[BreachExchange] Data Loss Prevention and Cybersecurity: A Practical Guide

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 13 20:02:41 EDT 2017


http://www.publicceo.com/2017/06/data-loss-prevention-and-cybersecurity-a-practical-guide/

Cybercrime has become a focal point of national security and a frequent
topic in discussions of risk management. News about major corporate and
government breaches affirms that no organization or public agency is immune
to a persistent, skilled attacker. Critical infrastructure is also
increasingly becoming an attractive target for criminals due to its growing
reliance on technology.

Why Are Criminals Targeting Sensitive Data?

Adapting and responding to evolving cyber threats and protecting critical
infrastructure and proprietary business assets are essential for both
government agencies and businesses. “Post-mortem” analyses of breaches
offer a treasure trove of lessons learned and reveal attack tactics,
techniques and procedures.

Cyber criminals leverage technology vulnerabilities and trickery to exploit
the human-technology gap by targeting sensitive passwords, data and
applications regularly used by staff. Data theft is the goal of most recent
breaches. Cyber criminals typically break into vulnerable systems and pivot
between systems using stolen credentials or posing as a third-party
contractor to gain access to valuable data.

Targeted confidential data comprises personnel records, public billing
information, credit card numbers, financial or health records and more. The
theft of your city’s legally protected data can result in significant
regulatory fines, loss of public trust and damage to the city’s reputation.

Fortune.com estimates that in 2016, the cost of data breaches averaged $4
million, or $158 per record. Medical history, credit card data and
Social Security numbers have the highest cost per stolen record at $355.

Sensitive Data Risk Management

Data is the new currency. Traditional currency and property risk-management
techniques also apply to protecting against cybercrime. Regulated or
sensitive data has monetary value and makes an attractive target for
cybercriminals. Reducing the amount of regulated data stored on hand is
equivalent to cash management practices, such as moving excess cash from
registers to a hardened safe or transporting it to a bank’s vault.
Unrestricted and unmonitored employee access to a large amount of cash is
typically prohibited; however, public agencies often fail to apply the same
level of scrutiny for employee access to regulated or sensitive data.

Eliminate Unnecessary Sensitive Data

Removing and reducing the amount of unnecessary sensitive data offer the
best protection against data loss. An attacker cannot compromise records
that simply don’t exist.

Retaining and storing sensitive data increase the agency’s liability in the
event of a breach. Unfortunately, many organizations have stale worksheets
and other files containing sensitive or regulated data that may have been
overlooked or forgotten. Such files may contain sensitive information such
as Social Security numbers, birthdates and other personally identifiable
information (PII).

“Unnecessary duplicate copies of records and those kept past the time
specified by agency retention policies — with or without sensitive
information — are avoidable pitfalls,” says Colleen Nicol, city clerk for
the City of Riverside. “Although it’s not glamorous work and admittedly
time-consuming, designating sufficient resources and giving high priority
to cleanup and ongoing file maintenance greatly reduces risk for the
agency.”

Having employees manually review large numbers of files for potential PII
is daunting and labor intensive. Data classification and loss prevention
products help facilitate automated discovery, classification and
remediation of sensitive and regulated data.

Such automated discovery tools may run overnight or for a period of a few
months, depending on how much data your agency retains. The initial
discovery process often highlights aged and unmaintained data as well as
extensive duplication of data. For example, employees typically save
multiple versions of reports, sensitive documents and billing information
on their local systems and in email or shared network drives.

Automated data loss prevention tools also reveal risky business processes.
Cities can take this opportunity to:

- Involve employees and ask them to review the reasons for storing such data;
- Help employees better understand records retention policies; and
- Make the appropriate business process changes to store data in a secured
  system of record such as a financial system, rather than in offshoot
  spreadsheets and reports. This will help ensure better data cleanup and
  elimination of duplicate data.

Secure applications can be designated as authorized containers for
regulated data to address encryption, authentication and auditing
requirements.

Create Safe Zones for Sensitive Data

After data cleanup and hygiene techniques are in place, there are several
ways to better secure remaining sensitive data. Such data should be
encrypted and only designated individuals allowed to access it. This
role-based access should be supplemented with audit logs, similar to the
restrictive nature of modern-day electronic safes and bank vaults with
auditing capabilities.

Encrypting sensitive data while it is in transit is another important way
to protect it. This is the equivalent of an armored
transport vehicle that protects valuables traveling between safe locations.
Much like fire, earthquake, auto or professional liability insurance, cyber
liability insurance provides protection against the remaining risk that
cannot be addressed through other risk mitigation techniques.

Cities should also monitor sensitive data throughout its lifecycle within
the organization. Technology solutions can enforce encryption or prevent
the data from leaving the agency. Encryption technology protects the data
if a device is stolen, effectively reducing the value of the loss to the
cost of the stolen hardware.

Prevent the Release of Sensitive Data

To detect and prevent the release of sensitive data, implement business
process oversight protocols and automated tools. Sensitive data stored
outside the designated systems can be compromised due to employee
oversight, be missed or inadvertently omitted as part of a larger dataset,
or be stolen.

The sheer volume of data in the average public agency environment —
combined with the lack of visibility and classification of regulated data —
is bound to result in a breach. Numerous examples illustrate this. For
example, in response to a public records request, Poway Unified School
District in 2016 released to one parent the records of 36,000 students,
including district-based test scores, some of which are protected
information under the Family Educational Rights and Privacy Act. The
University of California, Santa Cruz, suffered a breach in 2017 when
thieves stole two laptop computers with unencrypted, regulated data. And in
another instance, in 2017, a Boeing employee asked his spouse to help him
with a spreadsheet formatting issue. The employee sent the spreadsheet file
from work to his spouse and did not realize that the document contained
hidden columns with over 35,000 employee records, including Social Security
numbers and dates of birth. Although this event did not happen in a public
agency setting, it nevertheless underscores the ease with which such lapses
can occur.

Technology solutions can intercept such data before it is accidentally
emailed to someone outside the organization.

Classify, Discover, Monitor and Protect Sensitive Data

Most data breaches involve exposure of sensitive data outside designated
secure zones or authorized systems. It’s not unusual for public agencies to
find unencrypted sensitive data on employees’ laptop and desktop computers,
shared network drives and removable media, such as thumb drives.

Cities should treat data in the same manner as cash. Regulated data should
be identified, classified, appropriately marked and encrypted on all
systems throughout the agency. The movement of regulated data must be
monitored and prevented from leaving designated systems to prevent
accidental release or theft. Data loss prevention scans should be performed
on all records before release to identify any regulated data that should
have been redacted within a larger data set request. Encrypting stored data
within protected systems and on users’ computers and removable media
protects agencies against equipment theft.
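
An added example, not part of the original article: a minimal pre-release
scan in Python that checks every field of a CSV export for Social Security
and payment card numbers before the file leaves the agency. The patterns,
function names and sample rows are constructed for illustration.

```python
import csv
import io
import re

# Candidate patterns; the structural checks below cut false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area, group, serial):
    """Reject values never issued: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scan_export(csv_text):
    """Return (row, column, kind, masked value) for every hit in every field."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in row.items():
            for m in SSN_RE.finditer(value or ""):
                if valid_ssn(*m.groups()):
                    findings.append((row_no, column, "ssn", "***-**-" + m.group(3)))
            for m in CARD_RE.finditer(value or ""):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):
                    findings.append((row_no, column, "card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


# Constructed sample export; "notes" stands in for a field the requester never asked for.
SAMPLE = """name,score,notes
A. Student,87,SSN 219-09-9999 on file
B. Student,91,ticket 000-12-3456 closed
C. Student,78,paid with 4111 1111 1111 1111
D. Student,66,ref 1234 5678 9012 3456
"""
```

Only rows 2 and 4 of the sample are flagged: the other two look like
regulated data but fail the SSN structure check and the Luhn checksum.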

Conclusion

No amount of funding or technology tools can prevent all data breaches.
However, cities can significantly reduce the risk of data breaches by
raising employee awareness through cybersecurity awareness and data hygiene
training, creating strong policies around PII data, scanning and removing
outdated and duplicate data and implementing protocols to prevent data from
leaving the agency.