While you're worrying about 'sophisticated' threats, your company may be leaking data largely through carelessness
In the last two years, 1,949 ransomware attacks were referred to the UK's Information Commissioner's Office, compared to 3,337 cases of lost or stolen devices or data left in insecure locations. The ransomware incidents resulted in just one fine - of £98,000. The data loss events incurred fines totalling £26.2m. So, looked at from the perspective of regulatory penalties, which is the bigger problem?
And is our obsession with the latest and most fashionable forms of attack diverting our attention, efforts and budget away from the essential basics of security?
"We cannot neglect protections against ransomware or hacking attacks," Martin Lee, technical lead of security research at Cisco Talos told SC Media.
"However, estimations regarding the likelihood of loss can be skewed by the reporting of newsworthy attacks. Mundane incidents such as 'user leaves USB stick on a bus' are never going to hit the headlines despite this being a potentially common occurrence."
That makes it difficult to know the scale of the problem.
What data?
"Reliable published data regarding the prevalence of data loss or theft is hard to come by," adds Lee. "Nobody wants to publicise their failings for fear of seeming less secure than their peers, or for disclosing vulnerabilities to attackers.
"Organisations may be underreporting data loss simply because they're unaware that the incident occurred. The obligation to report data breaches contained in the GDPR regulations is a good start in collecting data on how data breaches occur, but there is much work to be done in analysing these data to spot trends and identify systemic weaknesses."
According to Phil Robinson, principal consultant at Prism Infosec: "Organisations tend to focus heavily on technical solutions rather than starting with the sensitivity and importance of the data to the organisation itself. They haven't considered first what it is that they are protecting or what the impact would be to their company if the data was lost."
And in most organisations, data is growing exponentially.
"Data is duplicated far too often, controls on who can read the data are lax and rarely is the data encrypted when at rest," says Colin Tankard, MD of Digital Pathways. "Very few companies are wrestling this back into company control."
The number of weak points, where data is vulnerable, has also increased massively, not least due to the adoption of cloud.
"Very few companies impose security controls on a user's own device and so the data, contacts and evidence held goes with the user when they leave," says Tankard.
"Trying to capture the data on a user's own device risks the organisation taking some or all of the user's own personal information at the same time, so GDPR comes into play and stops companies taking these steps. Couple this with the complexities of controlling devices from a support perspective and IT departments often take the easier option of open data access."
So what can you do?
"Data at rest encryption linked with access control should be the baseline for all organisations," says Tankard. "This will secure the data wherever it is stored or copied, and the access control will only allow readability of the data if you are an authorised person."
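The pattern Tankard describes, encryption at rest whose key is only ever used behind an access check, is shown below as an added example in Go; it is not code from the article, from Digital Pathways or from any product mentioned here. It assumes AES-256-GCM from Go's standard library, a single data-encryption key held inside a vault object, and an authorised-principal list standing in for whatever identity provider and policy engine a real deployment would use. The record name is bound into the ciphertext as associated data, so a sealed record copied to a USB stick or a personal laptop is unreadable on its own and cannot be relabelled as a different record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Principal identifies who is asking to read a record. In a real deployment
// this would come from an authenticated identity provider; here it is a plain
// string because the example is self-contained (assumption for illustration).
type Principal string

// Vault holds one data-encryption key and the set of principals allowed to
// read with it. The key never leaves the vault; callers only get plaintext
// through Read, which performs the access check before decrypting.
type Vault struct {
	key        []byte
	authorised map[Principal]bool
}

// NewVault generates a random 256-bit AES key and records who may read with it.
func NewVault(allowed ...Principal) (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	v := &Vault{key: key, authorised: map[Principal]bool{}}
	for _, p := range allowed {
		v.authorised[p] = true
	}
	return v, nil
}

func (v *Vault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-256-GCM. The record name is bound as
// associated data so a ciphertext cannot be silently relabelled as another
// record. Output is nonce || ciphertext+tag, safe to store or copy anywhere.
func (v *Vault) Seal(name string, plaintext []byte) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// ErrNotAuthorised is returned when the access check fails; no decryption
// is attempted in that case.
var ErrNotAuthorised = errors.New("principal is not authorised to read this data")

// Read returns plaintext only if the principal is authorised. The key is
// never handed out, so a copied ciphertext is useless without the vault.
func (v *Vault) Read(who Principal, name string, sealed []byte) ([]byte, error) {
	if !v.authorised[who] {
		return nil, ErrNotAuthorised
	}
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(name))
}

func main() {
	v, err := NewVault("alice@example.org") // constructed sample principal
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the sealed bytes are what would sit on disk.
	sealed, _ := v.Seal("payroll.csv", []byte("name,salary\nbob,40000\n"))
	if _, err := v.Read("finder@example.org", "payroll.csv", sealed); err != nil {
		fmt.Println("unauthorised read refused:", err)
	}
	pt, _ := v.Read("alice@example.org", "payroll.csv", sealed)
	fmt.Printf("authorised read: %q\n", pt)
}
```

The access decision and the decryption live in the same method on purpose: there is no code path that yields plaintext, or the key, without passing the authorisation check first, which is what makes the encryption follow the data wherever it is copied.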
Fortunately, there are signs that organisations are coming to understand these requirements.
"As part of risk management of these threats, it is common for IT departments to ensure that all laptops are encrypted using full disk encryption technology and that mobile phones have PIN, face/touch ID enabled," says Robinson.
"Additionally, it is very common for mobile endpoints to be part of a Mobile Device Management (MDM) solution which allows the organisation to locate and wipe lost/stolen endpoints as well as pushing and maintaining a strong organisational configuration to the mobile device estate."
But there is one final hurdle.
"The challenge CISOs have is getting buy-in from the board on a wide data security vision," says Tankard. "Hence they have to balance their budget against what the board will allow. I often think some security purchases are driven by what keeps the board members happy."
Text by: Steve Mansfield-Devine