[BreachExchange] Protecting Your Data Security Blindspot

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 9 19:58:33 EST 2017


https://www.globalbankingandfinance.com/protecting-your-data-security-
blindspot/

Security breaches will be top of mind for all business professionals in
2017 and especially for those in financial services where the ramifications
of a breach can cost an organisation millions of pounds.  However, contrary
to what the flurry of news over cyber-attacks would have you believe, the
majority of these breaches were not caused by hackers, but by lost or
stolen laptops and mobile phones. While hacking accounted for 1 in 5 of all
breaches, lost or stolen laptops were responsible for more than a quarter.

 Confidential data stored on business systems such as laptops is both an
asset and a liability. As with any asset, the data should be protected, and
like any liability, it requires mitigating. Personal identification
numbers, payment information, passwords, customer information and
intellectual property are just some of the types of sensitive data that’s
stored on servers and employees’ laptops.

 The challenge is that laptops can easily be lost or targeted for theft.
Employees risk misplacing confidential, personal or company data, which
could get into the wrong hands, demonstrating that accidental data loss can
happen to anyone at any time. Laptops are a high-value item in the second
hand market, and more astute thieves are aware of the bigger value the data
may have over the hardware.

 Sensitive data is a high-value target for hackers and data thieves, and
you must assume the worst should an employee’s laptop go missing in the
event of an accidental loss or theft. Therefore, it is crucial that you
take steps to keep your data safe, should it end up in the wrong hands.

 The best way to protect the data stored on laptops is to encrypt it at the
hardware level using self-encrypting solid state drives (SSDs) – this
important data security step is often overlooked. New models often come
with low-grade preinstalled hard drives that lack encryption technology.
There are some that are sold with pre-installed hard drives withencryption,
however it’s usually software-based – one of the weakest forms of
encryption. Software-based encryption slows down a computer system’s
performance and productivity, whilst also putting the data at risk of being
compromised. This is because the software protocol relies on the operating
system and remains vulnerable to rootkit attack.

Self-encrypting SSDs, on the other hand, use top-level AES 256-bit
encryption technology that’s built into the storage drive to encrypt all
data at the hardware level. This is the type of encryption the most
risk-prone industries (financial services, for example) need to use as it
helps enhance security and minimise liability.

If your organisation does become the victim of a breach or data loss, then
the repercussions can be severe. Under the Data Protection Act, all
organisations are liable to receive a significant fine from the Information
Commissioner’s Office (ICO) for losing customers’ sensitive data. Risk
management frameworks, such as ISO 27001 and COBIT, gives financial
services organisations guidelines on how to best comply with data
protection laws, which will become more stringent.

 Next year the EU General Data Protection Regulation (GDPR) will become
enforced. This act will allow the ICO to enforce penalties which could
reach the upper limit of €20m or 4% of an organisation’s global turnover –
whichever is higher. For example, if the Tesco Bank hack from last November
happened after GDPR goes into effect, this would have meant that Tesco
would face upwards of £1.9bn in fines. Soon a breach will more than a
public relations nightmare, but a huge financial setback or even bankruptcy.

Financial services organisations rely on confidential data, which includes
sensitive customer data, company financial records and authentication or
access controls. Using self-encrypting SSDs to lock up the data in laptops
helps protect the integrity and confidentiality of your organisation’s
data, and as an added benefit, can improve business productivity by
eliminating the use of slower mechanical hard drives.Studies have concluded
that SSDs are six times faster than traditional hard drives, meaning
organisations can work faster and improve productivity, whilst also
ensuring data security.

With so much focus on cyber attacks, there is a risk of overlooking data
security at the hardware level – making this a dangerous blindspot for
financial services organisations. Putting the right safeguards in place for
data security requires extra precautions. Doing so will help prevent losing
data that your organisation has a legal requirement to protect. Protect
your organisation’s sensitive data by swapping out vulnerable preinstalled
hard drives, and encrypting the data at the highest level. Your data is an
asset and a liability – don’t let it get into the wrong hands.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170209/50dda72a/attachment.html>


More information about the BreachExchange mailing list