe in a future column I’ll share tips for getting out of meetings you don’t want to be in!)
If you want to plug the exit end of the pipe, your job will be harder. One of the glories of SaaS applications such as Microsoft 365 is that they are broadly accessible from nearly any endpoint; with that said, Microsoft 365 conditional access policies give you a strong set of tools to restrict which endpoints can access your data, and what they can do with it. Applying a robust set of policies is a good start. You should also consider whether activity auditing or anomaly detection would be useful (hint: the answer is probably ‘yes’). Data loss prevention is worth investigating too, but deploying it from scratch is probably going to cost more than the 1% target I mentioned above, and in any event, DLP isn’t what will give you the biggest return on your investment.
You also can expect a good return on investment from time spent digging into your software and hardware supply chain. You probably have unpatched (and maybe even unpatchable or unsupported) devices lurking in your network. Harden them or get rid of them, then spend the minimal amount of time required to ensure that they get regularly patched in the future. Any time you invest in reducing your overall attack surface will pay disproportionate dividends down the road.
“Soft” Doesn’t Mean “Easy”
It may seem like it’s easier to just go to the Microsoft 365 admin center and buy a bunch of licenses for whatever shiny new security capability they’re selling. In reality, though, the time you spend on these “fuzzy” or “soft” security tasks will be paid back with high returns in improved security and reduced hassle for you and your users. As a welcome side benefit, it will also help you and your team develop and flex some valuable practical leadership skills—and I’ll have more to say about developing security leadership in future Practical Protection columns. Until then, stay watchful!
