Data breaches are an almost daily event and the problem is getting worse over time (although 2018 may end up being not quite as bad as 2017). If your job as an IT or security professional was dependent on preventing data breaches for your organization (and it very well could be), what steps would you take to prevent them? Here are a few ideas:
- Understand where your data lives
Our research has found that many decision makers really don’t know where all of their data is located. This is partly due to poor management of data, but also to the explosion of “Shadow IT” that enables employees to store data on personal devices, their own cloud accounts and in a variety of other places beyond the control of IT. To correct this problem, IT should conduct a thorough audit of every potential source of corporate data and bring it under the control of IT. That’s much easier said than done, but it’s essential if an organization is to regain control of its valuable data.
- Analyze your data
After the location of all corporate data is known and brought back under IT control, it should be analyzed as part of a good information governance protocol to determine what can safely be discarded, what data is subject to various compliance obligations, the duplicate data that is being stored, and so forth. This will reduce the volume of data that must be managed and identify what needs to be better protected, leaving less data available to breach.
- Implement the appropriate access controls
Implement robust identity access management to ensure that users have access to data only on a need-to-know basis. Implement risk-based authentication to ensure that more valuable assets require a greater degree of authentication than just username and password, but use multi-factor authentication at a minimum…everywhere. Implement user behavior analytics to ensure that anomalous behavior (e.g., unusually large file downloads or accessing sensitive data resources at odd times) is recognized and access to data is restricted, approved or blocked, as appropriate.
- Train users
It’s essential to educate users about how to protect corporate data. That means common sense things like not sending sensitive or confidential data without encryption, not using personal webmail or file-sharing services to send corporate data, not clicking on email links or attachments unless the identity of the sender is known and trusted, not visiting inappropriate web sites, not using personal webmail at work, being skeptical of requests delivered through email, not clicking on links in social media posts without first verifying their validity, not logging into unsecured Wi-Fi networks (e.g., at airports or coffee shops) without using a VPN or appropriate controls, not oversharing on social media, and maintaining robust security software on personal devices and networks if they are going to be used to access corporate networks or data resources.
- Use air gaps wherever you can
Not everything should be online. Old databases, older archived data and other data sources that are valuable, but rarely accessed, should be air-gapped to prevent breaches of this data.
- Encrypt devices
One of the most common sources of data leaks is the loss of laptops and mobile devices that contain unencrypted data. Every device must be encrypted to ensure that even if a device is lost, the data on it will remain inaccessible. Plus, the loss of encrypted data will, in most cases, not trigger requirements under data breach notification laws.
- Encrypt data
All data should be encrypted – at rest, in transit and in use.
- Evaluate your providers
The typical large enterprise employs more than 1,000 cloud providers in addition to many non-cloud providers. It’s your responsibility to ensure that each of these providers maintains appropriate security controls for your data under their control. Regulations like the General Data Protection Regulation codify these types of requirements, but it’s good to implement this best practice even in the absence of a specific external requirement to do so.
- Establish multiple and disconnected communications channels
One of the most financially damaging types of data breach is CEO Fraud or Business Email Compromise, in which a cybercriminal impersonates a CEO or other high ranking official to someone in the organization like a CFO or HR staffer. The recipient will often trust the message and execute the requested action, which might include initiating a wire transfer or sending W-2 data on employees. By establishing a communications backchannel, such as text messaging on mobile phones, the validity of the request can be confirmed.
- Implement DLP
To prevent malicious and inadvertent data breaches, implement a data loss prevention (DLP) capability that will inspect outbound emails, file transfers and other outbound content for sensitive data that is being sent without encryption, information being sent to competitors, emails sent to the wrong party, and so forth.
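The outbound inspection described above, as an added example that is not part of the original post: a small Python DLP check run over constructed outbound messages. It flags Luhn-valid card numbers or SSN-format strings leaving unencrypted to an external recipient, recipients at a listed competitor domain, and recipient domains one character off a known partner or internal domain (a likely wrong party). The domain lists, message fields and sample values are assumptions for this example, not values from the page.

```python
import re
from typing import List, Optional, Set

# Constructed policy values for this example; a real DLP deployment loads these from its policy store.
INTERNAL_DOMAIN = "example.com"
COMPETITOR_DOMAINS = {"rivalcorp.com"}
PARTNER_DOMAINS = {"acme-partner.com"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN layout
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")    # 13-16 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so plain digit runs (order ids, phone numbers) are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(body: str) -> List[str]:
    """Return labels for sensitive values found in the message body."""
    hits = ["ssn:" + m.group() for m in SSN_RE.finditer(body)]
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("card:" + digits[-4:])   # record only the last four digits
    return hits

def lookalike(domain: str, known: Set[str]) -> Optional[str]:
    """Return the known domain that differs from `domain` by exactly one character, if any."""
    for k in known:
        if domain != k and len(domain) == len(k) and sum(a != b for a, b in zip(domain, k)) == 1:
            return k
    return None

def inspect(message: dict) -> List[str]:
    """Return policy violations for one outbound message; an empty list means allow."""
    violations = []
    recipient_domain = str(message["to"]).rsplit("@", 1)[1].lower()
    external = recipient_domain != INTERNAL_DOMAIN
    sensitive = find_sensitive(str(message["body"]))
    if sensitive and external and not message.get("encrypted", False):
        violations.append("sensitive-unencrypted:" + ",".join(sensitive))
    if recipient_domain in COMPETITOR_DOMAINS:
        violations.append("competitor-recipient:" + recipient_domain)
    target = lookalike(recipient_domain, PARTNER_DOMAINS | {INTERNAL_DOMAIN})
    if target:
        violations.append("possible-wrong-party:%s~%s" % (recipient_domain, target))
    return violations
```

Internal recipients and encrypted messages pass the sensitive-data check, so the rule only fires on the unencrypted external case the post describes.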
These are just a few ideas that will help to mitigate, if not prevent, data breaches. Of course, every organization should implement a robust information governance program, but these are some good steps that will help to move an organization in that direction.
The European Union (EU) will put the General Data Protection Regulation (GDPR) into effect on May 25th, and with it some potentially difficult and onerous requirements. Here are a few potential issues with which companies worldwide will have to contend:
- Article 7(1) of the GDPR states, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” That means that anyone who signs up for a mailing list, a webinar, an email newsletter or any other type of communication from you will need to be fully informed of the “processing” that their data will undergo, and you will need to keep an accurate record of each instance of consent that has been granted. For example, someone who signs up to be on your corporate emailing list is granting consent for their information to be used strictly for the purpose of receiving email from you – you need to maintain a record of that consent. If they sign up for a webinar that you have announced to them in an email, they are granting consent to be contacted with regard to that specific webinar – you need to maintain a record of that, as well.
Our recommendation: excellent and up-to-date recordkeeping is going to be of paramount importance in order to remain compliant with the GDPR. That means good archiving of data subjects’ information, including the ability to search for and retrieve this information quickly and completely, and the ability to defensibly delete this information when needed.
- Article 22(1) requires that a “data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling…” and that includes their “location or movements” (Recital 71). What that likely means is that there is a prohibition on determining whether or not someone is an EU “data subject” based on things like their IP address when completing a form on your web site, for example. So, if someone who lives in the United States is on your corporate mailing list, where their information is not subject to GDPR compliance, but later moves to an EU country, where their data is now subject to the GDPR, is the onus on you to know they’ve moved? According to a strict interpretation of Recital 71, you’re not allowed to collect their IP address when they interact with you, and so you may not be able to determine that they have moved.
Our recommendation: act as if everyone is subject to compliance with the GDPR and process information accordingly.
- Articles 12 through 23 of the GDPR are the “Rights of the data subject”, which include things like their right to access and have corrected any information that a data processor or controller has on them, and their right to have that information deleted – their “right to be forgotten” – albeit with certain limitations. There are some serious implications for data controllers and processors in these requirements:
You need to know where all of your data is located. Data subjects’ information that might be stored on a departmental file share to which IT or legal does not have ready access, information stored in employees’ personal Dropbox accounts, or information stored on ex-employees’ personal devices could make it difficult or impossible to respond adequately to a data subject’s request for information or their right to have this data corrected or expunged.
Even with access to all of your data, an organization with malicious intent could organize a group of a few thousand people to request their data simultaneously. Given that the GDPR gives data processors and controllers only one month to comply with these requests (up to three months in some situations), an organization with inadequate content management systems in place could easily run afoul of the GDPR.
Our recommendation: conduct a thorough data inventory to determine where all of your data is located, give IT access to it, and implement a robust and scalable archiving capability that will enable all corporate data to be searched and produced quickly and with a minimum of effort.
Many thanks to Anne P. Mitchell, an Internet law and policy attorney and legislative consultant, for her input to this post. Her firm is offering consulting on the legal aspects of the GDPR – you can contact her here.
For more information on the GDPR, you can download our most recent white paper here.
We just published a new white paper on the European Union’s (EU’s) General Data Protection Regulation (GDPR) and will soon be publishing the results of the two surveys we conducted for that white paper.
In the second of the two surveys we conducted, we asked the following question: “Will your organization increase or decrease use of cloud technology as a result of the GDPR?” We found that 50 percent of respondents indicated they would increase their use of the cloud, 39 percent said there will be no change, six percent said they didn’t yet know, and only five percent said that use of the cloud will decrease. That tells us a few things:
- Many decision makers are still unsure about how they’ll deal with the GDPR. A thorough reading of the regulation, as with most government rules, leaves room for interpretation. For example, if data on an EU resident is subject to a litigation hold in the United States and the EU resident exercises his or her right to be forgotten, should the data controller violate its obligations to retain the data or violate the GDPR? That uncertainty will lead many to seek the assistance of third parties, many of which will be cloud providers that have more expertise in dealing with these kinds of issues.
- Many organizations will pass the buck to their cloud providers. Because many organizations are simply not sure about how to deal with the GDPR, particularly smaller ones that can’t afford a team of GDPR-focused legal and compliance experts, they will rely increasingly on cloud providers who they anticipate/expect/hope will navigate the intricacies of the GDPR on their behalf. We believe that will accelerate the replacement of on-premises solutions with those based in the cloud.
- Consequently, the choice of cloud providers will become extremely important. Since a cloud provider that inadvertently violates key provisions of the GDPR while working on behalf of their clients will not be a shield from prosecution, GDPR savvy will become a top priority when selecting new, or staying with existing, cloud providers.
- The new ePrivacy Regulation that will supplement or replace key provisions of the GDPR will impose significant usability restrictions on even simple activities like web surfing. For example, it is very likely that web site visitors will need to grant permission for each and every cookie dropped into their browser when visiting a web site, yet that web site operator will not be able simply to block content for those users who do not grant permission. This will make the choice of a web host extremely important in order to comply with both the GDPR and the ePrivacy Regulation.
In short, while the GDPR increases privacy protections for individual users in the EU, it is increasing the risk for those that wish to provide content to them. Many companies, particularly smaller ones, will seek to mitigate that risk by handing it off to cloud providers.
You can download our newest GDPR white paper here, and get more information on the ePrivacy Regulation here and here.
I will be participating in a webinar on the General Data Protection Regulation (GDPR) on November 9th along with ZL Technologies and Viewpointe (you can sign up for it here).
In one of our planning meetings for this event, the topic of Subject Access Requests (SARs) was discussed. One of the presenters wondered if SARs could somehow be used by anarchists or others to cause massive disruption to an organization. Given that data subjects in the European Union have the right to request any information about them that a data controller possesses, usually without a fee, and that requests must be processed within a month, what would happen if an organized group (are anarchists, by definition, organized?) flooded an organization with SARs in a very short period of time? There are situations in which data controllers are not obligated to provide data under an SAR, such as GDPR Article 23, which allows Legal Professional Privilege (LPP) as an exemption to fulfillment of an SAR. However, this is a fairly limited exemption and would not prevent the type of planned disruption that might be made possible under the GDPR.
The potential for causing mass disruption using SARs is not as far-fetched as some might consider it to be. Given that it will take several hours to process a single request for a company that has not implemented an appropriate classification and archiving capability for all of the potentially relevant information it has on data subjects, the potential for disruption is enormous. For example, if we very conservatively assume that just two person-hours would be required to process an SAR and someone wanted to “attack” an organization with 5,000 SARs in a single week, that would obligate a data controller to spend 10,000 person-hours — about five person-years — processing these requests in a very short period of time. While such a scenario against any single entity is unlikely, the likelihood that it will occur to some company is rather high, as is the risk: few organizations’ legal or IT teams have such an excess of labor available to them to deal with this type of occurrence.
This is just one of the topics we will be discussing at the webinar on November 9th. I hope you can join us.
We have recently completed a survey of IT decision makers that are knowledgeable about security issues in their organizations, and we found something surprising: the concern about “shadow IT” — employee use of unauthorized cloud apps or services — is significantly lower in this year’s survey than it was just over a year ago. While there can be variability between surveys because of sampling and other issues, the difference we found is not explained by sampling variability, but instead represents a significant shift of concern away from the problem of shadow IT and BYOD/C/A (Bring Your Own Devices/Cloud/Applications).
- First, we have not seen big, headline-grabbing data breaches result from the use of personally owned smartphones, tablets, laptops and other employee-owned and managed devices, cloud applications and mobile applications. While these breaches occur and clearly are a problem, the horror stories that were anticipated from the use of these devices have been few and far between.
- Second, senior management — both in IT and in lines of business — have seemingly acquiesced to the notion of employees using their own devices. They realize that stopping employees from using their own devices to access work-related resources is a bit like controlling ocean surf with a broom.
- Third, there are some advantages that businesses can realize from employees using their own devices. While lower business costs are an important advantage because IT doesn’t have to purchase devices for some employees, another important benefit is that IT doesn’t have to manage them either. For example, when an employee leaves a company and company-supplied devices need to be deactivated, some organizations aren’t exactly sure who’s responsible for doing so — IT, the employee’s manager, HR or someone else. A survey we conducted some time back asked, “when an employee who had a company-supplied mobile phone leaves your employment, how confident are you that you are not still paying for their mobile service?” We found that only 43 percent of respondents were “completely confident” that the mobile service was deactivated, and 11 percent either were “not really sure” or just didn’t know. Having employees use their own devices and plans gets around this problem nicely.
To be sure, unfettered and unmanaged use of employee devices in the workplace is not a good idea. It can lead to a number of problems, such as the inability for IT to know where all of a company’s data is stored, the inability to properly archive that data, the inability to produce all of it during an eDiscovery effort or a regulatory audit, lots of duplicate data, a failure to establish an authoritative record for corporate data, a greater likelihood of data breaches if a device is lost, and the potential for not being able to satisfy regulatory obligations.
That last point is particularly important, especially in the context of the European Union’s General Data Protection Regulation (GDPR). A key element of the GDPR is a data subject’s “right to be forgotten”, which translates to a data holder’s obligation to find and expunge all data it has on a data subject. If an organization cannot first determine all of the data it holds on a data subject and then cannot find all of that data, it runs the risk of violating the GDPR and can pay an enormous penalty as a result.
In short, BYOD/C/A offers a number of important advantages, but it carries with it some serious risks and should be addressed as a high priority issue in any organization.