/pcq/media/agency_attachments/L8pkS8gpnodJThOdAfv1.jpg)
Follow UsQ: What are the various stages in which a data breach takes place?
Naik : A data breach is the exposure of business information in an unauthorized manner, either through negligence or malicious action. Data breaches can be caused by individuals or organizations with malicious intent from within and outside the organization, or through employee negligence or ignorance. Malicious data breaches typically have four stages:
Phase 1: Incursion. Criminals break into the company's network by exploiting system vulnerabilities, using default password violation, SQL injection, or targeted malware.
Phase 2: Discovery. The attacker maps out the organization's systems and automatically scans for confidential data.
Phase 3: Capture. Exposed data stored by well-meaning insiders on unprotected systems is accessed. In addition, rootkits are surreptitiously installed on targeted systems and network access points to capture confidential data as it flows through the organization.
Phase 4: Exfiltration. Confidential data is sent back either in the clear (by Web mail, for example), wrapped in encrypted packets or zipped files with password protection.
Q: What are the 5 most common data breaches organizations face?
Naik: The seriousness of a data breach can vary depending on the type of information exposed, its importance to the organization and its relevance in context to the nature of the business. This is one reason why point solutions or a one-size-fits-all approach does not work in the case of data loss prevention. Some common types of data breaches include:
1) Insider breaches: Experienced by 75 per cent of the surveyed respondents in India, criminal insiders range from disgruntled thieves with emotional motivations for compromising information, such as a sense of entitlement or ownership of the data, to careful tacticians who plan a breach carefully and patiently in order to gain maximum profit from it.
2) Loss/theft of data-bearing devices: Enterprise mobility has become a reality, and the productivity benefits are accompanied by risks. As organizations increasingly run line-of-business applications from mobile devices, their loss or theft can pose a significant danger to corporate data. This puts the focus on technologies such as encryption, authentication and data loss prevention. A fifth of Indian organizations experience this type of breach.
3) Identity theft: According to Symantec Internet Security Threat Report 17, identity theft was one of the most widespread motivations for data breaches in 2011. Approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached through hacking attacks.
4) Third-party flub: The Cost of Data Breach study reported that 30 per cent of Indian respondents said their data breach involved one or more third parties — including outsourcers, cloud providers and business partners. As transactions in the digital world become increasingly complex, connecting multiple, dispersed systems and people, errors by third-parties result in exposure of information.
5) Targeted attacks: In today's threat landscape, we are seeing attacks that are specifically crafted to target certain types of information of specific organizations. Targeted attacks usually involve the attacker seeking out a vulnerable individual — which could be anyone from the CEO to a more innocuous target such as HR, PR or administrative personnel — designing an attack to trap that particular person (using spear phishing techniques). Once the target has been locked and loaded, the attackers silently drop malware into the system. Once the network has been infiltrated, the malware stays in hiding until the required information is located, after which it swings into action and relays the data back to the attacker. 25% of data breaches in India take place through phishing and social engineering.
Q: How can organizations do risk assessment of data breaches?
Naik: It is said that he who protects everything protects nothing. A good DLP solution should be risk-based, which means protection is prioritized based on the importance of information to organizations. For example, in a manufacturing unit, design documents may be crown jewels that require the most protection, while there may be other types of non-critical information. Risk assessment involves knowing what type of data resides in the organization, classifying and prioritizing the sensitivity of data, and monitoring how data is being used. Risks can be reduced when organizations have visibility into the patterns in which information is shared, and define, enforce policies that prevent data from being exposed in an unauthorized manner.
Q: How does cost analysis affect mitigating data threats?
According to the Symantec Cost of a Data Breach Study, it costs Indian organizations INR 2,105 for each lost or stolen record, with the average total organizational cost of data breach being INR 5.34 crores. Victims lost INR 1.46 crores on average in business costs, suggesting that customers abandon the organization after a breach and rebuilding loyalty or maintaining reputation can be expensive. Customer churn was particularly high in the communications and technology industries.
At the same time, there are some factors that reduce the impact of breaches. Organizations with a C-level security professional (such as a Chief Information Security Officer) had an average per capita cost 46 percent less than those that did not.
