(Ghostwritten for Chris Roney)
Data is the new gold. The value of sensitive information and personal data may not be obvious day to day, but its leakage is one of the most costly incidents an organization of any kind can suffer, whether a business, a government body or another institution. Insufficient data protection is an accident waiting to happen, because cybercriminals are continuously looking for a chance to get hold of sensitive data, which they can then sell on to other criminal groups for a variety of uses.
In addition to the direct financial consequences of a data breach, organizations that fall victim to one also suffer reputational damage and can face large fines from supervisory authorities for non-compliance with data protection and privacy laws such as the European Union's GDPR (General Data Protection Regulation), which covers individuals in the EU, the US HIPAA (Health Insurance Portability and Accountability Act), the California Consumer Privacy Act (CCPA), and others.
All in all, one of the primary cybersecurity concerns today is preventing the personally identifiable information of data subjects from falling into the hands of black-hat hackers. Here are what we believe to be the 5 fundamental rules to follow to ensure data security and information privacy in your organization.
Prevent data loss where it happens most
If we focused only on the sensational stories in the media, it would be easy to believe that the number one cause of data loss is cyberattacks carried out by skilled, professional black-hat hackers. This, however, is far from the truth. Most data breaches are the result of human error, not malicious activity.
If we analyze the causes behind the biggest historical cases, for example based on the data collected in Wikipedia's list of data breaches, the two causes that occur most often are "hacked" and "poor security". The "poor security" category covers cases where data was, for example, sitting unencrypted in a database exposed to the internet with no authentication at all. That data was just waiting to be taken.
When we go down the list sorted by the number of records, we see more and more occurrences of "accidentally published", "lost/stolen media" and "inside job". While the biggest breaches, such as the Capital One breach, may have been the result of a deliberate intrusion, most data is lost through mishaps that can easily be prevented by introducing automated safeguards, not against hacking but against thoughtlessness.
Conclusion: When deciding on your security strategy, think about preventing risky actions by authorized users at least as much as about protecting yourself against intentional unauthorized access. Grant permissions only where they are necessary, and only for as long as they are necessary.
Consider all possible sources of data leakage
Today, it is hard to imagine an organization that doesn't run an antivirus or anti-malware solution on all of its endpoints; that kind of protection became the norm long ago. We also can't imagine a network without a firewall, and almost every organization trains its staff about the dangers of phishing. However, there are still businesses and institutions that fail to go beyond these basic measures.
Two areas that many businesses don't see as potential sources of data leakage are web interfaces and everyday endpoint activities such as chatting, emailing, posting on social media or moving data around on a USB stick. Many companies enforce very strict rules on information access and yet do not control at all what data is shared over messaging apps, email and attached devices. Without preventive measures, a careless internal user can easily cause a disaster by sharing sensitive data with the wrong person or accidentally pasting it into a LinkedIn comment. Without sufficient data protection, a malicious insider can just as easily send sensitive data to a private email address.
Conclusion: If you protect yourself against data leakage via phishing, open network ports, exposed IP addresses, viruses and trojans, pay just as much attention to the other sources of leakage: careless and accidental actions by your own users, and deliberate ones by insiders.
Monitor all potential sources of sensitive information
Sensitive information is not always concentrated in a single place. While it is not very likely that you have credit card numbers lying around in text files on an employee's hard disk, it is much more likely for other kinds of personal data, which are just as protected as those card numbers, even something as simple as a user's date of birth. You can still pay a hefty fine to a data protection authority for losing social security numbers or other PII, or for being unable to delete personal data when its owner exercises the right to be forgotten.
Many organizations do not realize that with the current state of cybersecurity technology it is possible to identify such sensitive information by its structure alone: a payment card number has a known length range and a checksum digit, a national identifier follows a known format, and a date of birth is a date sitting next to a telling keyword. You can implement privacy protection with a content-inspection (data profiling) solution that recognizes sensitive data before it is sent over an uncontrolled channel such as social media. Your users may be clueless about privacy and not realize that a given piece of data counts as sensitive health information or represents biometric data, but a well-configured tool won't make that mistake.
Conclusion: Don't assume that sensitive information lives only in well-identified sources. Use modern solutions that identify it by its content rather than by its storage location.
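To make the idea of recognizing sensitive data "by the way it is constructed" concrete, here is a small content classifier added as an example. It is not Endpoint Protector's code and not the page's own; it is a from-scratch illustration of the technique a DLP engine applies. The sample text, the 20-character keyword window for dates of birth and the validation rules are assumptions made for the example; the card number is a synthetic value that passes the Luhn check, not a real account, and the SSN is the usual placeholder. The point it makes beyond the paragraph: a regular expression alone produces noise, so each candidate is passed through a structural check (Luhn checksum, SSN allocation rules, calendar validity, nearby context) before it counts as a finding, and findings are masked so the alert itself does not leak the data.

```python
import datetime
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str     # what the content looks like, e.g. "credit_card"
    masked: str   # redacted rendering that is safe to put in an alert or log line
    offset: int   # position in the scanned text, for highlighting in a UI


# Candidate patterns. They are deliberately loose; the validators below (Luhn,
# SSN allocation rules, calendar plausibility, nearby keywords) do the real work
# of keeping false positives down.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")               # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")              # US SSN in dashed form
DATE_RE = re.compile(r"\b(19\d{2}|20\d{2})-(\d{2})-(\d{2})\b")  # ISO date
DOB_KEYWORDS = ("dob", "birth", "born")                         # context that turns a date into PII


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def date_plausible(year: str, month: str, day: str) -> bool:
    """True only for a date that exists on the calendar (no 1987-13-01)."""
    try:
        datetime.date(int(year), int(month), int(day))
    except ValueError:
        return False
    return True


def mask(digits: str) -> str:
    """Keep only the last four digits so the alert does not become a second leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[Finding]:
    """Classify sensitive data in free text purely from its structure and context."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("credit_card", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3), m.start()))
    for m in DATE_RE.finditer(text):
        # A date is only a date of birth when the surrounding text says so
        # (assumed window: the 20 characters before the match).
        context = text[max(0, m.start() - 20):m.start()].lower()
        if date_plausible(*m.groups()) and any(k in context for k in DOB_KEYWORDS):
            findings.append(Finding("date_of_birth", m.group(1) + "-**-**", m.start()))
    return sorted(findings, key=lambda f: f.offset)


def should_block(text: str) -> bool:
    """Policy hook a DLP agent would call before letting text leave the endpoint."""
    return bool(scan(text))


# Constructed sample standing in for a chat message or a text file found on a
# laptop. The card number is a synthetic value that passes the Luhn check, not
# a real account; the SSN is the classic placeholder value.
SAMPLE_TEXT = """Hi, please process this order for Jane Doe.
Card: 4539 1488 0343 6467, exp 11/27, DOB 1987-05-23.
SSN 123-45-6789. Tracking number 4539148803436468 is not a card (fails Luhn).
Customer said 'my number is 1234567890', which is just an order id."""

if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"{f.kind:14} at {f.offset:3}: {f.masked}")
    print("block:", should_block(SAMPLE_TEXT))
```

Run on the sample, the scanner reports the card, the date of birth and the SSN, and ignores the tracking number (same shape as a card, wrong checksum), the ten-digit order id, and any date that has no birth-related keyword in front of it. A production engine adds many more patterns (IBANs, passport numbers, health identifiers) and tunes the context rules, but the shape is the same: match loosely, validate strictly, mask before reporting.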
Prevention is better than cure – use encryption wherever possible
While 20 years ago encryption was considered a rarity associated only with the transmission of secrets, today we live in an age of data portability in which almost every data transmission is encrypted. For example, most web pages you visit today are served over SSL/TLS (HTTPS) connections, which protect the traffic between your browser and the website or web application from eavesdropping and tampering on the network path (they do nothing for the data once the site has stored it, or on a compromised endpoint). Email servers can also encrypt their traffic with one another over TLS, and many instant messaging platforms enforce encryption and even let you send messages with limited retention by automatically erasing them after a selected period.
However, while all of these mechanisms are available, many of them are not enforced. Not every website accepts only secure connections; many still allow unencrypted transfers alongside HTTPS. Email content itself is almost never encrypted end to end, and there are well-known messaging platforms that leave encryption to the underlying transport rather than encrypting messages end to end. Therefore you should enforce encryption wherever you can, especially if you suspect that any sensitive information may be included in the data you collect.
Conclusion: Enforce encryption wherever you can. Even when you use secure channels, encrypting the data itself adds a layer of protection that survives a compromised channel or storage location, provided the keys are kept separate from the data they protect; a key stored next to the ciphertext protects nothing.
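"Available but not enforced" is easy to check for a web site, and the check is worth automating. The audit function below is an added example, not Endpoint Protector's code and not from the page: it takes the response a site gives to a plain http:// request and the response it gives over https://, and reports each way the site still lets clients talk in the clear. The host name example.com, the captured responses and the one-year minimum for the HSTS max-age are assumptions made for the example; in practice you would feed it responses fetched with any HTTP client.

```python
from dataclasses import dataclass, field

# Assumed policy floor: one year in seconds. Anything shorter gives an attacker
# a window as soon as the browser's remembered policy lapses.
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class Response:
    """A captured HTTP response: status code plus a header map (names lowercased)."""
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        return self.headers.get(name.lower())


def parse_hsts_max_age(value: str):
    """Return the max-age from a Strict-Transport-Security value, or None if missing/malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


def audit_https_enforcement(host: str, http_resp: Response, https_resp: Response,
                            min_max_age: int = MIN_HSTS_MAX_AGE) -> list[str]:
    """Report every way the site still accepts or invites unencrypted traffic.

    http_resp is the answer to a plain http:// request for the host, https_resp
    the answer to the same request over https://. An empty list means enforced.
    """
    problems = []
    target = f"https://{host.lower()}"

    if 300 <= http_resp.status < 400:
        location = (http_resp.header("location") or "").lower()
        if http_resp.status not in (301, 308):
            problems.append(f"http: {http_resp.status} is a temporary redirect; use 301 or 308 so clients remember it")
        if location != target and not location.startswith(target + "/"):
            problems.append(f"http: redirects to {location or '(no Location header)'} instead of {target}")
    else:
        problems.append(f"http: {http_resp.status} served content in the clear instead of redirecting to HTTPS")

    hsts = https_resp.header("strict-transport-security")
    if hsts is None:
        problems.append("https: no Strict-Transport-Security header, so nothing stops the next visit from starting over http://")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None:
            problems.append(f"https: malformed HSTS header {hsts!r}")
        elif max_age < min_max_age:
            problems.append(f"https: HSTS max-age={max_age} is below {min_max_age}")
    return problems


# Constructed responses for a hypothetical site; nothing here touches the network.
WEAK_HTTP = Response(200, {"content-type": "text/html"})      # serves the page over plain HTTP
WEAK_HTTPS = Response(200, {"content-type": "text/html"})     # works, but never tells the browser to insist on it
FIXED_HTTP = Response(301, {"location": "https://example.com/"})
FIXED_HTTPS = Response(200, {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"})

if __name__ == "__main__":
    for label, h, s in (("weak", WEAK_HTTP, WEAK_HTTPS), ("fixed", FIXED_HTTP, FIXED_HTTPS)):
        issues = audit_https_enforcement("example.com", h, s)
        print(label, "->", issues or "HTTPS enforced")
```

The weak site fails twice (it answers the plain request with content, and its HTTPS responses carry no HSTS header), while the fixed one passes. A 302 redirect or a tiny max-age is flagged separately, because both leave the client free to try plain HTTP again on the next visit; the same idea extends to checking STARTTLS on your mail servers and TLS-only listeners on any other service you run.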
Treat security as an investment, not a burden
All the extra security measures may look like a burden. In the past, we just needed good locks on the door; now we have to think about all these potential sources of data leakage, too. Many businesses are unhappy about spending a lot of money on cybersecurity and decide to limit such spending, taking a calculated risk. However, it is exactly such companies that end up on the lists of the biggest data breaches.
One of the most important aspects of security, not just of data protection and privacy, is your mindset. If you treat cybersecurity as an investment, you will see it pay off by helping you avoid sudden costs that have a real potential to bankrupt your organization.
Conclusion: Start your cybersecurity initiatives with the right mindset, treating security measures like seat belts: an investment that helps you avoid potentially tragic consequences.
Arm yourself with Endpoint Protector
To address all the concerns raised in the recommendations above, you need several classes of solutions or external service providers. However, many of them, primarily those related to data loss through the careless or malicious activities of internal users, can be addressed with Endpoint Protector, which helps you control information loss via connected devices and modern communication channels. It can also help you identify personal information stored in local data sources.
With Endpoint Protector in place, you can be confident that you are not leaving open the gaps that have been behind so many real-life data loss scenarios.