A Data Breach Risk Assessment Checklist

Krystal Wang
Senior Security Solutions Manager
November 6, 2018

When it comes to data security, there’s no such thing as too big to fail. Chances are, if you’ve switched on the news recently you’ve heard of at least one high-profile data breach. Perhaps of even greater concern is that a few large organisations have fallen victim to multiple data breaches in the past few years. This is a surefire sign that corporate security practices are not evolving fast enough to outpace the increasing sophistication and ambition of attacks.

Safeguarding against compromised credentials

Stolen credentials arising from reused passwords and phishing attacks pose the most significant data breach risks these days. While it’s important to educate your workforce, it’s also crucial to realise that phishing lures have become so sophisticated and personalised that they are almost impossible to identify. Good password hygiene and security training alone will only get you so far.

It’s important to back these initiatives with effective identity and access management (IAM). Instead of relying on security controls at your perimeter, you should focus on identity-driven security that accurately identifies people as the new perimeter. You’ll then be able to take an approach that Gartner calls continuous adaptive risk and trust assessment—in other words, evaluating the threat of activities in real time.

We’ve put together a checklist that identifies some of the top causes of data breaches and suggests steps you can take to secure your organisation and keep your people safe.

A checklist for identity success

1. Centralize identity and access control

First, reduce the complexity of account management by making use of a single IAM solution.

  • Passwords will likely still be a reality in your organisation, but make sure users have strong, unique passwords. Single sign-on solutions free users from having to juggle multiple usernames and passwords, which in turn makes it less likely that they’ll use simple or recycled passwords.
  • Aim to go passwordless completely. We’re finally at a stage where we can say goodbye to simple usernames and passwords and adopt authentication that’s more secure.
2. Adopt strong authentication

Using knowledge factors, like passwords and security questions, means you’re vulnerable to data breaches via stolen credentials. Authentication should be based on possession or biometric factors.

  • Adopt Multi-Factor Authentication (MFA) and consider the factors that best suit your organisation
  • To reduce login friction, it’s important to base these factors on the context of a login request—the location, device, and network associated with it. When the risk associated with a request is high, the solution will prompt for a factor with a higher assurance level
  • Use step-up authentication for critical systems and apps, regardless of the context of a request
  • Create unified policies across your on-premises and cloud apps to ensure that a single oversight doesn’t lead to a breach
3. Reduce your attack surface

The easier it is to see exactly who has access to what, the less the chances of a data breach.

  • Create a dedicated space to manage access and permissions for all your users, groups, and devices
  • Automate provisioning, onboarding, and other tasks to reduce IT’s workload and prevent human errors that naturally come with administrative tasks
  • Set up reports that flag orphan accounts, unassigned users, and other anomalies that could signal or lead to a data breach
4. Be ready to respond
  • Proactive responses prevent data breaches. Use all the information at your disposal to respond to red flags.
  • Set up centralised, real-time reports for all authentication events—get your team ready to deal with any unusual and suspicious behaviour
  • Integrate your identity management strategy with existing security information and event management (SIEM) solutions. Okta solutions can be combined with software like Splunk to offer detailed insight into network activity and prepare you to respond quickly

Found this helpful? Read Checklist: 12 Key Steps for Protection Against Data Breaches for more proactive steps to prevent data breaches.

Krystal Wang
Senior Security Solutions Manager

As a Senior Security Solutions Manager at Okta, Krystal works closely with customers and product teams to deliver security-focused identity solutions. Prior to Okta, Krystal worked in product and evangelist roles at leading cybersecurity firms in areas of threat prevention, email and web security, and network security. Krystal has over a decade of experience in the security space and holds a bachelors in Information Science.

Tags

data security MFA Multi-Factor Authentication
Previous
Next

April 17, 2024

What Is Single Sign-On (SSO)?

By Okta
Single sign-on (SSO) is a user authentication tool that enables users to securely access multiple applications and services using just one set of credentials…

Read now

March 14, 2024

The State of Inclusion at Okta: Working to integrate equity

By Lindsay Ward
Today, we released our fourth State of Inclusion report, an annual report in which we share an overview of our current workforce demographics and Okta’s…

Read now

March 7, 2024

Businesses at Work 2024: Fundamentals in focus

By Sagnik Nandy
For the first few years of this decade, organisations everywhere had to grapple with wave after wave of remarkable change. Sudden developments like lockdowns,…

Read now

February 28, 2024

Introducing the Okta Secure Identity Commitment

By Todd McKinnon
Earlier today, Okta CEO Todd McKinnon sent the following email to Okta employees.  Hi Everyone, Last month Okta celebrated its 15th birthday. As I’ve reflected…

Read now

February 13, 2024

Transforming enterprise operations with Okta Workflows and OpenAI

By Mick Johnson
In today's world, where keeping things running smoothly and safely online is key, Okta has become a go-to choice for companies managing who gets access to what…

Read now