As businesses and organisations incorporate an ever-growing number of solutions, platforms and applications into their IT operations, the scope for data loss, and the burden of preventing it, rises in tandem. It’s a drum we have been banging for some time now, but two stories in the news this week highlighted once again that there is more than one vector for data loss in modern business, and that removing one vector does not reduce the overall burden.
First up is the widely reported news that the German government is considering reverting to old-fashioned typewriters to counter the threat of the NSA snooping on sensitive communications. If this goes ahead and German agencies start using typewriters for confidential documents it will, in essence, be removing one set of data protection problems only to replace them with another. While the documents will no longer be directly reachable over the internet, wearables and smartphones mean they are only a photograph away from becoming digital again. We often forget that information in paper files and documents can be just as sensitive, and just as prone to mishandling, as electronic data, so going offline is not a silver bullet for data loss prevention.
Also in the news this week were reports that Android apps ask for far too many device and data permissions, leaving businesses that use them with a potential data protection headache. With applications routinely requesting a variety of access permissions, both businesses and employees need to be aware of what potentially sensitive data they are making accessible to people outside the organisation. For instance, if an application that requires address book access is running on a corporate device, do you really want to give that app access to your corporate address book? The question is not only what data the app can read but where it can send it: an app that can read contacts and also has network access can copy the address book off the device. This adds another layer to, and raises more questions about, an organisation’s data loss prevention policy.
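As an added illustration of the kind of check a mobile device policy could build on (this is example code written for this post, not Pentura’s tooling or anything from the Android project), the script below parses the text that `aapt dump permissions app.apk` prints and flags the combinations that matter: a permission that reads corporate data (contacts, SMS, location, storage) together with `INTERNET`, which Android grants automatically and which is what lets that data leave the device. The permission-to-data mapping and the sample dump are our own constructed assumptions, not an Android classification or a real app.

```python
"""Flag sensitive Android permissions in `aapt dump permissions` output.

Added example for this post; not Pentura's or Google's code. It assumes the
caller has already run `aapt dump permissions <apk>` and captured the text.
Both the old (`uses-permission: android.permission.X`) and newer
(`uses-permission: name='android.permission.X'`) output shapes are handled.
"""
import re

# Permissions that expose business data to the app. The grouping is our own
# assumption for triage, not an official Android "dangerous" list.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "corporate address book",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_SMS": "SMS (including one-time codes)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage (documents)",
    "android.permission.GET_ACCOUNTS": "accounts configured on the device",
}

# INTERNET is a "normal" permission: granted silently, never prompted for.
NETWORK = "android.permission.INTERNET"

_PKG_RE = re.compile(r"^package:\s*(\S+)", re.M)
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?", re.M)

# Constructed sample, not a real app: a "flashlight" that wants contacts,
# location and network access.
SAMPLE_DUMP = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: android.permission.VIBRATE
"""


def parse_permissions(dump):
    """Return (package_name, [permission, ...]) from aapt text output."""
    pkg_match = _PKG_RE.search(dump)
    package = pkg_match.group(1) if pkg_match else "<unknown>"
    perms = _PERM_RE.findall(dump)
    return package, perms


def audit(dump):
    """Summarise which business data the app can read and whether it can
    also send it off the device (data permission + INTERNET)."""
    package, perms = parse_permissions(dump)
    findings = [(p, SENSITIVE[p]) for p in perms if p in SENSITIVE]
    return {
        "package": package,
        "findings": findings,
        "exfil_possible": bool(findings) and NETWORK in perms,
    }


def report(dump):
    """Human-readable one-paragraph summary for a device policy review."""
    r = audit(dump)
    lines = [f"{r['package']}:"]
    for perm, what in r["findings"]:
        lines.append(f"  reads {what} ({perm})")
    if r["exfil_possible"]:
        lines.append("  and has network access: this data can leave the device")
    elif not r["findings"]:
        lines.append("  no sensitive data permissions requested")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DUMP))
```

Run it against the text of `aapt dump permissions` for each app you intend to allow on corporate devices; anything that reports both a data permission and network access is exactly the case the paragraph above describes, and is where a policy decision is needed rather than a default allow.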
One week’s worth of news just goes to show that all information, irrespective of format or device, needs to be considered in data security audits and should be covered by policies that govern its access, usage, storage and disposal – even if it is easier said than done!
With the action easing up in Brazil this week you may have seen reports circulating about a malware attack on more than 1,000 energy companies across Europe and North America. The attack was carried out by a group of attackers known by the name of Dragonfly. Dragonfly have been in operation since 2011 and previously targeted defence and aviation companies in the USA and Canada.
Research carried out by Symantec found that Dragonfly turned its attention to energy companies in early 2013 and compromised around 1,000 strategically important organisations for espionage purposes. Dragonfly infiltrated these organisations using phishing campaigns: spam emails sent to senior executives with infected PDFs attached, giving the attackers a foothold on the network. Disturbingly, had they used the sabotage capabilities available to them, the group could have caused untold damage and disruption to the energy supply in the affected countries.
It is cause for concern that critical infrastructure could have been damaged or interfered with simply because staff were not cautious enough in their approach to suspicious emails. This attack goes to show just how important staff education about cyber-security is in protecting an organisation of any size. One uninformed employee can undo a whole security infrastructure – or even risk plunging people into darkness – with a single click.
A Ponemon Institute study released this week reported that only 16% of IT security professionals know where sensitive data is located on their organisation’s computer systems, leaving the overwhelming majority guessing where their data loss prevention efforts should be directed.
The study surveyed 1,587 IT security professionals whose jobs include helping protect sensitive or confidential structured and unstructured data; only 7% of respondents knew the location of all sensitive unstructured data, such as that held in emails and documents. Fittingly, not knowing where their organisation’s sensitive or confidential data is located was identified as the biggest worry for IT security professionals, eclipsing both hacker attacks and insider threats, and rightfully so!
It should go without saying that knowing where data is located is a prerequisite for sound IT security, but we know from our own experience that too often this isn’t the case. With the threat of data loss and cyber-attacks growing as more criminals become digitally savvy, organisations can ill afford to be unsure where data is stored and where their efforts to protect it should be focused. We’ve said it before, and we’ll no doubt say it again: the first phase of solid Data Loss Prevention is knowing where the data is.
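To make that first phase concrete, here is an added example of the discovery step (written for this post; it is not a Pentura product and not code from the Ponemon study): a scanner that walks a directory tree of unstructured files and reports which ones contain likely payment card numbers or UK National Insurance numbers. Card candidates are only reported if they pass the Luhn check, so a 16-digit order reference does not show up as a false positive. The file contents and directory layout are constructed sample data, and the NI-number pattern is a prefix heuristic, not a full validity check.

```python
"""Find files holding likely card numbers or UK NI numbers.

Added example for this post, not Pentura's DLP tooling. Patterns are
heuristics: the PAN match is confirmed with the Luhn checksum, the NI
number match only applies the prefix-letter rules. Sample files are
constructed here so the script runs offline.
"""
import os
import re
import tempfile

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# UK National Insurance number, e.g. "AB 12 34 56 C". First two letters
# exclude D, F, I, O, Q, U, V (second letter may still not be O; not
# enforced here, this is a triage heuristic).
NI_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")

# Constructed sample tree: one genuine card number, one NI number, one
# 16-digit reference that fails Luhn, and one harmless file.
SAMPLE_FILES = {
    "finance/refunds.csv": "customer,card,amount\nJ Smith,4111 1111 1111 1111,12.50\n",
    "hr/starter.txt": "New starter: NI number AB 12 34 56 C, start Monday.\n",
    "ops/orders.log": "2014-06-20 order ref 1234567890123456 dispatched\n",
    "README.txt": "Nothing sensitive here.\n",
}


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return normalised (digits-only) card numbers that pass Luhn."""
    found = []
    for raw in PAN_RE.findall(text):
        digits = re.sub(r"[ -]", "", raw)
        if luhn_ok(digits):
            found.append(digits)
    return found


def classify(text):
    """Count each kind of sensitive item found in one file's text."""
    hits = {}
    pans = find_pans(text)
    if pans:
        hits["pan"] = len(pans)
    nis = NI_RE.findall(text)
    if nis:
        hits["ni_number"] = len(nis)
    return hits


def scan_tree(root):
    """Map relative file path -> hit counts, for files with any hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as f:
                    text = f.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = classify(text)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                results[rel] = hits
    return results


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)


def demo():
    """Build the sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

Pointed at a file share instead of the temporary sample tree, `scan_tree` gives the inventory the survey respondents were missing: which paths actually hold regulated data, and therefore where encryption, access control and retention policy need to be applied first.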
The full story can be found here.
You may have seen this week’s news that 600,000 customer records were stolen from pizza chain Domino’s, yet again raising questions about just how seriously large corporations and big brands are taking data protection. It is the second time in less than a month that we have seen customers’ personal details compromised after the records of 145 million people were affected by a breach of eBay’s networks.
For a period hackers had turned their attention away from big businesses, which were seen as too tough a target, towards smaller and less well-resourced organisations. It would appear, however, that larger organisations grew complacent about their security practices during that period, and hackers have been quick to refocus their efforts on big, data-rich organisations.
Although it is not yet certain exactly which records have been affected, it is staggering that the personal details of so many customers were seemingly left unencrypted and susceptible to this kind of attack, especially when you consider the warning shots fired by previous high-profile breaches. The possibility that a large organisation could even consider leaving customer data as plain text on a server is surprising to say the least.
Businesses of all sizes should be reviewing their data handling and storage practices as a matter of urgency in the coming days and weeks, to ensure that they are not unwittingly offering an easy target for hackers. You can find a more detailed comment on this from Pentura MD Steve Smith on the security portal Net Security, here.
We are proud to announce this week that Pentura has been named as an accredited security provider under the recently launched Cyber Essentials Scheme. Launched last week by the UK Government, with CREST acting as an accreditation body for assessors, the scheme is part of the UK Government’s National Cyber Security Strategy and provides an independent assessment of the essential security controls that organisations need to have in place to mitigate risks from internet-borne threats. This covers internet-connected end-user devices such as desktop PCs, laptops, tablets and smartphones, and internet-connected systems including email, web and application servers.
Announcing the launch Universities and Science Minister David Willetts said: “We already spend more online than any other major country in the world, and this is in no small part because Britain is already a world leader in cybersecurity. Developing this new scheme will give consumers further confidence that business and government have defences in place to protect against the most common cyber threats.”
In essence it represents a baseline standard that all organisations should look at meeting, and it has been designed specifically with smaller organisations in mind. Given the ongoing battle against large-scale malware campaigns such as Zeus and CryptoLocker, the scheme will hopefully give both consumers and businesses further confidence that the organisations they deal with have appropriate security measures and defences in place to protect against cyber threats.
If you are interested in an assessment, or getting help in improving your organisation’s security stance, please contact us: firstname.lastname@example.org
You may have seen this week that Dropbox links have become the latest vector for phishing and malware attacks aimed at harvesting user credentials and valuable business data. Given how widely Dropbox is used for business file storage and sharing, this is hardly shocking. What may be more surprising is that these latest attacks can be identified, and prevented, fairly easily if staff are made aware of the potential threat. This once again highlights the importance of user education in reducing the risk of breaches, as Pentura managing director Steve Smith comments in the article.
Whilst staff training and awareness of cyber-security threats have undoubtedly improved, a common mistake is to treat them as a one-off box-ticking exercise rather than a continual process.
Incidents such as these demonstrate that a continual awareness programme can be as effective a line of defence as the multitude of software products organisations deploy. Furthermore, they bring home that a lack of security awareness amongst staff can easily undermine every other layer of defence, and is potentially just as dangerous as the attacks themselves.