Misha Glenny famously said: “There are two types of companies in the world: those that know they’ve been hacked, and those that don’t.” In the last 12 months, I’ve realised he’s 100% right.
Even allowing for how ‘hot’ IT security is currently, there’s been an overwhelming number of data breaches in recent months and years, amplified by the fact that Yahoo hasn’t been out of the news all year over breaches going back to 2013.
The one that really reinforced Glenny’s beautifully poignant phrase for me happened in February 2016. It’s so significant that, had it happened just 5 years earlier, it would have been front page news for weeks, purely because it sounds like something out of a Hollywood movie script from the mid-90s.
When a hacking group posted the personal details of 30,000 people who worked for both the FBI and Department of Homeland Security, it symbolised just how much IT security had changed. It’s when I truly got a flavour for how significant this issue was in practically every organisation in the world.
So if it happens to everyone at some point, what’s the plan? Well, you could just roll over, drop your guard completely and give in to the rogues. That probably wouldn’t be wise though. As any decent security contractor will tell you, you can follow all the guidance in the world and nothing will give you guaranteed security and protection from threats. That doesn’t mean you shouldn’t do everything in your power to prevent it, though. Taking measures to stop it from happening will at least reduce the frequency and severity of breaches, and you never know – you may just go many years without a significant one.
That’s where this article is coming from. All challenges acknowledged, how do you give yourself the best possible chance of avoiding a data breach, the fines that can go with it and the throbbing, unrelenting headache that comes from having to endure a PR disaster? Here are our top 5 blind spots when it comes to data security.
You ignore the feet on the street
If you asked Chief Information Security Officers to break down their IT security spending by category, the end numbers would be huge. There’s literally no expense spared on the latest innovations in firewall tech, intrusion detection, backup and recovery and anti-virus.
Having the right technology stack to prevent and recover from a security breach is definitely important, but it can sometimes create a false sense of security within an organisation.
As cyber security expert Jay Abbott eloquently puts it: “Random people wearing high viz jackets confidently breezing past reception on a made-up claim that they’re fixing the air conditioning is a real and present threat that can’t be solved with flashy tech.”
Companies may spend a lot on the tech side of things and have started to back that up with training. But often the ‘cyber awareness’ training is applied generically to everyone in the organisation and doesn’t account for the raw human traits that can be easily exploited. The overwhelming majority of people don’t want to upset people, appear rude, seem like they don’t know what they’re doing, or make a mistake. These are core human instincts that are very difficult to condition people out of with meditation and therapy, let alone in an hour’s generic cyber security training.
What you can do
Invest in some proper training for key people. And ‘key people’ isn’t just the IT security professionals. Think about your reception team. Also think about your security provision. Quite often, security staffing is provided by temp agencies. Make sure that, whether they’re agency staff or not, your security and reception teams (including those that do holiday cover) are individually trained with role play scenarios and situational awareness to understand the social engineering side of things. It’s not something that traditional classroom-based training will be able to prepare your people for. The training programme should also run with some degree of regularity, rather than being a ‘once every few years when we have an audit coming up’ type thing.
You’re not encrypting
8 years on from the release of the original Government Security Framework, amazingly there are a boatload of education and public sector organisations that still aren’t encrypting their data.
The then Labour Government set out this Framework on how things are done for the first time in 2008. From my experience, compliance in the general public sector is pretty good, with a limited few that aren’t doing it right. That, considering how long the guidance has been out there, again shows just how long it can take to procedurally and culturally change the way things get done.
The worst culprit by far is education. At around the same time as the Government Security Framework was penned, the now-obsolete but highly regarded BECTA released very well publicised guidance for schools entitled “Keeping data safe, secure and legal”. Again, despite clear guidance having been available for many years, there are still probably hundreds of thousands of devices out there in education that don’t have the right disk encryption in place.
I really thought things would improve when BitLocker started shipping with the Microsoft operating system (it first shipped with Vista; unfortunately few would have known!). It took away the need for organisations to think too much about encryption: it could be set up automatically as part of the imaging process and controlled through Group Policy as part of a new device rollout. There had previously been many software and hardware disk encryption products, some of which were quite costly and complex to operate. Microsoft had just solved the device security challenge (or so I thought). But it wasn’t to be.
Point 46 of the most recent Government Security Classifications (April 2014) is very clear that encryption is expected as a matter of course when data is at rest on a laptop or tablet:
“Information in transit should be protected by default, unless there are sensible business reasons where this is not appropriate and the business can tolerate the risk. In practice, use of encryption would be expected to secure (for example) the following information exchanges:
OFFICIAL data at rest on End User Devices and removable media;”
Still today, the majority of devices that we ship to education don’t have the relevant encryption in place. Granted, some will be sorted by the IT team locally on-site. Some won’t. That’s despite Windows BitLocker being licensed and available to practically all of them for no extra investment each year.
What you can do
This is a simple one. You need to ensure that all data at rest on data-bearing devices that aren’t physically located in a government-level data centre is suitably encrypted. For data classified as OFFICIAL, Foundation Grade encryption is specified in the Government’s classifications document.
BitLocker doesn’t formally hold Foundation Grade certification, but CESG has issued written confirmation that it provides protection as good as the level required by that standard.
To confirm: for information held at OFFICIAL or OFFICIAL SENSITIVE, you can use Windows 10 BitLocker to encrypt data at rest. You’ll need to make sure it’s configured as per the guidelines set out by Government at https://www.gov.uk/government/publications/end-user-devices-security-guidance-windows-10/end-user-devices-security-guidance-windows-10
For anything at SECRET or TOP SECRET level, Becrypt DISK Protect Enhanced is a software encryption product that’s been around for years and is trusted by many of the globe’s most secure organisations, including military and anti-terrorism police. It’s the one we always recommend.
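A quick way to find the devices described above that ship without the relevant encryption is to audit BitLocker state on each machine. The script below is an added example, not part of the original article or any Government guidance; it assumes the Windows 10 BitLocker PowerShell module and an elevated session, and the specific checks (TPM-based protector on the OS volume, a recovery password protector present so it can be escrowed) are this example’s own interpretation of a sensible baseline rather than a quotation of the guidance.

```powershell
# Added example: report fixed volumes that would leave OFFICIAL data at rest unprotected.
# Assumes Windows 10 with the BitLocker module (Get-BitLockerVolume) and admin rights.
$findings = @()
foreach ($vol in Get-BitLockerVolume) {
    # Only OS and data volumes hold data at rest; skip anything of unknown type
    if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

    $problems = @()
    if ($vol.ProtectionStatus -ne 'On')           { $problems += 'protection off' }
    if ($vol.VolumeStatus -ne 'FullyEncrypted')   { $problems += "status $($vol.VolumeStatus)" }

    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
    # OS volume should be unlocked by the TPM (optionally with a PIN), not a bare password
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
        $problems += 'no TPM protector'
    }
    # A recovery password protector must exist so it can be escrowed (e.g. to AD or MDM)
    if ('RecoveryPassword' -notin $types) { $problems += 'no recovery password protector' }

    if ($problems.Count -gt 0) {
        $findings += [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Volume   = $vol.MountPoint
            Type     = $vol.VolumeType
            Method   = $vol.EncryptionMethod
            Issues   = ($problems -join '; ')
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "$env:COMPUTERNAME: all fixed volumes fully encrypted with protection on" }
```

Run it across the estate with Invoke-Command and collect the objects centrally; an empty result for a device means every fixed volume passed all four checks.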
The insider threat
Another data breach blind spot is the insider threat. A 2015 study by Intel Security found that 43% of data loss can be attributed to internal employees.
There’s a real contrast here between the data that’s lost in internal breaches when compared to the data lost in external breaches. Internal breaches tend to result in employee data being compromised, whereas external breaches tend to result in the leak of customer data. They’re both the same in the eyes of the law and neither data set is something that any organisation would ever want to be in the public domain.
Most of the time, internal data breaches are the result of negligence or incompetence. Where there is malice behind an act, there is usually a specific intent: taking employee information for recruiting purposes, say, or a rogue salesperson joining a competitor and wanting to take their customer address book with them.
What you can do
In the last few years, we’ve seen the emergence of a whole new type of software that’s designed to combat this issue head on – Data Loss Prevention Software.
There are a number of different vendors out there in the market. They broadly fall into two categories: Endpoint DLP (EDLP) and Network DLP (NDLP).
EDLP sits on the endpoint and monitors files in real time as changes are made. It can trigger alerts for an IT administrator and also gives full visibility of copy-and-paste activity and of writes to removable media like USB or DVD.
Your organisation will still be protected whether the device is on the network or not, so even if an employee’s in a coffee shop, their device and your data are still protected. That said, it does require more maintenance and an agent on each device, which, depending on your end user device management strategy and the geographical spread of your people, can be a bit of a drag.
NDLP on the other hand can be activated for each user without having to get involved at the individual device level. Either a physical or virtual machine runs the software at a network level and as data moves each way it enforces policies that are created and managed by the organisation. When a user tries to email sensitive information, or shares information through a file sharing site or social media, the administrator can enforce specific policies like blocking, putting it in quarantine, notifying the user or encrypting.
This obviously means the device enrolment strategy needs to be watertight as these policies would only be enforced if devices are connected to the network or VPN.
Ultimately then, the decision on which is most suited comes down to the level of existing control your organisation has over your device estate, policies on network access and the geographical spread of your people.
Quite often the picture of the hooded bloke in a darkened room purposely reaching out and trying to hack into your network is what has many IT admins thinking about their network in a specific type of way. Nowadays, these operations are a lot more business-like. Quite often it’s a volume play – and with ransomware attacks against businesses reportedly increasing from one every two minutes to one every 40 seconds between January and September 2016 – we’re into uncharted territory.
Within the workplace, a simple Excel attachment named “Salaries 2017” would be enough to entice a click from practically anyone within any organisation and that’s all it would take to run a script and create a secure, authenticated backdoor into the company’s network. If you have control over a user’s machine and they’re authenticated to the network, that makes a malicious attacker authenticated to the network.
Then there’s ransomware, where large amounts of data are held hostage and offered back in return for cash, and targeted phishing scams where users unknowingly hand over their login details to the cloud storage providers that hold company information – it’s all going on.
What you can do
Having an enterprise anti-virus system that is strictly enforced on all client devices as part of a wider end user device management strategy is key. We come across so many organisations that put anti-virus software on every client device but never set policies around updates to the threat database. This renders the software practically useless, considering the hordes of new threats that are identified each month.
Updates and patch management for all of the on-premise software used across the organisation should also be factored into the wider management of operating systems. This helps to prevent malicious attackers taking advantage of system vulnerabilities and backdoors.
Most organisations will have some sort of web filtering system in place. This also needs maintaining, to aid in the fight against web-borne viruses and scams.
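The ‘anti-virus installed but threat database never updated’ gap described above is easy to detect once you decide on a maximum acceptable signature age. The script below is an added example, not from the original article; it assumes Windows Defender on Windows 10 (the Get-MpComputerStatus cmdlet) and the built-in Get-HotFix cmdlet for the last installed OS update, and the 3-day and 45-day thresholds are assumed policy values to tune to your own.

```powershell
# Added example: flag a Windows device whose AV signatures or OS patches are stale.
# Assumes Windows Defender (Get-MpComputerStatus); other AV products expose similar status
# through their own tooling. Thresholds are assumed policy values, not from any standard.
param(
    [int]$MaxSignatureAgeDays = 3,
    [int]$MaxPatchAgeDays     = 45
)

$status = Get-MpComputerStatus

# Most recent OS update that records an install date; some entries have none, so filter them out
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$patchAge = if ($lastHotfix) { (New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days } else { $null }

$issues = @()
if (-not $status.AMServiceEnabled)          { $issues += 'AV engine service not running' }
if (-not $status.RealTimeProtectionEnabled) { $issues += 'real-time protection disabled' }
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    # This is the case the article describes: AV present, but the threat database has gone stale
    $issues += "AV signatures $($status.AntivirusSignatureAge) days old (last updated $($status.AntivirusSignatureLastUpdated))"
}
if ($null -eq $patchAge) {
    $issues += 'no OS update install date recorded'
} elseif ($patchAge -gt $MaxPatchAgeDays) {
    $issues += "last OS update ($($lastHotfix.HotFixID)) installed $patchAge days ago"
}

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Compliant  = ($issues.Count -eq 0)
    Issues     = ($issues -join '; ')
}
```

Schedule it on each device or run it through Invoke-Command and alert on any object where Compliant is false.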
Inadequate IT asset disposal practices
Encrypting data at rest, being notified when your data is being misused, putting in place strict physical control policies backed up by adequate training – all this puts you in a good position for reducing the risk of a data breach.
But there’s an area that can often be missed: a true blind spot where a problem can cause just as much damage as any of the areas mentioned above.
You see, once an end user device or storage unit comes to the end of its economic life, it goes out of sight. Out of sight – out of mind. The challenge is that although the hardware might be end of life, the data itself lives on to fight another day. Simply deleting files is not enough, as freely available system recovery software can bring those files back from an emptied recycle bin.
With the WEEE directive in the early noughties came a requirement for all electronic waste to be reprocessed. Considering the data that can reside on devices, just as much effort and deliberation needs to go into thinking about what happens to your organisation’s data when it’s not only at rest, but also laid to rest.
What you can do
Considering the vast majority of organisations don’t operate as an Environment Agency Approved Authorised Treatment Facility, it’s extremely common for IT recycling to be contracted out. This is sensible not only from an environmental perspective but from a security one too, as competent IT recycling organisations will securely erase your data in line with Government standards as a matter of course.
There are over 700 organisations in the UK who offer IT recycling services, so there’s no shortage of organisations to choose from.
The quality of service and compliance levels vary massively between them though. Here are a few questions to ask when you’re going through selecting a supplier:
Who is accredited to process the most sensitive data? An interesting hack here is to look at who has DIPCOG accreditation. This means that the IT recycling facility has passed stringent audits and has been approved to handle end of life IT assets from the Ministry of Defence and securely erase the data.
Who is ADISA accredited? The Asset Disposal and Information Security Alliance (ADISA) is a global collection of elite IT recycling companies who are audited and measured against strict standards. Organisations that are rated as Distinction level by ADISA represent the cream of the crop of those offering IT disposal services and have been shown to offer robust facilities, transportation, processes and staff training.
There’s lots more to look at, but if you start with these two measures you’ll have a strong starting point for a shortlist. We’d always recommend that when you meet with potential IT suppliers it’s ‘their place, not yours’: you can really get a sense of how the policies and processes work in practice with a factory tour.