This is the most basic kind of breach that can be discussed, and it can be prevented
to a great extent by simple measures. Think of the 80-20 rule: if you apply 20% of
the preventive measures religiously, you could stop 80% of these leaks.
Let’s define data breach, "A data breach is a
security incident in which sensitive, protected or confidential data is copied,
transmitted, viewed, stolen or used by an individual unauthorized to do
so." Data breaches may involve financial information such as credit card
or bank details, personal health information (PHI), Personally identifiable
information (PII), trade secrets of corporations or intellectual property. Most
data breaches involve overexposed and vulnerable unstructured data – files,
documents, and sensitive information. A breach is the intentional or unintentional
release of secure or private/confidential information to an untrusted
environment. Other terms for this phenomenon include unintentional information
disclosure, data leak and data spill (source: Wikipedia).
Various data protection regulations have been implemented worldwide, but I
personally believe that the overall ignorance of users feeds 99% of these data
breaches, so this is my humble effort to address such shortfalls.
Consider a simple data breach caused by an employee: a wrong attachment, or
information sent to the wrong recipient by mistake, can lead to major issues for
the individual or the corporation. This can be prevented by checking emails
before sending them. We could simply queue emails while composing and send them
later to prevent such nightmares.
Then there is malware, short for malicious software: any software intentionally
designed to cause damage to a computer, server or computer network. Malware does
its damage after it is implanted or introduced in some way into a target's
computer, and it can take the form of executable code, scripts, active content,
and other software.
Fileless malware is now a huge security challenge for organizations, and
traditional email security controls aren't sufficient to meet it.
Believe me, it’s really easy to produce 100 variants of the same [malicious]
document: the code and the document stay the same, but 100 different random
characters that aren't even visible in the document are inserted. These are
super easy to create, and if you're relying on signatures, you have to wait for
every one of the 100 to get its own signature. The points to consider here are:
- How malicious attachments are infecting organizations;
- Why traditional defenses fail to detect these payloads;
- How to respond when infections do penetrate defenses.
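The following is an added example, not code from the original post: it shows why a byte-for-byte hash signature misses a document that has only had invisible characters inserted, and how normalising the text before hashing (one possible mitigation) restores the match. The "documents" are constructed strings, not real malware.

```python
"""Added example: exact-hash signatures vs. normalised signatures against
trivially re-varied document text. All sample inputs are constructed inline."""
import hashlib
import unicodedata

# Constructed sample: the "known bad" document body a signature was written for.
KNOWN_BAD = "Please enable macros to view this invoice."

# Code points that render as nothing and can be inserted without changing what
# the reader sees (zero-width space/joiners, word joiner, BOM, soft hyphen).
INVISIBLE = ["\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"]

def make_variant(text: str, seed: int) -> str:
    """Constructed test input standing in for the post's '100 variants':
    the same text with seed-dependent invisible characters inserted."""
    out = []
    for i, ch in enumerate(text):
        out.append(ch)
        if (i + seed) % 3 == 0:
            out.append(INVISIBLE[(i * 7 + seed) % len(INVISIBLE)])
    return "".join(out)

def exact_signature(text: str) -> str:
    """Naive signature: SHA-256 over the raw UTF-8 bytes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def normalise(text: str) -> str:
    """Canonicalise before hashing: apply NFKC, then drop every format
    character (Unicode category Cf), which covers the invisible set above."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def normalised_signature(text: str) -> str:
    """Signature over the canonical form, so visually identical text matches."""
    return hashlib.sha256(normalise(text).encode("utf-8")).hexdigest()

def matches(known: str, sample: str) -> dict:
    """Report whether each signature style flags `sample` as `known`."""
    return {
        "exact": exact_signature(known) == exact_signature(sample),
        "normalised": normalised_signature(known) == normalised_signature(sample),
    }

if __name__ == "__main__":
    for seed in range(3):
        print(seed, matches(KNOWN_BAD, make_variant(KNOWN_BAD, seed)))
```

Every variant is longer than the original on disk yet renders identically, which is exactly why a detector that hashes raw bytes needs one signature per variant while the normalised hash needs one.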
Information management is critically important to all of us as employees,
businesses and consumers. For that reason, various institutions have been
tracking security breaches, looking for patterns, new trends and any
information that may help us educate consumers and businesses on the need to
understand the value of protecting personally identifying information and
business-critical data.
To understand the various data loss methods, consider the following:
- Insider Theft
- Unauthorized Access
- Hacking / Computer Intrusion (includes Phishing, Ransomware/Malware and Skimming)
- Data on the Move
- Physical Theft
- Employee Error / Negligence / Improper Disposal / Lost
- Accidental Web/Internet Exposure
- Stalking on social networks
Let’s take a breath and understand how we could
reduce these seven risk factors.
Insider theft is the act of stealing information
stored on computers, servers, or other devices from an unknowing victim with
the intent to compromise privacy or obtain confidential information. Data theft
is a growing problem for individual computer users as well as large
corporations and organizations.
Preventive measures for data breaches are:
- Train yourself, employees, customers
- Segregate & Secure sensitive information.
- Build strong security policies
- Periodically & Properly dispose of sensitive data.
- Protect against malware
- Control physical access to your business computers
- Encrypt data communication
- Build & plan incident response teams
- Review / update all account settings once a week
1. Train your employees.
According to various reports, employees are the
top cause of data breaches in small and mid-size businesses, accounting for 48
percent of all incidents. It’s usually due to an innocent mistake; employees
often lack basic awareness of data security and how hackers work. Employee
education is one of the most important things you can do to lower the potential
of data theft.
Offer mandatory awareness training on the security
risks employees face every day. Social engineering is a growing threat for
small businesses whereby hackers pose as a trusted source in need of
confidential data. Through phishing, employees are invited to click on a link
that installs a virus on their computer without their knowledge. Ransomware
will hold a computer hostage until the required ransom is paid.
To prevent employees from falling into these traps,
advise them to:
- Confirm the legitimacy of the source before giving out confidential information
- Never open attachments from people they don’t know
- Avoid suspicious links in emails, websites and online ads
2. Secure sensitive information.
Sensitive data is the valued commodity that
criminals seek to exploit for profit. It includes personally identifiable
information (PII) for employees, customers and patients as well as business
trade secrets, financial data and other company-confidential information. In
the wrong hands, this information can damage your business, customers and reputation.
Limit access to online files based on an employee’s
need to know. Store paper files and removable storage devices containing
sensitive information in a locked drawer, cabinet, safe or other secure
container when not in use.
3. Properly dispose of sensitive data.
Be equally vigilant when disposing of sensitive
data. Shred documents containing confidential information prior to recycling.
Remove all data from electronic devices—whether computers, tablets, smartphones
or storage hardware—before disposing of them.
4. Use strong password protection.
Passwords are under constant attack and hackers use
a number of different means to crack them. To deter their efforts,
password-protect your business computers, laptops and smartphones as well as access
to your network and accounts. Require employees to change default passwords and
set a strong, complex password with a variety of characters that must be
changed at least quarterly.
5. Protect against malware.
Malware refers to “malicious” software, such as
viruses and spyware, that is installed on a computer with the intent to access
sensitive information or cause damage. Malware can be installed when an
unsuspecting employee uses a malware-laden USB device or clicks on an infected
link in an email or on a website.
To prevent a malware attack, install and use
antivirus and anti-spyware software on all company devices and be sure your
employees are on the lookout for suspicious links.
6. Control physical access to your business
computers.
Create user accounts for each employee to prevent
unauthorized users from gaining access to your business computers. Laptops can
be stolen easily; make sure they’re locked in place when unattended. Also limit
network access on computers located in or around public spaces, such as the
reception area.
7. Encrypt data.
Encryption encodes information, whether it is
stored on a device, in the cloud or being transmitted over the Internet, and
only the person or computer with the proper key can decode it. Encryption is
highly recommended for all devices containing sensitive information, including
laptops, mobile devices, USB drives, backup drives and email.
Most operating systems and many software
applications have a built-in encryption option which you simply need to activate
(instructions vary). You may also purchase encryption programs tailored to the
needs of your business—whether for an entire drive or one or more files or
folders. Secure Sockets Layer (SSL) certificates are the standard way for
businesses to encrypt sensitive information, such as credit card details,
before it is transmitted over the Internet.
8. Keep your software and operating systems up to
date.
Malware continuously evolves and software vendors
continuously update or “patch” their programs in order to address new security
vulnerabilities. For this reason, it’s vital to install updates to security,
web browser, operating system and antivirus software as soon as they are
released. They’re your first line of defense against online threats.
9. Secure access to your network.
To prevent outsiders from gaining access to private
information on your network, enable your operating system’s firewall or
purchase reputable firewall software. Configure a Virtual Private Network (VPN)
to provide workers with a secure means of accessing your network while working
remotely. If you have a Wi-Fi network for your workplace, make sure it is
secure and encrypted, and that your SSID (service set identifier) is hidden so
that it can’t be picked up by the public. Also require a password for access.
10. Verify the security controls of third parties.
Most businesses rely on third-party vendors for
some aspect of their operation, whether for payroll, credit card processing or
to manage their security functions. But there are security risks in doing so.
If a breach occurs on the vendor’s watch, your data may be compromised and you
could still be held responsible for the loss.
Before engaging the services of a third-party
vendor, evaluate their security standards and best practices to ensure they
meet your minimum requirements. Look for vendors that:
- Have strong security policies and procedures
- Regularly back up their data on a hard drive as well as the cloud
- Perform routine internal security audits
- Run background checks on employees with access to your data
- Require employees to complete data security training
- Keep up to date with the latest security patches and security software
- Have a comprehensive incident response plan for responding to and managing the effects of a security attack
Once you’ve vetted and selected a third-party
service provider, put a service level agreement (SLA) in place that details
your security expectations and gives you the right to audit the vendor to confirm
compliance with your policies.
Let me also include my take on the General Data
Protection Regulation (GDPR) universal guidelines (these address almost 80-87%
of breaches by guiding users on what is critical).
Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data
Online portals and companies will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for processing data
- Keep records detailing data processing
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
- Train privacy personnel and employees
- Audit and update data policies periodically
- Employ a Data Protection Officer who can address grievances or queries
- Create, publish and manage compliant & non-compliant vendor contracts
My group and I (India Training Services, ITS) have already adopted the GDPR
guidelines and have been big supporters for a long time. Now that it is
enforced by law, I would also recommend that the Indian government completely
support this great move.
Enhance your capabilities to support the privacy rights of individuals with
tools and documents that help you respond to data subject requests (DSRs) and
personal data breaches, as well as the information you need to create your own
data protection impact assessments (DPIAs). We at ITS can help you with this, as
we are committed to protecting the privacy rights of all users and companies.
Feel free to contact me at rrpande@indiatrainingservices.in