A structured approach to data protection
Why do you need data security? There are many reasons, but we typically see three main drivers for the adoption of a data security strategy.
Firstly, compliance. Businesses are subject to mandatory compliance standards imposed by governments and industry bodies (such as UK-GDPR, PCI-DSS, HIPAA, SOX, etc.). These standards often stipulate how businesses should secure Personally Identifiable Information (PII), financial data and other sensitive data.
So, a data protection policy is a basic first step towards addressing these requirements. It is critical that Data Loss Prevention (DLP) tools are built to address the requirements of the common standards, as a minimum.
Secondly, intellectual property and intangible assets. An organization may hold trade secrets, other strategic proprietary information, or intangible assets such as customer lists and business strategies. Loss of this type of information can be extremely damaging, and accordingly it is directly targeted by attackers and malicious insiders. A data policy covering these assets can help identify and safeguard the information that is critical to a business’ success.
And thirdly, data visibility. Implementing a data protection strategy should provide insight into how stakeholders within the business use data. In order to protect sensitive information, organizations must first know it exists, where it exists, who uses it… and for what purposes.
Data usage continues to grow exponentially, which makes it harder to manage effectively.
“From 2010 to 2020, the amount of data created, captured, copied, and consumed in the world increased from 1.2 trillion gigabytes to 59 trillion gigabytes, an almost 5,000% growth. What will data do in the coming decade?” 1)
A 2021 survey 2) identified that 85% of breaches involved a human element.
Human behaviour is complex and can be influenced and manipulated in a range of ways. All humans have fundamental psychological vulnerabilities that can manifest during times of heightened pressure or stress, and this affects decision-making in real time. Insider threats typically fall into two types:
The Accidental Insider – an employee who is manipulated by an external attacker through a classic phishing or vishing attack, or who simply sends a file by accident without truly knowing all of its contents.
The Malicious Insider – one of an organization’s current or former employees, contractors, or trusted business partners who misuses their authorized access to critical assets in a manner that negatively affects the organization.
Malicious insiders are harder to detect than outside attackers, as they have legitimate access to an organization’s data and spend most of their time performing regular work duties. As a result, detecting malicious insider attacks takes a long time: on average, it takes 77 days to identify the actions of a malicious insider.
Not to forget what is typically thought of when we discuss any type of cyber attack or data breach: the external hackers and attackers. These are technical individuals or organizations that intentionally target technology to create incidents and achieve a breach. They can be solo individuals, groups, or even nation states, with goals and missions ranging from destabilizing a business or government, to disseminating information, to financial gain.
“94% of businesses surveyed had suffered an insider data breach in the last 12 months” 3)
What are external attackers after when they target us? Credentials remain one of the most sought-after data types, and personal data is a close second. Credentials are a top target because they grant access to other areas within the business where the monetizable data is held.
When you look back at the big brand breaches over the last few years, it has been airlines, hotel chains and banks, and the data taken has been personal ID numbers, emails, names and addresses, plus other financial data. So you can see the pattern: it is the data that is easiest to make money from.
However, that is not the only way data is compromised. We must also look at “data leak errors”. Sadly, we cannot discount the ability of our own employees to make mistakes and thereby contribute to the problem; personal data is by far the top data type compromised in those incidents.
Such incidents are less likely to involve credentials and more likely to involve sending data out in an email. This will typically be PII, and it may also be sent to the wrong person; all of this is still defined as a data breach.
Banking and card details understandably fetch the top prices. But other pieces of data are also highly valued, such as driving licence details, passport information and proof of identity, all of which can be used in combination to steal someone’s identity.
So, how can you address these challenges? Start by looking at your data protection strategy and understand whether it covers all the core elements. Need tips on what a good data protection strategy should look like?
This data strategy (or journey) example has 7 steps:
- Prioritise the criticality of your data
- Classify and categorise your data
- Understand your risk profile
- Monitor all data flows
- Communication and control
- Employee empowerment
- Deploy and monitor
Your data protection strategy could have other elements and/or cover things in a slightly different order, but this should help you get off to a great start!
If you want to find out more about these ‘7 Steps to Data Protection’, please get in touch with us at SecurEnvoy.
2) 2021 Egress Data Loss Prevention Report
3) 2021 Verizon Data Breach Report