A data breach doesn’t need to be a big headline-grabbing event (think of some of the high-profile breaches at the likes of Equifax, TalkTalk or Wonga) to do your organisation serious harm. In this blog I am going to cover what constitutes a data breach and what you can do to avoid one.
A data breach is any incident where confidential or personal data is exposed, either intentionally or accidentally. A similar term is ‘data leak’, which usually applies where data is inadvertently sent outside the protective boundaries of an organisation. This data could be personal data, commercially sensitive information, trade secrets or intellectual property.
Many data breaches and leaks go unnoticed; in fact, I am convinced that many organisations are not even aware of all the risks, or of how much of their data could be leaking out to unauthorised places.
We are all familiar with the data breaches caused by hackers (nearly always portrayed as hoody-wearing, often teenage, and working from a darkened bedroom!), but this is only part of the picture. We can never fully rule out a determined cyber criminal, and if we are hacked we have the protection of the law behind us, provided we can demonstrate robust processes and procedures. However, we can all very easily cause a data breach from within our organisation. We are also the best preventers of data breaches, through the values and culture of our organisation.
Let’s look at five examples of different types of data breach, other than the criminal hack.
1. Inadvertent data sharing
How many times have you been asked by one of your application service providers to send them a screenshot to illustrate a problem? It is very easy to use the Snipping Tool to grab the screen and attach it to an email. That screenshot could contain confidential or sensitive information, and as soon as you hit send the data is going outside the organisation. At the very least you should be considering whether your agreement with the service provider permits data sharing, in addition to using a more secure means of sharing than email.
Using a service provider’s online helpdesk system is no better. Whilst it doesn’t put your data at risk of being intercepted in transit through insecure email, it puts the data into a portal, probably cloud hosted, and you probably don’t know where that data resides. It could be in a jurisdiction that doesn’t have the same data protection controls as yours.
The right thing to do is to redact the data before you send the screenshot; however, many users don’t know how to do this, or aren’t aware of the risks and so can’t be bothered. I use a free product called Greenshot, which is easy to use and has tools for highlighting and obfuscating data.
2. Loss of media / mobile devices
How many times do you pass data to a trusted partner on a USB drive? Do you ask for the media back? If not, do you know what they’ve done with it? I came across this exact scenario last week where a client had passed some data to a lawyer who was advising them. A few weeks later they asked the lawyer for the media to be returned; however, the lawyer doesn’t know what happened to it! We can’t confirm whether a data breach has occurred, but we do know that the law firm needs to tighten up its data management protocols.
Much more likely is media or mobile devices being left on public transport, in meeting rooms, or simply lying around the office where someone can easily pick them up.
USB devices are also a great way for cyber criminals to infiltrate your network. Who can resist putting a flash drive into a USB slot to see what might be on it? I saw this in action at a recent cyber security conference, where I witnessed a USB drive containing a keyboard emulator (a device that presents itself to the operating system as a keyboard and types pre-programmed commands) take control of a laptop and expose all its data to the hacker.
3. Unauthorised cloud applications
Also known as ‘shadow IT’, this is where staff inside an organisation make use of IT systems without the explicit approval of the IT Team. It has become a real danger because consumer-led IT services come to market far quicker than business systems, and tech-savvy staff want to make use of tools that make their life easier. This could be using a service like Dropbox to share files, signing up to a cloud-based task management system, or using a personal copy of Excel Online because it has greater functionality than the old version on their office desktop.
Staff will resort to shadow IT when they feel the internal IT provision doesn’t enable them to do their job properly. Sometimes I have seen these shadow applications sanctioned by senior management, out of frustration at not being able to get the right tools for the job. It is therefore extremely important for the IT Team to act as enablers, providing what staff need as well as explaining the risks behind many of these simple cloud applications.
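You cannot manage shadow IT you cannot see, and the usual first source of visibility is the web proxy or firewall log. The following is an added example, not code from the original post: it parses a few constructed proxy log lines (a hypothetical timestamp/user/method/host/bytes format, not any real product’s log layout), matches each destination against a small hypothetical catalogue of cloud services, drops the ones the organisation has sanctioned, and totals requests and bytes uploaded per user and service.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log lines for the demonstration (not real traffic):
# timestamp, user, HTTP method, destination host, bytes sent by the client.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice GET  intranet.example.local   512
2024-03-04T09:15:44Z bob   POST api.dropbox.com         48213990
2024-03-04T09:16:02Z bob   POST content.dropboxapi.com  91234
2024-03-04T09:20:17Z carol GET  app.asana.com           2048
2024-03-04T09:22:30Z alice POST example.sharepoint.com  10485760
2024-03-04T09:25:11Z dave  PUT  storage.googleapis.com  3145728
2024-03-04T09:30:00Z erin  GET  www.bbc.co.uk           40960
"""

# Hypothetical catalogue of cloud services to watch for, keyed by registrable
# domain suffix. A real deployment would load this from a maintained list.
KNOWN_CLOUD = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "asana.com": "Asana",
    "googleapis.com": "Google Cloud Storage",
    "sharepoint.com": "SharePoint",
    "box.com": "Box",
    "wetransfer.com": "WeTransfer",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)\s*$"
)
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def classify_host(host: str, known=KNOWN_CLOUD):
    """Return the service name if any parent domain of `host` is in the
    catalogue, else None. Walks from the full host down to 'label.tld' so that
    content.dropboxapi.com matches the dropboxapi.com entry."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        service = known.get(".".join(labels[i:]))
        if service is not None:
            return service
    return None


def find_shadow_it(log_text: str, sanctioned: set, known=KNOWN_CLOUD) -> dict:
    """Aggregate, per (user, service), requests to cloud services that are not
    on the sanctioned list, and how many bytes were sent to them with
    upload-style methods. Malformed lines are skipped."""
    findings = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        service = classify_host(m["host"], known)
        if service is None or service in sanctioned:
            continue
        entry = findings[(m["user"], service)]
        entry["requests"] += 1
        if m["method"] in UPLOAD_METHODS:
            entry["bytes_out"] += int(m["bytes"])
    return dict(findings)


def report(findings: dict) -> list:
    """Order findings by bytes sent out, largest first, as printable rows."""
    rows = sorted(findings.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return [f"{user:<8}{service:<22}{v['requests']:>4} req {v['bytes_out']:>12} bytes"
            for (user, service), v in rows]


if __name__ == "__main__":
    for row in report(find_shadow_it(SAMPLE_LOG, sanctioned={"SharePoint"})):
        print(row)
```

Run against the sample, with SharePoint sanctioned, the report puts bob’s 48 MB to Dropbox at the top, lists carol’s Asana sign-in as a zero-upload finding, and ignores alice’s SharePoint traffic and erin’s browsing. The point of the per-user view is the conversation that follows: it tells the IT Team which need is going unmet, which is the enabling role the post argues for, rather than simply who to block.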
4. Improper disposal
In this type of breach, paper or electronic records are not properly disposed of when they have come to the end of their life. Paper is less of a problem these days, with most organisations having locked bins for secure shredding. But what about those notes that you took home to work on at the weekend, or in your hotel room after a business meeting? It is very easy to screw up a piece of paper and put it in the wastepaper basket. Take them back to work with you and put them in the shredding bin!
Electronic media disposal should be the role of the IT Team, but as I’ve mentioned above, mobile media such as USB drives are a real cause for concern. These too should be returned to IT and securely disposed of. In the case of laptops or desktops, the drives either need to be physically destroyed or securely wiped with appropriate software or hardware; bear in mind that simply overwriting files is not a reliable erasure method on SSDs, where the drive’s own secure-erase function, or full-disk encryption with destruction of the key, is the better option. The same goes for business smartphones, which can contain as much sensitive data as a laptop.
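Deleting a file with the operating system’s delete command only removes the directory entry; the data blocks stay on the disk until something happens to reuse them, which is exactly what forensic recovery tools rely on. The following is an added example (my own illustration, not code from the original post or from any particular wiping product) of what “securely wiped with appropriate software” means at the file level: overwrite the file’s bytes in place, force them to the device, and only then unlink it. The file name and its contents are constructed for the demonstration.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large files are not loaded into memory


def overwrite_in_place(path: str, passes: int = 2) -> int:
    """Overwrite every byte of the file at `path` where it sits on disk.

    All passes but the last write random bytes; the final pass writes zeros.
    Each pass is flushed and fsync'd so the data actually reaches the device
    rather than sitting in the page cache. Returns the bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pass_no in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                f.write(secrets.token_bytes(n) if pass_no < passes - 1 else bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def file_contains(path: str, marker: bytes) -> bool:
    """Check whether `marker` can still be found by reading the file back."""
    with open(path, "rb") as f:
        return marker in f.read()


def secure_delete(path: str, passes: int = 2) -> int:
    """Overwrite, then unlink. A plain os.remove() only drops the directory
    entry and leaves the data blocks recoverable with forensic tools."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


def run_demo() -> tuple:
    """Constructed demonstration: a file holding a sensitive marker string is
    overwritten in place and then deleted. Returns (marker present before,
    marker present after overwrite, file still exists after delete)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "client-notes.txt")
    marker = b"ACME Ltd account 1234-5678"  # constructed sample data, not real
    with open(path, "wb") as f:
        f.write((marker + b"\n") * 500)
    before = file_contains(path, marker)
    overwrite_in_place(path)
    after = file_contains(path, marker)
    secure_delete(path)
    exists = os.path.exists(path)
    os.rmdir(workdir)
    return before, after, exists


if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

This demonstrates the principle on a magnetic disk or a plain filesystem, and shows why the check is “can the data still be read back”, not “has the file gone”. It does not cover copies the system may have made elsewhere (journal entries, snapshots, backups, the editor’s temporary files), and on an SSD the controller’s wear levelling can leave the original blocks untouched while your overwrite lands on new ones, which is why the drive’s secure-erase command, or encryption with key destruction, is the right tool there and physical destruction remains the fallback the post mentions.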
5. Social Engineering
I’ve left this one to last because, in my opinion, it is the most dangerous and hardest to combat. These are data breaches caused by us and our innate human desire to help people and share information. I met a professional ‘social engineer’ last month and she described how there is no building or system that she can’t get into just by deceiving the people who work there. We naturally hold doors open for people and will very rarely challenge someone we don’t recognise in our office. How effective is your ‘clear desk policy’? Do you trust that the cleaners or maintenance staff won’t be looking through the papers on your desk after hours?
The way to prevent falling victim to social engineering is to change the culture in your business. Encourage the reporting of incidents and near misses, and provide regular training to your staff.
There are also tools we can use to monitor for breaches and alert security staff when one has occurred. However, I’d rather focus on what we can do to prevent them happening in the first place, and that largely comes down to training and staff awareness.
I’ve worked with several organisations helping them put in place staff awareness training for cyber security and data protection requirements (the two are very closely linked). Give me a call if you’d like to discuss your particular issues, or would just like to share ideas and best practice over a coffee – virtual or real!