In the wake of so many security breaches, news reports tend to focus on just two things: the number of people, credit cards or passwords affected, and the cause of the breach. Take the database breach at Comixology – the “cause” was a hacked database. Not surprising, as the 2013 Verizon Data Breach Investigations Report found that 92% of breaches were perpetrated by outsiders and that 52% involved some form of hacking.
Like most breaches, we’re never given more detail on exactly what made the hacking possible. Was it an unpatched server, a weak password or over-permissive access rights? Whatever the reason, IT is involved, either through action (setting an insecure password or weakening a security setting) or through inaction (failing to patch a server).
IT is making changes to systems and security at a rapid rate. In our 2014 State of IT Changes Survey, we found that 40% of IT organizations make security-impacting changes daily or weekly. Just as important, 57% of respondents admitted to making undocumented changes. That’s huge! In more than half of organizations, IT is making changes nobody has written down, every day, in your company.
While it may not be you, someone in your IT department may be leaving you exposed to hackers by way of the changes to security they are making. So, what can you do about it?
1) Establish a change documentation process – put something in place that records who changed what, where and when. It doesn’t even need to be fancy – an Excel spreadsheet, anything.
2) Create a review process – Beyond just documenting changes, be sure that you have a formal review of changes periodically.
3) Realize you need accountability – 34% of our survey respondents said they were using the same change management process or system to verify that all changes had been documented. Given the earlier admission that IT pros make undocumented changes, this is circular: a change that was never written down will never show up in the documentation, so the documentation process cannot hold anyone accountable. If you want accountability, you need change auditing that watches the systems themselves and provides an independent record of what actually changed, which you can then compare against what was documented.
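The gap step 3 describes is easy to make concrete. The script below is an added example (not the survey's or any product's code): it diffs two snapshots of a host's security settings, as an auditing agent would observe them, against the change log IT keeps (the spreadsheet from step 1, here as CSV), and reports three things: changes that were documented, changes nobody wrote down, and documented changes that never actually landed on the system. The host names, setting names and log rows are constructed for illustration, and the snapshot format is an assumption.

```python
"""Reconcile observed configuration changes with a change log.

Added example: compares two snapshots of security-relevant settings (what
change auditing observes) with the change documentation (what IT says it
did).  Hosts, settings and log rows below are constructed sample data.
"""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# --- Constructed input --------------------------------------------------
# Snapshots as an auditing agent would capture them; values are kept as
# strings so any kind of setting can be compared the same way.
SNAPSHOT_BEFORE = {
    "dc01": {
        "PasswordMinLength": "12",
        "LockoutThreshold": "5",
        "LocalAdmins": "alice;bob",
        "RDP_AllowedFrom": "10.0.0.0/24",
    },
    "web01": {"TLS_MinVersion": "1.2", "AdminSharesEnabled": "0"},
}
SNAPSHOT_AFTER = {
    "dc01": {
        "PasswordMinLength": "12",
        "LockoutThreshold": "0",               # lockout silently disabled
        "LocalAdmins": "alice;bob;svc_backup",
        "RDP_AllowedFrom": "0.0.0.0/0",        # RDP opened to the world
    },
    "web01": {"TLS_MinVersion": "1.2", "AdminSharesEnabled": "0"},
}

# The documentation IT keeps.  The lockout change was never written down,
# and the TLS change was documented but never actually applied.
CHANGE_LOG_CSV = """\
host,setting,new_value,ticket,engineer
dc01,LocalAdmins,alice;bob;svc_backup,CHG-1041,bob
dc01,RDP_AllowedFrom,0.0.0.0/0,CHG-1042,bob
web01,TLS_MinVersion,1.3,CHG-1043,alice
"""


@dataclass(frozen=True)
class Change:
    host: str
    setting: str
    old_value: Optional[str]
    new_value: Optional[str]


def diff_snapshots(before, after):
    """Return every setting whose value differs between the snapshots,
    including settings present in only one of them."""
    changes = []
    for host in sorted(set(before) | set(after)):
        b, a = before.get(host, {}), after.get(host, {})
        for setting in sorted(set(b) | set(a)):
            if b.get(setting) != a.get(setting):
                changes.append(Change(host, setting, b.get(setting), a.get(setting)))
    return changes


def load_change_log(text):
    """Parse documented changes into {(host, setting, new_value): row}."""
    return {(r["host"], r["setting"], r["new_value"]): r
            for r in csv.DictReader(io.StringIO(text))}


def reconcile(observed, documented):
    """Split observed changes into documented / undocumented, and list
    documented changes that never showed up on the system."""
    matched, undocumented, seen = [], [], set()
    for c in observed:
        key = (c.host, c.setting, c.new_value)
        if key in documented:
            matched.append((c, documented[key]))
            seen.add(key)
        else:
            undocumented.append(c)
    not_applied = [row for key, row in documented.items() if key not in seen]
    return {"documented": matched, "undocumented": undocumented,
            "not_applied": not_applied}


def audit(before=SNAPSHOT_BEFORE, after=SNAPSHOT_AFTER, log=CHANGE_LOG_CSV):
    """Run the whole reconciliation on the sample data."""
    return reconcile(diff_snapshots(before, after), load_change_log(log))


if __name__ == "__main__":
    result = audit()
    for c in result["undocumented"]:
        print(f"UNDOCUMENTED {c.host} {c.setting}: {c.old_value!r} -> {c.new_value!r}")
    for c, row in result["documented"]:
        print(f"documented   {c.host} {c.setting} -> {c.new_value!r} "
              f"({row['ticket']}, {row['engineer']})")
    for row in result["not_applied"]:
        print(f"NOT APPLIED  {row['host']} {row['setting']} -> {row['new_value']!r} "
              f"({row['ticket']})")
```

The point of the design is that the system snapshots, not the spreadsheet, are the source of truth: the disabled lockout threshold is caught precisely because the reconciliation starts from what was observed and only then asks whether a record exists. Checking the spreadsheet against itself, as the 34% in step 3 do, can never surface that change. The "not applied" list is the same comparison run the other way and catches documented work that was never done or was later reverted.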
Blaming hackers only scratches the surface. Recognizing that IT may be the unwitting helper, through the changes to security it makes, is what will actually make your security stronger.