Personal Data Management Fundamentals


In Personal Data Management Fundamentals, OWI builds on the principles established in our Introduction: Data Stewardship white paper. This paper gives a broad overview of the nature of current threats to your data, and details the most common attack vectors. Most importantly, it provides concrete steps your company can take to protect sensitive information and empower employees to be an effective first line of defense.

Author:
Principal Analyst – Kaelyn Lowmaster

Editor:
Neil Hughes

Contributors:
Director of Education – Katie Stephens


Protect your assets

The identity data you collect is a core asset of your company, and it’s as vital to the success of your business as any other part of your inventory. That personal information doesn’t just include customer data either. Internal transaction records, human resources files, and numerous other functional areas likely include data of inherent value not just to your business plan, but also to cybercriminals.

But protecting personal data from theft and misuse is by nature a lopsided battle. Businesses must try to detect every vulnerability and thwart every attempted breach, while scammers only have to get it right once. It only takes a single missed software patch or less-than-vigilant employee to expose critical information. For that reason, prioritizing Trust and Safety by building robust data protection mechanisms and maintaining an educated team at all levels of your business should be a priority.

Though no company is immune from all hacks and breaches, a few key strategies can drastically reduce the likelihood that sensitive information will be compromised. Built on the principles established in our Introduction: Data Stewardship white paper, this paper gives a broad overview of the nature of current threats to your data, and details the most common attack vectors. Most importantly, it provides concrete steps your company can take to protect sensitive information and empower employees to be an effective first line of defense.

The nature of the threat

2017 brought a near-constant barrage of data breach headlines. More than 2 billion unique data records were stolen worldwide in the first 6 months of the year alone, a 164% increase over the last half of 2016. Those records came not just from headline-grabbing attacks on the likes of Equifax, Yahoo, or LinkedIn, but also from smaller leaks, breaches, and unauthorized disclosures as well. Household names aren’t the only corporate targets: there’s a 1 in 4 probability that any given company will experience a data breach in the next two years. It’s all the more important for smaller companies, then, which may not have robust IT teams or cyber infrastructure, to remain vigilant.

Both the monetary and reputational costs of those breaches have expanded along with their size and frequency. The average data breach now sets companies back over $3.6 million, with each individual compromised record costing $141. Reputational risk is more difficult to quantify. One study found that the damage to a brand ranges from $184 to $332 million depending on the type of data compromised, and up to 90% of customers report that they would avoid doing business with a company that had previously compromised credit card information.

Common causes of data breach

The cost of data theft is painfully apparent, but businesses often have an underdeveloped sense of where their vulnerabilities lie. Once sensitive data has been exposed, it can be subject to a wide array of exploitation mechanisms. In some cases, the data itself can be simply sold as a black market asset, with prices ranging from less than $1 to around $450, depending on the information available. In other cases, stolen or compromised data can be used to facilitate fraud or cripple business operations. The first step toward a robust data management strategy is understanding the most common attack types facing companies today.

Phishing

Phishing is the practice of sending fraudulent emails designed to look as though they were sent by a legitimate source, with the intent of inducing the recipient to reveal personal information or inadvertently give an adversary access to the recipient’s systems. The tactic is simple and has its roots in the earliest days of email. It’s still pervasive, however. More than 9 in 10 cyberattacks – and ensuing data theft – still start with a phishing email.

Phishing has evolved considerably since the days of poor grammar, spelling errors, and fictional Nigerian princes looking to share their fortunes. Those simple red flags are no longer present: sender email addresses are designed to look legitimate, availability of recipient social media leads to easier tailoring of convincing message content, and infected attachments or fake links are better disguised. Even savvy users are easily duped.

This attack vector is enormously successful, and rates of phishing are increasing rapidly. 77% of companies were victims of phishing in 2016, and nearly half of employees will click a phishing email that looks real or compelling enough, leading to catastrophic consequences for organizations ranging from U.S. Democratic National Committee to Anthem to Sony.

Malware and ransomware

Malware refers to any number of software programs designed to cause harm to a digital network, including viruses, Trojan horses, worms, and spyware, among others. The most common type of malware today is ransomware, in which an adversary encrypts or blocks access to certain files or components of a target’s system until a ransom is paid. Phishing is the most common vector for this type of attack – up to 97% of phishing messages contain some type of ransomware.

Ransomware is a booming business for attackers and a massive financial burden for affected companies. Estimates vary, but a third to one half of businesses have been the victims of a ransomware attack, and 70% of them met the ransom demand to get their files back. An estimated $1 billion in ransom payments were made in 2016, with most affected businesses forced to shut down online operations for at least a week.

The growth of ransomware as an industry is unlikely to slow down anytime soon. High-profile ransomware attacks like WannaCry and Petya/NotPetya impacted hundreds of thousands of computers worldwide in 2017, and the pace of attacks continues to accelerate. Despite this, many companies don’t have a clear response strategy in the event their company is impacted, and many employees are not sufficiently trained on avoiding ransomware threats in the first place.

Poor security hygiene

Generally poor security hygiene is also a frequently-leveraged attack vector for corporate breaches. Negligent security practices can include using weak, default, or duplicate passwords, foregoing additional security layers like multi-factor authentication, skipping hardware or software updates, or simply sharing too much data unnecessarily or with the wrong people.

Bad password habits can be particularly damaging. 80% of hacking-related attacks in the past year leveraged weak or stolen passwords. Three-quarters of passwords are duplicates used across multiple accounts – on average, only 6 unique passwords protect every 24 accounts, and nearly half of people use passwords that are over 5 years old. Separately from the most recent hack, Equifax also got caught using the easily-guessable “admin/admin” as a username/password combination, for example. Moreover, the potential for damage is likely to increase in the near term as a greater number of connected devices become operational while still using weak factory default passwords.

Failure to keep devices updated can also lead to significant vulnerabilities. In the unprecedented Equifax breach announced in September 2017, it was found that a patch for the particular exploit leveraged in the attack had existed for months before the company’s systems were breached – the company simply hadn’t updated. The expanding Internet of Things will likely provide even more opportunities for cybercriminals to take advantage of delayed updates.

Third-party application attacks

The use of third-party applications has expanded in companies across sectors, and has become an increasingly central component of workplace function. The average business now uses around 20 distinct web- and cloud-based apps for services ranging from email and teleconferencing to data storage and file sharing. But this high degree of integration with external service providers means that threat opportunities for companies are multiplying while internal data visibility is often decreasing. For example, misconfiguration of Amazon cloud-based data storage led to multiple data breaches at Verizon and Time Warner in 2017. The instant messaging service Slack was the vector for the recent attack in advance of one company’s Initial Coin Offering (ICO), costing potential investors $500,000. Vulnerabilities in the third-party apps your company relies on can also be direct vulnerabilities for your company.

Internal errors or mishandling

Even in the presence of the most rigorous anti-virus software, spam filters, and technological security mechanisms, human error and mishandling remain a major threat to data safety. This could take the form of inadvertent employee mistakes (e.g. forwarding sensitive material to unintended recipients), or intentional malice (e.g. actively seeking access to restricted data for exploitation). In 2013, for example, several employees of the National Security Agency were found to have abused surveillance tools to track former romantic partners.

Too often, companies simply lack a complete picture of where their data is stored, who has access to view and use it, or how it’s secured. When the actions of a single employee can create critical vulnerabilities, a robust data management and incident response protocol is necessary.

Physical loss

With the proliferation of advanced cyber weaponry, many companies overlook simple physical loss of sensitive material or devices as a vector for data breaches. This can include both the compromise of printed material, as well as lost or stolen devices like mobile phones or laptops. One 2014 study in California, for example, found that physical loss was the most common cause of data compromise in the healthcare sector. The 2017 Verizon Data Breach Investigations Report indicates that 8% of total data breaches originate in physical device or material compromise.

Ten Commandments for data management

With the threat landscape continually expanding, building effective data management and cybersecurity defenses can seem daunting. Fortunately, though, many of the most pervasive attack mechanisms we outline here aren’t really new – they’re simply variations on established themes. These types of attacks continue to work, though, because they prey on common weaknesses in data management strategy.

A few relatively easily adopted steps can go a long way toward thwarting digital adversaries and substantially raising the time, effort, and monetary costs of compromising your data. Your company doesn’t have to be the low-hanging fruit for hackers. And while no company can guarantee flawless cybersecurity, you can help ensure that it’s less worth a hacker’s time to try accessing your valuable data. Here are ten commandments to start building your data management infrastructure:

  1. Use best practices for passwords

Despite regular reminders of both the weaknesses of passwords as an authentication mechanism and the dangers of poor password hygiene, the average user still employs weak, outdated, repeated, or default passwords. Until other means of authentication gain broader traction, ensure that both you and your employees are following best practices for passwords. The National Institute of Standards and Technology has released updated guidelines for implementing passwords, and your company should ensure that passwords used for corporate assets are of sufficient length, complexity, and uniqueness. Where possible, they should also be cross-checked against existing databases of easily-guessable or compromised passwords. In addition to those guidelines, using a password manager can help generate and store strong passwords to reduce the burden on the user and mitigate the risk of passwords being shared across accounts.  
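As an added illustration of the password practices described above (not code from the OWI paper), the following check applies the NIST-style rules the text refers to: a minimum length, a long maximum, no arbitrary composition rules, and a comparison against a list of common or compromised passwords and context words such as the username. The blocklist is a small constructed sample standing in for a real breached-password corpus.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B.

Added example, not code from the OWI paper. COMMON_PASSWORDS is a constructed
stand-in for a real corpus of compromised passwords.
"""
import re
import unicodedata

# Constructed sample of commonly used / breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin",
                    "welcome1", "iloveyou"}

MIN_LENGTH = 8    # NIST minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # NIST requires that at least 64 characters be accepted


def normalize(pw: str) -> str:
    """NFKC-normalise so look-alike Unicode strings compare equal."""
    return unicodedata.normalize("NFKC", pw)


def _is_repetitive_or_sequential(pw: str) -> bool:
    """Catch runs such as 'aaaa', '1234' or 'dcba' anywhere in the password."""
    low = pw.lower()
    if re.search(r"(.)\1{3,}", low):
        return True
    codes = [ord(c) for c in low]
    for i in range(len(codes) - 3):
        diffs = [codes[j + 1] - codes[j] for j in range(i, i + 3)]
        if diffs == [1, 1, 1] or diffs == [-1, -1, -1]:
            return True
    return False


def check_password(candidate: str, context_words=(), blocklist=COMMON_PASSWORDS):
    """Return the reasons a password is rejected; an empty list means accepted.

    No composition rules (mixed case, symbols) are enforced: NIST advises
    against them because they push users toward predictable patterns.
    """
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in blocklist:
        problems.append("appears in the compromised/common password list")
    for word in context_words:            # e.g. username, company name
        if word and word.lower() in pw.lower():
            problems.append(f"contains context-specific word {word!r}")
    if _is_repetitive_or_sequential(pw):
        problems.append("contains repeated or sequential characters")
    return problems


if __name__ == "__main__":
    # The "admin/admin" combination mentioned above fails on three counts.
    print(check_password("admin", context_words=("admin",)))
```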

  2. Turn on multi-factor authentication wherever possible

Multi-factor authentication (MFA) is a process by which more than one piece of information is required to authenticate an account. This typically involves something the user knows (like a password) in combination with something that user has (like a device or physical key), or something the user is (like a fingerprint or other biometric). While MFA is a fairly effective additional defense mechanism in a world still dominated by passwords, studies show that adoption rates are still low. A recent study indicates that just over a quarter of people use MFA, while over half hadn’t heard of it. Wherever possible, your team should be using MFA. SMS one-time passwords (OTPs) have been a common second factor, but they have been proven to be less secure than newer form factors like authenticator apps or hardware tokens.

  3. Practice healthy e-mail skepticism

As phishing tactics become more advanced, it is critically important that all employees maintain a healthy skepticism of emails. You and your team should question all messages, and be particularly wary of invoice attachments, password reset notifications, or urgent payment requests. If in doubt, recipients should directly call the message sender or institution using known legitimate contact information (like the number on the back of a credit card for calling a bank). Avoid clicking through links – even legitimate-seeming addresses and landing pages can be fraudulent.

  4. Keep hardware and software updated

Keeping devices and programs up-to-date ensures that you and your team have the most comprehensive available protection from known bugs and vulnerabilities. As many as 85% of targeted attacks are preventable with regular patches and updates. Each of your team members should be sure to run the latest version of internal systems and all third-party apps. IT departments should regularly remind users of available updates.

  5. Know where and how your data is stored

The sheer volume of data companies collect and process continues to grow, and it can be challenging to maintain visibility of exactly where data is stored and how it is protected. This simple lack of knowledge can lead to costly mistakes: leaving sensitive data exposed or not properly limiting internal access. Your company should have an overarching data storage strategy to ensure that sensitive data is securely stored and only those that need it for core business functions can access it. Cloud storage and containers have improved the scalability and functionality of corporate IT, but as recent incidents in which data in Amazon S3 buckets was discovered exposed show, these new capabilities make a comprehensive data storage strategy and audit functionality that much more important.

  6. Vet third-party apps and keep them properly configured

Third-party apps and service providers help companies execute necessary business functions, but can also give rise to additional security vulnerabilities. Many headline-grabbing data breaches over the past year, for example, have been the result of improperly configured third-party data storage. Your company should select third-party apps thoughtfully, monitor all integrations, and ensure that security settings are updated.
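The misconfigured cloud storage mentioned here and under commandment 5 is usually an over-broad bucket policy. As an added example (not the OWI paper's code, and not an AWS tool), the following audit function reads an S3 bucket policy document offline and reports the Allow statements that grant data access to an anonymous principal with no narrowing Condition. The policy below is a constructed sample with a placeholder bucket name and account id.

```python
"""Flag S3 bucket-policy statements that grant anonymous ("public") access.

Added example, not from the OWI paper or any AWS tooling. Works on the policy
JSON only, so it runs offline; SAMPLE_POLICY is a constructed sample.
"""
import fnmatch
import json

# Actions that expose or alter bucket data; a policy may name them with wildcards.
DATA_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject")


def _as_list(value):
    """Policy fields may be a single value or a list; always iterate a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _touches_data(action_field) -> bool:
    """Match each action pattern (e.g. "s3:Get*", "s3:*", "*") against data actions."""
    patterns = [p.lower() for p in _as_list(action_field)]
    return any(fnmatch.fnmatchcase(a.lower(), p) for a in DATA_ACTIONS for p in patterns)


def public_statements(policy_document: str) -> list:
    """Return Sids (or positional labels) of unconditioned anonymous data grants."""
    policy = json.loads(policy_document)
    exposed = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if not _touches_data(stmt.get("Action")):
            continue
        if stmt.get("Condition"):
            # A Condition narrows the grant (e.g. to a VPC endpoint); review it by hand.
            continue
        exposed.append(stmt.get("Sid", f"Statement[{idx}]"))
    return exposed


# Constructed sample: one world-readable statement, one limited to a team role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataTeam"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    print(public_statements(SAMPLE_POLICY))  # ['PublicRead']
```

NotPrincipal/NotAction forms and bucket ACLs are outside this check, so it complements rather than replaces the provider's own public-access settings.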

  7. Encrypt sensitive devices and data

Sensitive data and the devices on which it is stored should be encrypted wherever possible, both at rest (when it’s being stored) and in motion (when it’s being transferred to another user or account). This can help curtail the extent of data loss even if a device is lost or a breach occurs.

  8. Know how your employees are using personal accounts and devices

For many workplaces, remote work and employee use of personal devices to access company systems is common. As a result, companies should not assume that only company hardware or networks are being used to access company data. That means your employees’ personal data management habits may present vulnerabilities for your company. Your company should establish a policy for remote access.

  9. Institute an incident response protocol

Though the costs of data breaches are already high, they can be multiplied if a company does not have robust structures in place for reporting and remediation when adverse events occur. Do your employees know how to recognize a potential ransomware infection and to whom it should be reported? Statistically, it’s likely only a matter of time before your company is targeted, and your team members at all levels should know how to respond.

  10. Regularly train and test employees on common security threats

Education and training are a core component of incident response. Though no cybersecurity silver bullet exists, companies whose employees are frequently trained on phishing and other common security threats experience up to 77% fewer attacks. OWI Institute Trust and Safety courses provide a foundation on data management concepts to ensure that your employees are an active first line of defense for your company rather than a potential vulnerability.

Fighting the good fight

The personal data your company manages powers your business, but it can be equally valuable to adversaries. Even in a complex world of digital threats, these few practical steps can substantially decrease your risk of theft, loss, and associated fraud potential. By ensuring your team is an active participant in your company’s data management strategy, you’re more likely to avoid the costs associated with data breaches and build a reputation of Trust and Safety with your customers.