As the seemingly incessant news reports of data breaches make obvious, businesses often do not adequately protect all of the information that they should be securing. In fact, in November 2015 the Office of the Director of National Intelligence estimated that espionage conducted through hacking costs businesses in the United States $400 billion per year – certainly not a small sum of money. Interestingly, however, security professionals commonly discover that even businesses that do expend significant resources on information security neglect to adequately shield some of the data that should be better protected. Here are some prime examples:
1. Human Resources related data
Every business other than a self-employed individual has employees, which, by definition, means that it possesses sensitive human-resources information. While most people realize that payroll data and other records containing personal information must be protected, many neglect to afford proper protection to communications about performance on projects and other materials that could be highly damaging to a firm if they leak. Such HR-related information may exist in all sorts of formats, and attackers can exploit it to social-engineer their way into an organization: knowing who reports to whom, who is under review, and who is about to leave makes a pretext far more convincing. Also, consider the damage to morale and staff productivity if HR data leaks – such adverse effects are often christened “indirect damage,” but, direct or not, they can certainly be quite costly to a company’s top and bottom lines. Furthermore, when a business seeks to hire new people, how many stars will want to join a firm that they know has leaked private information about prior employees?
2. Sensitive data in the cloud
In reality, “the cloud” simply means “computers belonging to someone else”; organizations leveraging cloud technology effectively outsource some portion of their information infrastructure to third parties who typically handle the data of multiple clients on the same equipment. As such, any sensitive information transmitted to and from the cloud, stored in the cloud, and/or utilized in the cloud is at risk and must be adequately protected. Furthermore, in general, it is unwise to rely on cloud storage providers to encrypt one’s information; encryption services offered by such firms typically force users to rely on providers’ keys – so a breach within the provider’s organization (or an insider, or a legal demand served on the provider) could lead to a criminal accessing client data without ever having to steal the client’s decryption keys. Data that is encrypted on the client side, with keys that the organization itself holds, does not have this weakness: the provider stores only ciphertext it cannot read.
3. Data in backups
Many organizations that spend a small fortune to protect data neglect to adequately protect the same information when it is stored in backups. Sometimes the reason for this is that improvements in information security have been implemented over time, so both production systems and their corresponding backups benefit from increasingly advanced security – but backups made prior to the deployment of the improvement are left as they were, potentially creating a serious vulnerability. Old backup media, tapes in off-site storage, and copies that were never encrypted in the first place deserve the same inventory and review as the live systems.
4. Data on non-business devices
Organizations must address the risk of data on employees’ and contractors’ flash drives, memory cards, smartphones, home computers, and all sorts of other devices that can store information. Many firms do so only in part.
5. Data on paper
Do not forget that information security includes protecting information when it is printed (or handwritten) on paper – printouts left on printers, notes on desks, and documents in unlocked bins are all data stores too!
6. All communications
Many organizations deploy significant technology to appropriately secure sensitive information within emails, but do little to secure data that resides in the infrastructure of other forms of communications such as chat apps.
7. Social media accounts
Social media accounts pose several risks. They obviously allow organizations to communicate with outside parties and broadcast messages to the world – and many businesses do not have any system configured to provide them with real-time alerts if something potentially problematic is somehow posted – which may be the first sign of a breach. Social media credentials are also often used for authenticating to various applications and for proving one’s identity to others – making social media accounts even more important to protect. Yet many organizations neglect to audit who has access to these important resources – not just in terms of people, but also in terms of which third-party applications have been granted access rights to the accounts, grants that typically outlive the campaign or employee that created them.
8. Data in use
Often ignored, but at times absolutely critical, is the concept of protecting data while it is being used. Advances in technology allow certain functions to be performed on data without decrypting it – which can help defend against unauthorized access and the pilfering of data. A modern e-mail system, for example, can route messages even when their contents are encrypted, because routing needs only the unencrypted envelope; many other technologies offer similar protections for other forms of communication. True computation on encrypted data goes further: homomorphic encryption lets a party that holds only ciphertexts (and no key) combine them, with the result decrypting to the corresponding combination of the plaintexts, and hardware-isolated enclaves let data be processed on a host whose operator cannot read it. Obviously, it can also be quite valuable to encrypt data while it is being utilized at a third-party cloud-service provider. On that note…
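As an added example (not code from the original post or from the sponsor) of computing on data without decrypting it, the block below implements the Paillier cryptosystem, which is additively homomorphic: multiplying two ciphertexts modulo n² yields an encryption of the sum of the two plaintexts. The scenario is constructed: a client encrypts individual salaries under its own key, a "cloud" party holding only the public key adds them up, and only the client can decrypt the total. Key sizes are deliberately small for speed and would be far larger in practice.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// paillierPub is the public key: n = p*q, n2 = n*n, and g = n + 1.
type paillierPub struct {
	n, n2, g *big.Int
}

// paillierPriv is the private key: lambda = lcm(p-1, q-1) and
// mu = (L(g^lambda mod n^2))^-1 mod n.
type paillierPriv struct {
	pub    *paillierPub
	lambda *big.Int
	mu     *big.Int
}

// lFunc is Paillier's L(x) = (x - 1) / n, an exact division when x = 1 mod n.
func lFunc(x, n *big.Int) *big.Int {
	return new(big.Int).Div(new(big.Int).Sub(x, big.NewInt(1)), n)
}

// paillierKeygen picks two random primes of the given bit length and derives
// the key pair. bits is a constructed parameter; it is kept small here only so
// the example runs quickly.
func paillierKeygen(bits int) (*paillierPriv, error) {
	one := big.NewInt(1)
	for {
		p, err := rand.Prime(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		q, err := rand.Prime(rand.Reader, bits)
		if err != nil {
			return nil, err
		}
		if p.Cmp(q) == 0 {
			continue
		}
		n := new(big.Int).Mul(p, q)
		pm1 := new(big.Int).Sub(p, one)
		qm1 := new(big.Int).Sub(q, one)
		// Decryption needs gcd(n, (p-1)(q-1)) = 1; retry on the rare failure.
		if new(big.Int).GCD(nil, nil, n, new(big.Int).Mul(pm1, qm1)).Cmp(one) != 0 {
			continue
		}
		lambda := new(big.Int).Div(new(big.Int).Mul(pm1, qm1), new(big.Int).GCD(nil, nil, pm1, qm1))
		n2 := new(big.Int).Mul(n, n)
		g := new(big.Int).Add(n, one)
		mu := new(big.Int).ModInverse(lFunc(new(big.Int).Exp(g, lambda, n2), n), n)
		if mu == nil {
			continue
		}
		pub := &paillierPub{n: n, n2: n2, g: g}
		return &paillierPriv{pub: pub, lambda: lambda, mu: mu}, nil
	}
}

// encrypt computes c = g^m * r^n mod n^2 with a fresh random r in Z_n^*, so
// two encryptions of the same value look different.
func (pk *paillierPub) encrypt(m *big.Int) (*big.Int, error) {
	if m.Sign() < 0 || m.Cmp(pk.n) >= 0 {
		return nil, fmt.Errorf("message out of range [0, n)")
	}
	var r *big.Int
	for {
		var err error
		r, err = rand.Int(rand.Reader, pk.n)
		if err != nil {
			return nil, err
		}
		if r.Sign() > 0 && new(big.Int).GCD(nil, nil, r, pk.n).Cmp(big.NewInt(1)) == 0 {
			break
		}
	}
	c := new(big.Int).Exp(pk.g, m, pk.n2)
	c.Mul(c, new(big.Int).Exp(r, pk.n, pk.n2))
	return c.Mod(c, pk.n2), nil
}

// addEncrypted is the homomorphic operation: the product of two ciphertexts
// mod n^2 decrypts to the sum of their plaintexts mod n. No key is needed.
func (pk *paillierPub) addEncrypted(c1, c2 *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Mul(c1, c2), pk.n2)
}

// decrypt computes m = L(c^lambda mod n^2) * mu mod n.
func (sk *paillierPriv) decrypt(c *big.Int) *big.Int {
	m := lFunc(new(big.Int).Exp(c, sk.lambda, sk.pub.n2), sk.pub.n)
	return m.Mul(m, sk.mu).Mod(m, sk.pub.n)
}

// encryptedSum plays the client that encrypts each value, then the untrusted
// party that folds the ciphertexts together. The value 1 is a valid encryption
// of 0 (r = 1), so it serves as the identity for the running total.
func encryptedSum(pk *paillierPub, values []int64) (*big.Int, error) {
	total := big.NewInt(1)
	for _, v := range values {
		c, err := pk.encrypt(big.NewInt(v))
		if err != nil {
			return nil, err
		}
		total = pk.addEncrypted(total, c) // done without any key material
	}
	return total, nil
}

func main() {
	sk, err := paillierKeygen(256)
	if err != nil {
		panic(err)
	}
	salaries := []int64{52000, 61000, 70000} // constructed sample data
	c, err := encryptedSum(sk.pub, salaries)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted total:", sk.decrypt(c))
}
```

The party doing the addition never sees a salary or a key; it sees only ciphertexts, and the output it returns is itself a ciphertext that only the key holder can open.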
9. Data accessed, handled, or supplied by third parties
Many organizations do not adequately secure data and systems from the risks created when they allow outsiders to handle their data or to access their resources. Likewise, many organizations have no defenses against supply-chain risks – that is, risks created by suppliers of hardware, software, or data. Depending on the nature of an organization, for example, it might be worth considering whether there may be malware embedded in the chips that it is purchasing or in the software that it is deploying, and at a minimum verifying that what arrives is what the supplier actually shipped.
10. Data subject to regulations
Many organizations – even those that do attempt to comply with all legal requirements – often do not fully comply with every regulation to which they are subject. Often the failure stems from people overlooking some portion of data that is subject to the relevant regulations. I expect that we will see such scenarios leading to news stories after GDPR goes into effect in less than two months.
11. Credit card CVVs
The card verification value (CVV, also written CVC or CCV) printed on a payment card must never be stored after a transaction is authorized, nor written down – PCI DSS explicitly forbids retaining it – yet some organizations still do, in databases, call-center notes, and log files.
12. Voicemail
Voicemail may be an outdated technology, but it is still used en masse, and many organizations – which are reluctant to continue investing in an increasingly obsolete method of communication – still store messages in unencrypted formats on vulnerable, often unpatched, systems.
We should remember that data security is not a “nice to have” or a luxury – it can literally mean the difference between a business flourishing and failing. Just a few years ago, the Chinese company Sinovel Wind Group cancelled an $800 million contract with the American firm AMSC after Sinovel successfully stole AMSC’s source code and was able to run wind turbine equipment without legally licensing the software. Following the theft and the resulting contract cancellation, AMSC lost more than $1 billion in market value, and half of its then-1,400 employees lost their jobs. Smaller businesses often suffer even more severe fates – a single breach has been known to kill companies. So, make sure to protect all of your important information.
To learn more about data security, please view the free webcast, Guarding Your Digital Assets, from Microsoft’s Modern Workplace.
This post is sponsored by Microsoft.