Data is big, data is valuable and data is trouble. In 2014, the Breach Level Index recorded that over one billion records had been breached, an increase of 78% over 2013. And 2015 is seeing similar levels – the first two quarters of the year each saw a loss of almost 340 million records.
Data loss affects all of us, as individuals and within an organization. It affects all types of companies, no matter what size they are. In a study of data breaches in Europe, the Center for Media Data and Society found that 51% of all breaches involved corporations, and of those, 41% had records compromised by hackers; the rest were either insider breaches or mismanagement. The UK is the worst-hit nation in Europe, with 93% of large UK organizations reporting a breach in 2013.
Data loss and theft are the most common types of cybercrime according to PWC. In their report on the Global State of Information Security 2016, they cited the top four types of security incidents as being:
- Computer records compromised
- Employee records compromised
- Loss or damage of internal records
- Loss of intellectual property
2015 has been a year notable for the levels of data loss and theft. All market sectors are being targeted, and there are many examples within the healthcare, financial and government areas.
One of the biggest and most far-reaching breaches hit the health care insurance provider Anthem, where a breach in late 2014 impacted almost 80 million customer records. In Europe there have been major breaches such as the holiday firm ‘Think W3’, which in 2014 lost almost 1.2 million credit and debit card records of customers due to a SQL injection attack on its database. More recently, Carphone Warehouse and its partner Experian lost the personal information of 2.4 million customers. In Germany, almost 18 million personal details of German citizens were stolen from the server of the German Bundestag (the national parliament of the Federal Republic of Germany) – the attack allegedly being due to foreign-sponsored Trojan malware.
The What, Why and Wherefore of Data Loss
The problem is that there isn’t one tactic or method that accounts for the loss of data; data loss can take many forms. The following shows the types of data lost by an organization:
- Cyberespionage / Intellectual Property theft. Price Waterhouse Coopers in their report on the Global State of Information Security 2015 estimated that the loss of trade secrets (IP) may be as high as $2.2 trillion annually. In the same report for 2016, they found that IP theft increased by 56% in 2015.
- Company financial details. This impacts companies of all sizes. There are a number of methods that are used to obtain access to company bank accounts. One example is shown in a recent FBI warning about company bank fraud, perpetrated by business email account compromise.
- Personally Identifying Information – PII (of your employees or customers) / identity theft. This is becoming a major issue, with some of the largest breaches of PII ever being seen in the last 12 months. The problem is growing because PII is increasingly used by web services as a method of identification and for identity assurance purposes. This means that once an individual’s personal information is out for sale on the cybercrime black market, it can be used for other attacks, as was seen in the IRS exploit.
- Data records: Data records are distinct from PII and can contain proprietary company information or items such as medical scans and so on. Stolen records can go onto the black market, fetching hundreds of dollars per record. The average cost of a health record, for example, is $363.
How Do Cybercriminals Steal Data?
The list below is not exhaustive, but it shows the areas of vulnerability within an organization and the types of tactics used to exploit information:
- Advanced Persistent Threat (APT). This takes the form of a long-lasting and slow exfiltration of data. It is most commonly used to extract proprietary information, such as intellectual property. An example of such an attack was performed on Google in 2009. The attack spread to other companies such as Adobe and Rackspace. In this attack, nicknamed ‘Operation Aurora’, it is alleged that Chinese hackers (possibly government sponsored) were behind an attack on the intellectual property of Google and the other targeted companies. The APT was a typical attack in which malware used a software vulnerability via a zero-day exploit, meaning the vulnerability was unknown to the vendor and therefore remained unpatched. The malware then sent data back to a ‘command and control’ center operated by hackers. APTs can lie undetected for long periods, during which time they send stolen information back to the central command center. Since the Google attack, APTs have become even more sophisticated and are designed to bypass traditional firewalls.
- Phishing and spear phishing. Phishing is one of the most popular methods of getting malware onto a computer. The report ‘State of the Phish’ estimated that in 2013-14, 95% of all cyberespionage attacks and 80% of all malware infections originated in a phishing or spear phishing email. Once a machine is infected, malware or spoof websites are used to exfiltrate data, including login credentials for company resources such as databases.
- Insider threat. This type of threat covers a gamut of issues, both malicious and non-malicious. Simple loss of data due to carelessness is a continuing problem for companies. Simple mis-delivery of emails, for example, causes up to 44% of data disclosure errors according to a Verizon report.
- Malware: As already mentioned, phishing is the way into an IT environment, but once in, it is malicious code that does the work. One particularly sinister form of malware is ransomware. This is where the malware encrypts your data, not only on your hard drive, but potentially out into the network and even Cloud storage. Once the data is encrypted, the cybercriminal presents a screen asking for money and promises to decrypt the data if you pay up – of course, the word of a cybercriminal is not worth much. Ransomware has exploded recently, up by 165% according to McAfee, and the costs for this type of malware alone were around $18 million in 2014.
How the Loss of Company Data Affects your Business
Loss of data isn’t just about the financial implications of the loss. It also affects your company brand and reputation. In fact, Ponemon has found that the biggest costs associated with an APT attack are to brand and reputation.
Fines for non-compliance when customer records and PII are stolen are becoming more commonplace and also affect company directors. For example, in the UK the Ministry of Justice was fined £180,000 for the loss of almost 19,000 prison records when an unencrypted and non-password-protected portable hard drive went missing. In the USA, the Target breach of late 2013, which saw the loss of around 40 million customer card details and 70 million customers’ PII, has resulted in a suite of class actions against the company. And data protection laws, which exist in most countries, are applied to company directors, resulting in large fines. For example, the U.S. Federal Trade Commission has a specific clause in its Act for Unfair or Deceptive Acts or Practices, which allows it to go after the directors of a company who haven’t used sufficient protection to prevent a loss of customer data.
How to Protect your Company Data
But all is not lost. There are mechanisms and tools that can help you minimize the risks coming your way from cybercriminals and even from accidental data loss by employees. The first place to start is to understand your data flows within your organization – both internally and with the outside world, especially via the Internet. Mapping your data flows is a fundamental part of your security strategy and will allow you to create a game plan for data protection.
Next is awareness. This may take the form of employee education, to allow, for example, a person to recognize a phishing attempt. But general awareness across all parts of an organization, from the board down, is crucial in creating defensive measures.
Using the right tools for the job is also an integral part of your overall security strategy for data protection. Based on your company risk profile and data flows (as mentioned earlier), the right tools for your company need to be identified and put in place. Traditional security tools like anti-virus still have their place, but more modern tools like smart web application protection solutions are an important part of the arsenal of any modern organization that has data flowing outside of the company perimeter.
Another area to be aware of is your authentication options for protecting application and data access – many data breaches start with the loss or theft of credentials. Sometimes these credentials are stolen from third-party suppliers, so it is important to ensure you have the correct credentialing process in place across the extended enterprise, including for mobile working (BYOD). Providing secure credential management options to control access to your company’s web applications, web services and data is a crucial part of your overall security strategy in protecting data.
With the right approach and the right tools in place, your company data can be protected, as well as your brand, reputation and director standing.
Michael Liebi is the founder of United Security Providers and now serves as a Board Member there.