Well over a third of UK businesses discovered at least one data breach or attack in the past year and a “sizable proportion” did not have “basic protections” in place around data security, it has been reported.
The threat of data loss, data breach or experiencing a malicious attack is nothing new and many organisations will have suffered these not only in the UK, but globally.
In this case, the UK is representative of the state of data protection globally. Although the statistics may not line up perfectly, there is no denying that organisations of all sizes in most countries are facing the threat of malicious data breaches.
2016 was dubbed the year of Ransomware and in 2017 that threat has not slowed, although many organisations are likely better educated on the topic now.
The full report on the Cyber Security Breaches Survey can be read here.
The growing threat against data
Data protection threats can come in many forms, from both internal and external sources and range from disgruntled employees to hackers. Identifying some of these sources is the first step to being able to protect against them.
The explosion of data growth that many industries are currently facing presents data protection challenges. With more data being stored in more varied locations, as well as being accessed by more people more regularly, from more locations, it also becomes difficult to track how and if data is being protected. Organisations can implement centrally enforced, company-wide policies to address these risks. If implemented correctly and reviewed often, they may be effective. Unfortunately, with the prevalence of shadow IT and unpredictable user behaviour, enforcing data management policies completely is often far from easy.
Together, data growth, data sprawl and easier data access can result in a loss of control, leaving data protection officers, or more commonly, IT and network managers, in the dark as to what is going on in their network. Growing organisations have a responsibility to train inexperienced staff and new employees correctly on the data protection policies and procedures in place to help reduce human-error.
Human-error remains one of the largest threats to data on a network, as was demonstrated with the Gitlab data loss at the start of this year. Staff accidentally deleted a live database and by the time they had cancelled the operation, less than 2% of the 300GB dataset remained, the rest had been permanently deleted. The failure of 5 separate backup and replication solutions that followed can also be attributed to human error, the systems having not been implemented or tested correctly.
Many challenges to data security have a commonality in that the risk to data is presented when data is unstructured. Unstructured data refers to data that is not stored or contained in a database or a different type of data structure. Unstructured data also stretches to cover data that is stored or accessed on mobile devices and removable media such as a USB storage device.
46% of organisations in the Cyber Security Breaches Survey 2017 stated that they have BYOD challenges that expose them to cyber security risks. Whilst mobile working can be a great asset for many organisations and cloud services make this a possibility, they can be a risky option for organisations who have limited control over when and where content is being accessed.
As with any removable media, there is a chance that storage devices such as USB and devices such as mobiles or tablets could be lost. If encrypted and password protected, this may not cause an immediate issue however, if unencrypted, these represent a serious data breach risk.
Fraud and criminal threat
The threat posed by cyber-criminals cannot be ignored and although large and enterprise-scale organisations are more likely to be targeted, all organisations are at risk. The truth is that malicious attacks come in many different formats, most of which can be hidden in email, on a seemingly harmless looking webpage or can exploit previously unknown vulnerabilities in technology used by any organisation.
Forms of attack can include:
- Phishing or ID theft
- Social Engineering
Organisations often use filtering, scanning and blocking to monitor emails and activity on networks and it is estimated that less than 1% of people will open attachments or follow links on malicious emails. However, given the opportunity to send millions of emails this becomes a considerable number of organisations and users affected.
Taking steps to reduce the threat of cyber-attack
Reducing the threat of losing data or having a serious network breach should be a priority for all organisations. If you are unsure on where to start, here are 4 tips to help you reduce the threat of data breach or cyber-security failure to your organisation.
- Complete a risk analysis – Completing a risk analysis will allow you to better understand where the threats are to your network and come up with an actionable plan to resolve them.
- Understand where your data lives – Gaining a better understanding of where data resides in your network, structured and unstructured, can give you an insight into where changes should be made and how best to protect data.
- Train staff around cyber-security awareness – Making users more aware of the challenges that the organisation faces daily around data security, can help to reduce the risk of human error and gives users a better opportunity to alert the necessary authority should they identify a risk of breach themselves.
- Ensure policy driven data protection procedures are in place – Implementing and following data protection policies will help to identify and deal with breaches more quickly should they occur.
Using backup and disaster recovery planning
Having a secure, off-site backup of all data is a vital first step to ensuring data is protected. Although a backup does not have the ability to stop fraud, cyber-attack or even human error, it is often the quickest and best way to reduce and resolve the effects of one of these scenarios.
Data backup is important to not only protect against data loss or breach but is commonly required to comply with regulations and compliance such as The Data Protection Act (DPA) and the upcoming General Data Protection Regulation (GDPR) which is set to become active in May 2018.
- Although GDPR is European law it will have knock on effects globally, as it applies to all organisations doing business with European citizens and companies.
Aside from the cyber threats facing organisations, there are also a multitude of physical threats and disasters that could take place and also need to be accounted for. Having a disaster recovery plan (DRP) in place that allows your organisation to meet set recovery point and time objectives (RPO, RTO) will save time and money but ultimately could save your organisation.
A robust offsite backup solution should form a key part of this. Depending on timeframes to recover critical data and after considering the functionality of the backup solution in place, a backup solution may by itself provide sufficient cover against data loss, however this could differ depending on any organisation’s unique requirements.
The importance of implementing a full data management solution
Further to backing up all data, organisations can implement solutions and strategies to help protect against threats to data and decrease the chance of downtime occurring.
To do this, organisations first need to have an understanding of what data they have and where it resides. They need a tool that provides this visibility and insight quickly and easily not least of which to identify duplicate files and other data which could be safely deleted. Regularly reviewing where data is in the data lifecycle and having an active policy to remove data that is no longer needed (either from an operational or legislative stand point) will also reduce the footprint of data to be protected.
One of the further benefits of having this visibility is the ability to tier data. Tiering data enables organisations to increase the efficiency of their data storage by moving data that is infrequently accessed or doesn’t change to cheaper disk, thereby freeing up space on expensive tier 1 disk to accommodate data growth.
Having a tool that provides visibility of and the ability to analyse file metadata such as last accessed date, last modified date, file owner, etc. also enables organisations to consider archiving and long term retention of data. However, deploying a separate tool to scan all files across the network to centrally collect this data securely likely seems onerous. Thankfully backup solutions already have a need to scan files across the network to identify changes. Therefore forward-thinking backup solution providers have begun incorporating this data analysis and insight capability into their backup technologies.
Having a solution in place to actively monitor and limit who has access to datasets is another method of protecting data. It not only gives administrators a chance to track who is accessing data but can work as a deterrent for any potentially disgruntled employees who may look to steal data, such as in the case of Royal Sun Alliance who had an unencrypted NAS device stolen from site.
There are new and old challenges and threats that face modern organisations and they have the responsibility to manage and protect data against these. Traditional methods of data protection such as backup are still vital and are being improved to deliver additional value but they are only part of the solution.
Cyber-criminals are well resourced and well-funded and due to this, the advancements and techniques used in hacking, fraud and in the development and deployment of malware have accelerated. Organisations now need comprehensive data management to be able to cope with threats.
Changes to legislation such as the arrival of GDPR in the EU are the result of a recognition of these threats and the need to protect against them.
Methods such as encryption, data tiering and archiving can go some way to reducing threats but having real insight and understanding of your data is vital to being able to protect it.