You don’t have to go very far back in living memory to think of a data breach that impacted a UK company or its customers: Carphone Warehouse, TalkTalk and Dropbox are just a few of the more recent large attacks that have taken place. We hear about these household names because millions of records are taken in each incident, often causing the company involved a lot of financial and/or reputational damage.
Attacks on sites sometimes occur simply for the hacker’s thrill, other times it is to hide malware, gain specific information, or just steal whatever they can get their hands on. What is less well known is that large companies, with data such as credit card details, addresses and passwords, all of which can be sold on the dark web to help criminals commit identity theft and fraud, are not the sole targets.
Smaller companies are just as likely to be attacked, precisely because the intention of a hacker is not always to gather millions of records from a single target, particularly when they can use malware to gather a steady stream of information, undetected, for years. This should be of particular concern for the legal sector, where the protection of client and case data is critically important, possibly even the protection of client identities in some cases. The lure of a high profile public figure or individual linked to an inflammatory issue, may be enough of a prize for a hacker, never mind a sponsored targeted attack from an interested third party.
Research conducted by OnePoll, which spoke with 1,000 employees and 250 IT managers, found that 23% of IT managers stop a data breach of some kind, every day. A data breach can be the result of an attack on the network, or an employee inadvertently sending or taking information out of the corporate network without adequate care. One of the key challenges for managing the risk from data breaches is to acknowledge that it is not always someone on the outside trying to extract data.
Surprisingly, 41% of employees in the same survey believe IT security is solely the IT department’s responsibility – with only 37% saying they also have a role to play in IT security. IT managers were not necessarily surprised by that figure, given they rated employees as the second biggest risk behind hackers to security (24%). Employees agreed with IT managers that they were a risk, with 17% freely admitting they are “somewhat likely” to open an attachment from an unknown sender. This is a worry because it only takes a single action by one employee to potentially give a hacker a username/password combination they can use to impersonate an employee, or allow them to place malware on the corporate network.
This survey data highlights why IT and employees need to work together to protect any organisation that holds information they would not want to get into the wrong hands, or is the property of clients and partners.
Education, education, education
Education is essential, and whilst many IT departments believe they have this covered it’s important to consider whether you have told employees why they need to do things in a certain way, rather just than issuing rules. IT departments can implement all the perimeter security and antivirus tools in the world, but as we saw from the survey, two in every 10 of your employees are still likely to open e-mails they shouldn’t, and that is just one example.
One of the best things an IT department can do is enforce good password policies, and discourage employees from using passwords that are similar (or the same) as those they use for personal accounts. Enforcing regular password changes can also make a big difference in the fight against data breaches. If a user has a personal e-mail account password stolen outside of work, without these policies, it would be easy for a hacker to access their e-mail, establish where they work, and then they are straight into your network.
All the firewalls in the world can’t overcome the fact that human error can carve a huge hole to the heart of a business, whether losing a device, or becoming a victim of a phishing or malware attack. Any organisation handling legal material needs to be prepared for the inevitability of an attack. One way to think about this is to assume the hacker has got on, how do you protect the valuables at that point, even if they download them to another location. The primary concern should be protecting data at its source.
Protect data at its source
Any data that you would fear losing, or is sensitive in any way, should always be encrypted at the end point in the organisation. This can also be used to ensure that when data leaves the organisation it remains encrypted wherever it goes, by enforcing a security policy that requires it. Because you own and control the encryption keys on a centrally controlled key server – access to the files remains completely under your control: Wherever it goes, on any device. With centrally controlled encryption, it is also possible to ensure that files are only readable by certain individuals, thus helping a company enforce both regulatory and governance requirements.
But there are other examples where it is helpful. If an employee leaves the practice, or you stop working with a specific partner organisation, access can be instantly terminated. Without encryption users would retain access to those files, and the practice would have no way of removing them from devices. Using centrally managed encryption, access can be removed in the policy engine; the user instantly loses the ability to decrypt and read the files.
The Dropbox hack, is another prime example. If your company wants to use third party cloud storage services, it is critical to use solutions where encryption keys are always in the control of the organisation, rather than the cloud service. This adds yet another level of protection should a breach of usernames/passwords occur at a 3rd party cloud service provider. A hacker will not be able to read the files they can see.
These are just some of the reasons why it’s important that organisations enforce encryption automatically through their security policy to help avoid disaster. Encrypting at the source may not stop a hacker from gaining access to sensitive data, but it is the last line of defence against human error and the complexity and distributed nature of modern IT systems.
Here I have described some process and technology approaches to dealing with the inevitability of data breaches. They key thing to remember is that assuming it will happen, is the best way to prepare, encryption is the last line of defence for your sensitive practice data, but ultimately it is one component of a wider strategy that depends on employees and employer taking responsibility for the protection of IT systems and the information they contain.
Mark Hickman is chief operating officer at data security solutions provider WinMagic