By: Mr. Filip Cotfas, Channel Manager, CoSoSys
Data is the new gold
Data is the new gold. The value of sensitive information and personal data may not seem that great, but its leakage is one of the costliest disasters for all types of organizations – businesses, governments, and other institutions. The lack of suitable data protection is an accident waiting to happen because cybercriminals are continuously on the lookout for a chance to get their hands on sensitive data, which they may then sell to other criminal organizations for various uses.
In addition to direct financial consequences that could result from data breaches, organizations that fall victim to them also face reputation losses and must pay huge fines to supervisory authorities for non-compliance.
All in all, one of the primary cybersecurity concerns today is the prevention of personally identifiable information belonging to data subjects falling into the hands of black-hat hackers. Here is what we believe are the five fundamental rules to follow to ensure data security and information privacy in your organization.
Prevent data loss where it happens most
If we were to focus on the sensational information coming from the media, it would be easy to believe that the number one reason for data loss is cyberattacks performed by skilled, professional black-hat hackers. This, however, is far from the truth. Most data breaches are the result of human error, not malicious activities.
If we analyze the reasons behind the biggest historical cases, for example, based on data collected from Wikipedia, the two most common reasons are hacking and poor security. And the poor security category refers to cases where data was, for example, available unencrypted in an unprotected database accessible with no authentication at all. This data was just waiting to be taken.
When we go down the list sorted by the number of records, we see more and more occurrences of accidentally published and lost/stolen media. While the biggest security breaches might have been associated with intentional actions, most data is lost due to mishaps that can easily be prevented by introducing automation-based safeguards not against hacking but against thoughtlessness.
When deciding upon your security strategy, consider preventing potentially risky authorized access at least as much as protecting yourself against intentional unauthorized access. Give permissions only where necessary.
Data Loss Prevention (DLP) solutions such as Endpoint Protector by CoSoSys can help businesses prevent data breaches by enforcing protection policies and preventing illegal access to data. They can restrict end users from sharing confidential information or transferring it out of corporate networks, and they can control or block unauthorized devices. DLP solutions help protect data both in transit and at rest.
Consider all possible sources of data leakage
Basic protection against external threats became the norm a long time ago. Today, we can’t imagine an organization that doesn’t use an antivirus/anti-malware solution on all its endpoints. We also cannot imagine a network without a firewall, and almost every organization educates its staff about the dangers of phishing. However, businesses and institutions still fail to go beyond these basic protection methods.
The two areas that many businesses don’t see as potential sources of data leakage are web interfaces and typical endpoint activities such as chatting, emailing, posting on social media, or using a USB stick to move data around. Many companies employ very strict rules on information access but don’t control what data is being shared over messaging apps, email, and attached devices. Without sufficient data privacy protection, a malicious internal user may easily send sensitive data to a private email address. Without preventive measures, a careless internal user may easily cause a tragedy by sharing sensitive data with the wrong person or accidentally pasting it into a comment on LinkedIn.
Suppose you’re protecting yourself from data leakage via phishing, open network ports, unsecured IP addresses, viruses, and trojans. In that case, you should pay just as much attention to other potential sources of data leakage, such as potentially irresponsible and accidental activities.
Monitor all potential sources of sensitive information
Sensitive information is not always concentrated in a single source. While it’s not very probable that you will have credit card numbers lying around in text files on one of your employees’ hard disks, that is much more likely for other kinds of personal data, which are just as much under protection as those credit card numbers – even something as simple as a user’s date of birth. You can still pay a hefty fine to a data protection authority for losing social security numbers and other types of PII, or for not being able to delete personal data when its owner exercises the right to be forgotten.
Many organizations do not realize that, with the current state of cybersecurity technology, it’s possible to identify such sensitive information just by how it’s constructed. You can implement privacy protection by using a data profiling solution that recognizes sensitive data before it is sent over an insecure channel such as, for example, social media. Your users may be clueless about online privacy and not realize that some type of data is, for example, considered sensitive health information or represents biometric data. Still, a smart IT solution won’t make that mistake.
Don’t assume that sensitive information is only contained in well-identified sources. Use modern solutions to identify it not based on its storage location but on the content itself.
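As an added illustration of content-based identification (example code written for this article, not CoSoSys code and not the Endpoint Protector engine), the check below flags card numbers, US social security numbers and dates of birth purely by their structure, wherever they appear in a text. The sample text and the values in it are constructed; the card number is a Luhn-valid test value, not a real account.

```python
import re

# Constructed sample: the kind of chat message or text file a DLP engine
# inspects before it leaves the endpoint. None of these values are real.
SAMPLE_TEXT = """\
Hi, pasting the customer record here for the demo:
Name: Jane Doe, DOB: 1987-03-14
Card: 4539 1488 0343 6467 (exp 09/27)
SSN: 219-09-9999
Ref number 1234 5678 9012 3456 is just an order id
"""

# 13-19 digits, optionally separated by spaces or hyphens (card formats).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN: AAA-GG-SSSS with the area/group/serial values that are never issued excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# ISO-style date of birth, YYYY-MM-DD, 20th or 21st century.
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used by payment cards; separates real card numbers from digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (category, value) pairs found in text, regardless of where the text lives."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # an order id that merely looks like a card is not flagged
            hits.append(("card", digits))
    hits.extend(("ssn", m.group()) for m in SSN_RE.finditer(text))
    hits.extend(("dob", m.group()) for m in DOB_RE.finditer(text))
    return hits


def should_block(text: str) -> bool:
    """Policy decision a DLP agent would make before allowing the transfer."""
    return bool(find_sensitive(text))


if __name__ == "__main__":
    for category, value in find_sensitive(SAMPLE_TEXT):
        print(f"{category}: {value}")
```

The order reference that resembles a card number fails the Luhn check and is left alone, which keeps false positives down without relying on where the file is stored.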
Prevention is better than cure – use encryption wherever possible
While 20 years ago encryption of information was considered a rare occurrence, associated only with the transmission of secrets, today we live in the age of data portability, where almost every data transmission is encrypted. For example, most web pages that you visit today use SSL/TLS (HTTPS) connections, which prevent third parties from listening in on the communication between your browser and the website or web application. Email servers also encrypt their communication with one another. Many instant messaging platforms enforce encryption and even allow you to send messages with limited retention by giving you the option of automatic erasure after a selected period.
However, while all these mechanisms are available, many of them are not enforced. Not every website allows only secure connections; many still make it possible to use unencrypted data transfer. Email content itself is almost never encrypted, and there are well-known messaging platforms that trust third-party communication channels to handle the encryption. Therefore, you should enforce encryption wherever you can, especially if you suspect that any sensitive information may be included in the data you collect.
Enforce encryption wherever you can. Even if you use secure channels, extra data encryption won’t hurt anyone and provides you with additional protection.
Treat security as an investment, not a burden
All the extra security measures may look like a burden. Many businesses are not happy about spending a lot of money on cybersecurity and decide to limit such spending, taking a calculated risk. However, it is exactly such companies that are featured on the lists of the biggest data breaches. In the past, we just needed good locks on the door, and now we have to think of all these potential sources of data leakage, too.
One of the most important aspects of security, not just of data protection and data privacy, is your mindset. If you treat cybersecurity as an investment, you will see it pay off by helping you avoid sudden costs that have a high potential to bankrupt your organization.
Start your cybersecurity initiatives with the right mindset by treating security measures like seat belts – as an investment that will help you avoid potentially tragic consequences.