If Your Job Depended On It, How Would You Prevent a Data Breach?

Data breaches are an almost daily event and the problem is getting worse over time (although 2018 may end up being not quite as bad as 2017). If your job as an IT or security professional was dependent on preventing data breaches for your organization (and it very well could be), what steps would you take to prevent them? Here are a few ideas:

  • Understand where your data lives
    Our research has found that many decision makers really don’t know where all of their data is located. This is partly due to poor management of data, but also by the explosion of “Shadow IT” that enables employees to store data on personal devices, their own cloud accounts and in a variety of other places beyond the control of IT. To correct this problem, IT should conduct a thorough audit of every potential source of corporate data and bring it under the control of IT. That’s much easier said than done, but it’s essential if an organization is to regain control of its valuable data.
  • Analyze your data
    After the location of all corporate data is known and brought back under IT control, it should be analyzed as part of a good information governance protocol to determine what can safely be discarded, what data is subject to various compliance obligations, the duplicate data that is being stored, and so forth. This will reduce the volume of data that must be managed and identify what needs to be better protected, leaving less data available to breach.
  • Implement the appropriate access controls
    Implement robust identity access management to ensure that users have access to data only on a need-to-know basis. Implement risk-based authentication to ensure that more valuable assets require a greater degree of authentication than just username and password, but use multi-factor authentication at a minimum…everywhere. Implement user behavior analytics to ensure that anomalous behavior (e.g., unusually large file downloads or accessing sensitive data resources at odd times) is recognized and access to data is restricted, approved or blocked, as appropriate.
  • Train users
    It’s essential to educate users about how to protect corporate data. That means common sense things like not sending sensitive or confidential data without encryption, not using personal webmail or file-sharing services to send corporate data, not clicking on email links or attachments unless the identity of the sender is known and trusted, not visiting inappropriate web sites, not using personal webmail at work, being skeptical of requests delivered through email, not clicking on links in social media posts without first verifying their validity, not logging into unsecured Wi-Fi networks (e.g., at airports or coffee shops) without using a VPN or appropriate controls, not oversharing on social media, and maintaining robust security software on personal devices and networks if they are going to be used to access corporate networks or data resources.
  • Use air gaps wherever you can
    Not everything should be online. Old databases, older archived data and other data sources that are valuable, but rarely accessed, should be air-gapped to prevent breaches of this data.
  • Encrypt devices
    One of the most common sources of data leaks is the loss of laptops and mobile devices that contain unencrypted data. Every device must be encrypted to ensure that even if a device is lost, the data on it will remain inaccessible. Plus, the loss of encrypted data will, in most cases, not trigger requirements under data breach notification laws.
  • Encrypt data
    All data should be encrypted – at-rest, in-transit and in-use.
  • Evaluate your providers
    The typical large enterprise employee more than 1,000 cloud providers in addition to many non-cloud providers. It’s your responsibility to ensure that each of these providers maintains appropriate security controls for your data under their control. Regulations like the General Data Protection Regulation codify these types of requirements, but it’s good to implement this best practice even in the absence of a specific external requirement to do so.
  • Establish multiple and disconnected communications channels
    One of the most financially damaging types of data breach is CEO Fraud or Business Email Compromise, in which a cybercriminal impersonates a CEO or other high ranking official to someone in the organization like a CFO or HR staffer. The recipient will often trust the message and execute the requested action, which might include initiating a wire transfer or sending W-2 data on employees. By establishing a communications backchannel, such as text messaging on mobile phones, the validity of the request can be confirmed.
  • Implement DLP
    To prevent malicious and inadvertent data breaches, implement a data loss prevention (DLP) capability that will inspect outbound emails, file transfers and other outbound content for sensitive data that is being sent without encryption, information being sent to competitors, emails sent to the wrong party, and so forth.

These are just a few ideas that will help to mitigate, if not prevent, data breaches. Of course, every organization should implement a robust information governance program, but these are some good steps that will help to move an organization in that direction.

Phishing and Ransomware are the Logical Evolution of Cybercrime

Phishing, which can be considered the delivery mechanism for various types of malware and cybercrime attempts; and ransomware, which is a specialized form of malware that is designed for the sole purpose of extorting money from victims, are critical problems that every organization must address and through a variety of means: user education, security solutions, vulnerability analysis, threat intelligence, good backup processes, and even common sense. The good news is that there is much that organizations can do to protect themselves, their data, their employees and their customers.

Phishing, particularly highly targeted forms of phishing like spearphishing and CEO Fraud/Business Email Compromise (BEC), as well as ransomware, are the logical evolution of cybercrime. Because there have been so many data breaches over the past few years that have resulted in the theft of hundreds of millions of records, there is a glut of this information on the market. The result, as there would be in any other business driven by the economics of supply and demand, is that prices for stolen records are dropping precipitously: a leading security firm estimates that the price of a stolen payment-card record has decreased from $25 in 2011 to just $6 in 2016.

Consequently, cybercriminals are turning increasingly to more direct means of theft. For example, ransomware will extort money directly from victims without requiring stolen data to be sold on the open market where it is subject to economic forces that can reduce its value. CEO Fraud/BEC can net hundreds of thousands or millions of dollars in a short period of time by getting victims to wire funds directly.

We are in the process of writing a white paper on phishing and ransomware, and will be publishing the results of an in-depth survey on these problems. Let us know if you have any questions or would like copy of the white paper when it is published next week.