Posted by Vito Nozza on Aug 11, 2020 10:00:00 AM
Who moved my cheese… and my data?
From as far back in history as the Wild West, banks have been under constant theft, with money as the prime target. Gunslingers were robbing banks and stage coaches in hopes of a big payday. Fast forward to the 21st century and that trend has died down, because there is too much risk—for the criminal. That risk is mitigated for the criminal when they can infiltrate a financial institute, a healthcare entity, or perhaps a big casino’s data, all from the comfort of their keyboard. Welcome to the new world, where the new monetary value is no longer paper-based, but 1s and 0s: data.
So, we ask ourselves, what is it that we need to protect—and, ultimately, how do we do it? How do we ensure the privacy and security of our information stays intact? At the same time, how do we ensure that the data is available to our clients (both internally and externally) exactly when it is required?
Today’s biggest threats are ransomware, other malware, and the inability to continue business as usual. Unless you have been living under a rock, you have undoubtedly heard of the uptick in ransomware attacks that every industry industry is facing on a daily basis. Attacks are not vertical-specific, and no one is immune. During these troubled times of a global pandemic, cybercriminals are taking full advantage of public doubt and fears by pinpointing research, healthcare, and financial information to exploit.
What can be done to mitigate the risk of data loss, ransomware encryption, or a disgruntled employee exfiltrating information out of the company to fulfill their own motives? Let’s discuss Data Loss Prevention, or DLP for short, and how this 3-letter acronym has saved many a company’s information.
Now please understand, DLP is NOT one product or one solution, but multiple facets of various products working together for the one common goal of protecting your data’s confidentiality, integrity and availability (CIA). DLP encompasses three directives of your data:
- How is it being used?
- How is it being stored (rest)?
- While in transit, how is it being secured?
Data in Use
Let’s start off with the “in use” pillar of DLP. When private information is provided to a company by an individual, we call that Personal Identifiable Information (PII). This data can be used by nefarious individuals to piece together information on your client(s) and create attack vectors much more easily than by other means.
Here comes the privacy factor and, of course, the compliance issues that arise when private data is not properly handled. Who has access to this data? What have they done with this data while working on it? Did this data lose its integrity (that is, our confidence in its accuracy) and is therefore now in doubt? Was the data copied in an unauthorized manner, for the explicit action of communicating details of an individual to others? What data visibility tools are present in the environment, to be proactive in nature and stop these attempts?
In short, data handling has become such a big topic with regulatory bodies that Breach Notification laws have been put in place in every state and at the federal level, for the single reason of regulating how compromised data communication is handled.
So, what measures do you have in place to avoid state and federal fines?
Data at Rest
Data at Rest is the next pillar of DLP. It requires you to ensure data is not accessible in a clear format, should it be stolen. Encryption of information is the easiest way to mitigate these kinds of risks, but that is only the half of it. Here, the Availability factor of the CIA triad comes into play. If your stored data is not accessible to authorized users, then what good is it? How is your business continuity affected if data that is required to service your clients, patients, or partners is not readily available? Business, financials, and even lives could be at risk if the proper data is not accessible when required.
Too many companies do not know how to mitigate loss of data risk in this format. Some lose the private keys required to de-encrypt their own data. Some have become complacent to the fact that their business continuity and disaster recovery program is years old, with little testing completed. All these factors make it painfully clear that although the data is located somewhere, it might not available.
Data in Transit
Lastly—and probably one of the more relevant pillars of DLP—is how data is protected, secured, and ultimately kept private while in motion. In today’s world of remote worker expansion, many data compromises have begun at the home while information was being transmitted between colleagues on unprotected media. For example, how is my information being protected when a doctor is discussing my chart with a specialist on the other side of the country? Not only were files sent in an unsecured fashion, but the media streams flowing back and forth are now subject to eavesdropping, unbeknownst to the participants. Are defaults on my router and video conferencing platform allowing this? Has there been a man-in-the-middle attack that has spoofed my conversation and directed traffic to an alternate location? Perhaps an app or a malware-infected URL was downloaded and created all this organized chaos?
A Holistic Approach to DLP
DLP is not a one-time solution that only focuses on one aspect of data privacy. It is a holistic measure required to understand your security and privacy threats. What laws are required to be followed when handling private user information? Have compliance measures relating to the handling of such data been invoked into your ecosystem, especially during these troubled times? Have you created a Data Classification Program to identify the crown-jewel data assets residing in your infrastructure? When was the last time you had a Risk Assessment—which should be performed at least annually—to understand the risks, vulnerabilities, and exposures that exist in the current environment? How about a Controls Assessment to set the right amount of security for each data class in your enterprise? Finally, if a Business Continuity Disaster Recovery (BCDR) program does exist, has the proper testing been conducted to reflect current threats and risks? Remember, these threats can change quickly through time due to digital transformation measures or business-driven decisions.
At ConvergeOne, we have helped many clients across many verticals create a Data Loss Prevention Program, which is evolved and strengthened through our lifecycle optimization process. If you want to have greater peace of mind both from a compliance factor and a privacy initiative, then reach out. We are here to help.
[WHITE PAPER] THE CISO'S PERSPECTIVE: LESSONS LEARNED + ACTIONS TO TAKE DURING COVID-19
Security leaders must review their cybersecurity posture knowing that remote work introduces security concerns different from on-premises concerns. Given the already-expanded attack surface, it is never too early to look at lessons learned from the pandemic—and there certainly isn’t a shortage of teachable moments, right from the top down.
This white paper by ConvergeOne's Joe Vigorito, Senior Director, Cybersecurity Lifecycle Consulting, shares eight lessons and six action items for Directors of Security and CISOs whose organizations and livelihoods have been imperiled by the pandemic.