How to Protect Yourself from Data Leaks
By William R. Pardi
March 22, 2021
When a customer authorizes a company to use and store their personal information, no matter how many conditions are agreed to or what kinds of promises are made, the transaction always boils down to trust. A client is trusting an organization to protect and responsibly manage their information. Unfortunately, either through persistent, well-planned efforts from attackers or complacency and negligence on the part of the organization, data leaks will inevitably occur. Data leaks can take many forms, but at their simplest they occur when private information is disclosed to unauthorized third parties. The consequences can be catastrophic for both an organization and those whose information is leaked, as private information such as financial and medical data may have been exposed to malicious actors. Due to the increasing severity of data breaches, building a plan and taking measures to prevent them has now become essential for any organization that stores personal data.
To understand just how severe this issue is, according to this article by Varonis, in 2018 alone the United States saw 1,244 data breaches that exposed 446.5 million records of personal information. The largest single breach of all time occurred when information held by Yahoo was leaked, compromising about 3 billion accounts in total. Other large companies, such as Facebook and Marriott International, have fallen victim to severe data breaches as well, both exceeding 500 million user records compromised. What’s worse, according to some highlights from this article by IBM, the average cost of a data breach is 3.86 million dollars, with an average lifecycle of 280 days to identify and contain the breach.
Data breaches can happen to any company of any size. While a large company holding massive amounts of data may be the most tempting target for attackers, even a small organization with a relatively low amount of stored or handled data might still make an enticing target, especially if proper security measures aren’t in place or the data is otherwise vulnerable. There are several methods of defense that could be employed to secure an infrastructure against such attacks. This can mean securing systems and educating employees, but also creating a plan and assembling an incident response team to contain a breach in the instance that one occurs.
There are countless assets within a business that need to be secured. Covering all of them requires a dedicated inventory of all resources, as well as a risk assessment specific to each business, in order to inspect every vector through which data might be leaked. However, there are some basic guidelines on what should be considered to shut down avenues for data leaks, which can still be helpful if a more in-depth assessment hasn’t yet been conducted.
Left unsecured, some of the most important assets within an organization, the devices themselves, present huge risks of data leakage. Risks can stem from unsecured servers, workstation computers, and even printers. Databases that are not properly administered can provide troves of information to attackers and therefore need to be protected in a way that matches the security requirements of the information they store. For example, all databases should have access restricted to only verified admins and applications, and databases storing highly sensitive or proprietary information should be strongly encrypted. While encrypting all information would be optimal, in some instances it is too resource intensive, and companies will need to use their discretion as to what information should be encrypted.
Employee workstations and devices should also have policies in place to ensure unauthorized access is denied. Up-to-date antivirus solutions and software should be implemented, along with access controls, and an intrusion prevention system (IPS) should be active to monitor network activity on a specific LAN. Logs on all of these devices should be maintained so that any attempt to steal information can be traced back to its source. Other devices, such as printers, also need to be secured and monitored to prevent and discourage data leakage. Certain technologies, such as P2P file sharing services, should be avoided altogether.
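The two points above, restricting database access to verified admins and applications and keeping logs so an access can be traced back to its source, can be checked together by reviewing access logs against an allow-list. The following is an added example, not code from the original article: the log format, database name, principals and hosts are all constructed for illustration.

```python
"""Audit constructed database access-log lines against an allow-list of
approved principals (the article's "verified admins and applications") and
report every access from anyone else, keyed by user and host so the
finding names the source. Every name, host and log line is constructed."""
import re
from collections import defaultdict

# Approved principals per database (assumed for this example).
APPROVED = {
    "customer_db": {"dba_alice", "svc_billing_app", "svc_crm_app"},
}

# Constructed log lines in a simple "time user@host db action rows" form;
# the last line is deliberately malformed to show it is skipped, not crashed on.
SAMPLE_LOG = """\
2021-03-22T09:01:10Z dba_alice@10.0.5.11 customer_db SELECT rows=12
2021-03-22T09:02:44Z svc_billing_app@10.0.7.20 customer_db SELECT rows=300
2021-03-22T09:05:03Z intern_bob@10.0.9.77 customer_db SELECT rows=45000
2021-03-22T09:05:09Z intern_bob@10.0.9.77 customer_db SELECT rows=45000
2021-03-22T09:06:51Z svc_crm_app@10.0.7.21 customer_db UPDATE rows=3
2021-03-22T09:07:30Z svc_printer@10.0.3.5 customer_db SELECT rows=2000
this line is garbled and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>[^@\s]+)@(?P<host>\S+) (?P<db>\S+) "
    r"(?P<action>\S+) rows=(?P<rows>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None for a malformed one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    return rec

def find_unapproved_access(log_text, approved=APPROVED):
    """Group accesses by non-approved principals under (user, host, db),
    counting events and rows touched so the volume of exposure is visible."""
    findings = defaultdict(lambda: {"events": 0, "rows": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["db"] not in approved:
            continue  # malformed, or a database with no allow-list to check
        if rec["user"] in approved[rec["db"]]:
            continue
        key = (rec["user"], rec["host"], rec["db"])
        findings[key]["events"] += 1
        findings[key]["rows"] += rec["rows"]
    return dict(findings)

if __name__ == "__main__":
    for (user, host, db), info in find_unapproved_access(SAMPLE_LOG).items():
        print(f"{user} from {host} touched {db}: "
              f"{info['events']} events, {info['rows']} rows")
```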
Connections to all of these devices also need to be secured. Encryption should be implemented for most connections, and VPNs and IPsec should be in place for remote access to critical resources. Servers should only accept HTTPS connections with valid TLS/SSL certificates and have unused ports closed to external traffic. A demilitarized zone (DMZ) outside the LAN should be created to house certain devices such as mail servers, with an outer (weak-side) firewall filtering content coming from the internet to the server, and an inner (strong-side) firewall further filtering content passing from the server into the LAN.
To combat security breaches, a Computer Incident Response Team (CIRT) should be created, with an accompanying plan for a variety of different breaches, including containing a data leak. When rolling out applications, other experts, such as penetration testers and threat hunters, should be employed to find vulnerabilities within the application before it is deployed, mitigating risks such as zero-day exploits. However, even with proper device and network security controls implemented, such mitigations are pointless if employees and personnel are unaware of best practices and policies, as 95% of security breaches are caused by human error.
Insider threats are a major concern, and even simple mistakes from uneducated employees can be a dangerous source of leaks. An example would be an employee who lacks knowledge of how phishing campaigns operate and ends up clicking a link that sends them to a malicious website with drive-by malware. The phishing threat must not be underestimated: according to statistics compiled by Varonis, phishing campaigns account for 80% of reported security incidents and cost an estimated $17,700 every minute. Uneducated employees may not know the proper precautions that need to be taken when handling sensitive data, or how dangerous it can be if they leave their work devices vulnerable. To avoid such issues, it is absolutely critical to have mandatory employee cybersecurity education on a regular basis, as even if employees understand potential risks, complacency on their part may undermine mitigations.
Education alone, however, will not mitigate a malicious insider, such as a disgruntled employee or someone engaged in corporate espionage. To further counter threats from within, administrative controls also need to be established. These controls ensure that principles such as least privilege and separation of duties are followed. Least privilege is the idea that personnel have only as many privileges as they absolutely need to fulfill the requirements of their roles. This prevents employees from having access to resources they could abuse, accidentally or intentionally. Separation of duties is the concept that a single employee doesn’t have all of the access to and control over a single resource, which would make them a single point of failure should they become compromised or have malicious intentions. To enforce this, a company would designate several employees to be cross-trained and rotated through a specific, critical position. To emphasize why these principles should be enforced, data derived from the aforementioned compilation of statistics by Varonis indicates an average of 11 million files in total are available to all employees within an organization, with another compilation claiming 53% of organizations found 1,000 sensitive files available to every employee.
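Both principles can be checked mechanically against an access-control matrix, which is how the "files available to every employee" figures above are found in practice. The following is an added example, not code from the original article: the groups, users, resources and the pairs of duties treated as conflicting are all assumed for illustration.

```python
"""Audit a constructed access-control matrix for the two principles the
article describes: least privilege (sensitive resources reachable by a
broad group such as all employees) and separation of duties (one person
holding every step of a critical process). All data here is constructed."""

# Group membership and which groups are granted each resource (constructed).
GROUP_MEMBERS = {
    "all_employees": {"alice", "bob", "carol", "dave"},
    "finance": {"alice", "bob"},
    "dba": {"carol"},
}
RESOURCE_ACL = {
    "payroll_export.csv": {"all_employees"},   # over-shared on purpose
    "customer_db_backup": {"dba"},
    "board_minutes.docx": {"finance"},
}
SENSITIVE = {"payroll_export.csv", "customer_db_backup", "board_minutes.docx"}

# Who currently holds each duty, and which pairs one person must not combine.
DUTIES = {
    "request_payment": {"alice", "bob"},
    "approve_payment": {"alice"},
    "take_db_backup": {"carol"},
    "restore_db_backup": {"carol", "dave"},
}
CONFLICTING_PAIRS = [("request_payment", "approve_payment"),
                     ("take_db_backup", "restore_db_backup")]

def users_with_access(resource, acl=RESOURCE_ACL, groups=GROUP_MEMBERS):
    """Expand the group grants on a resource into the set of individual users."""
    return set().union(*(groups.get(g, set()) for g in acl.get(resource, set())))

def least_privilege_findings(max_users, sensitive=SENSITIVE,
                             acl=RESOURCE_ACL, groups=GROUP_MEMBERS):
    """Sensitive resources readable by more than `max_users` people."""
    counts = {r: len(users_with_access(r, acl, groups)) for r in sensitive}
    return {r: n for r, n in counts.items() if n > max_users}

def separation_findings(duties=DUTIES, pairs=CONFLICTING_PAIRS):
    """Users who hold both halves of any conflicting duty pair."""
    result = {}
    for a, b in pairs:
        overlap = duties.get(a, set()) & duties.get(b, set())
        if overlap:
            result[(a, b)] = sorted(overlap)
    return result

if __name__ == "__main__":
    print("over-shared:", least_privilege_findings(max_users=2))
    print("duty conflicts:", separation_findings())
```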
While both principles will help contain data leaks, employees need to be screened before taking their positions to ensure that they are trustworthy. Background checks will help scan for a history of cybercrime, affiliations with rival companies that may want to plant an insider, as well as any other actors such as domestic and foreign terrorists seeking to cause disruption. While whistleblowers may also be considered a ‘threat’, the best way to prevent a data leak of that nature is to ensure that the organization refrains from partaking in unethical, unsafe, or illegal activities.
No matter what the threat to an organization is, be it inside or outside the organization, accidental or intentional, it may very well be impossible to completely guarantee a data leak will never occur. Despite this, the threat can be greatly reduced if untrained employees don’t have access to critical resources and defenses are in place to counteract even the most skilled hackers, leaving large, extremely well-equipped organizations or severe disasters as the only viable threats. Accomplishing this, however, will require diligent planning, intensive monitoring, and continually updating software and systems within the organization. If an organization finds it isn’t completely equipped to deal with the threat of data leaks, it may need to consider seeking external assistance. Organizations such as humanID are well-equipped to avoid data leaks altogether, and if implemented as a login solution, can remove the burden of securely storing user passwords and other credentials, thus eliminating a major source of data leaks.