Q: Who are the main perpetrators of these data breaches?
The sources of a data breach can be categorized into three:
Well-meaning insiders: Over a third of the victims experience data breaches due to negligent insiders whose carelessness causes breaches. This includes employees who lose devices with sensitive data, misdirect emails or official data, cause internal data spills, fall victim to social engineering and bypass key processes.
Malicious insiders: Malicious insiders are a very common source of a breach. Three out of four victims of malicious attacks experienced such breaches, according to the study.
External attackers: These are perhaps the most commonly considered security risk, and rightly so, since they cause the most expensive data breaches. Malicious/criminal attacks, while experienced by 20 per cent of victim-organizations, were also the most expensive, costing significantly more than the average, at INR 4,224 per record.
How Organizations Can Prevent Data Breaches
What causes employees to retaliate against their organization and steal data? What kind of methods do they use? We quizzed Nair more...
Why do employees get involved in severe data breaches?
Nair: There are two kinds of IP thieves with differing motives:
- The entitled, disgruntled thief: This employee was at least partially involved in developing the information he stole, and has become dissatisfied with his position or the company. In some cases this leads him to feel he was entitled to take the information with him as he left the job. In other cases, he may have intended to use the information to further his career. Shortly before leaving, he would copy the information, using it to either get or perform at his new job. He rationalized his actions by convincing himself that other employees were doing the same, or that the company would be unable to trace the theft back to him.
| 3 Ways To Empower Employees Against Data Breaches 1) Employee Education One of the simplest methods an organization can adopt is to educate employees about keeping their data secure. According to Sesanka Pemmaraju, CISO, Hitachi Consulting, India, “On top of cyber security training during induction, we also conduct a yearly event where the IT security team does rounds of the office and quizzes employees on data security. The one who wins gets a prize from Hitachi which is valued”. By holding regular training and enrichment sessions, employees will have it at the top of their minds. 2) Manage Portable Drives One of the primary ways to copy data is onto a USB stick. However, a user should be authorized to perform such an action, especially on company property. “With the Symantec DLP installed, our IT administrators receive a red flag immediately once an employee inserts a removable media. We then approach the concerned person directly to stop unauthorized access”, says Pemmaraju, on how it is implemented in Hitachi. 3) Control Remote Access Even though enterprise mobility is the next “big”thing, organizations need to be shrewd on control policies for devices used to connect to the network. For example, we learnt from V C Gopalratnam, VP-IT, Cisco India that Cisco allows employees to use their own devices for work, but implements a network layer policy that restricts usage of unknown devices and unknown users. An authentication test of the device has to be passed for the device to connect. Also, a mobile device has very limited access and priorities, so no mission-critical information can be accessed on the device. Such robust policies have to be implemented to prevent unintentional loss by an employee from losing his personal device. |
- The machiavellian leader: The primary motivation of this thief is ambition. He has specific plans to use the information, either selling it to another organization or using it to develop a new, competing product. Unlike the disgruntled employee, he plans the theft carefully, perhaps even creating a new business and recruiting fellow employees to assist in the theft. He may have begun to steal the information more than a month before leaving the company and is less likely to show outward signs of dissatisfaction or impulsive behavior.
Whatever the motive for the theft, the employee becomes a goal-oriented tactician, evaluating the necessary knowledge, skills and activities for extracting the protected information without being caught. This operational planning is often dynamic, based on the protective challenges employed by the company.
Further, there are six channels through which IP thieves compromise critical information-email, removable media, printed materials, remote network access, file transfer or downloads to laptops. With the twin strategic trends of cloud computing and mobility enabling anytime/anywhere access to information, the window of opportunity opens further. The greater the motivation and capacity of the rogue employee, coupled with ineffective or inappropriate applied surveillance or protective measures, the higher the likelihood of success.
The negligent insider, on the other hand, is the one who compromises information. This is the individual who leaves his tablet on the backseat of a cab, or, while working on his laptop at the airport, reveals data to those sitting next to him. It could also include emailing errors such as sending a confidential database to the wrong email ID, since most popular email systems include the autocorrect feature. Another sign of the negligent insider is the one who copies information on unprotected or unauthorized devices that are not governed by company policy, to work from outside office.