
Security Think Tank: Safeguarding PII in the current threat landscape

The threat of identity theft via a data breach is heightened with the rise of attacks where ransomware threat actors both encrypt and ransom, and exfiltrate and leak their victims’ data. How does this evolution in cybercrime heighten risk for the enterprise, and what steps can we take to safeguard the personal data we hold?

Data is one of the most valuable assets for many businesses today, making it a highly prized target for cyber criminals and meaning they will be persistent in finding new ways to attack their prey.

Identity theft – the deliberate use of someone else's digital ID to gain confidential information, financial statements or personal information from an organisation’s IT assets – is one of these attacks. And threat actors are continually evolving, taking advantage of new ways of working which can be used to breach networks, masquerade as legitimate IT users and exfiltrate data.

Increasing risk of ID theft

The increasing value placed on data had raised the risk of ID theft prior to the coronavirus, but the pandemic-forced lockdown has put additional pressure on those tasked with keeping an organisation’s data safe.

Working from home can lead to people being more relaxed and therefore less vigilant. There are various reasons for this: the lack of perceived supervision might cause people to be more flexible in how they use their work laptop, while also easing off on general security discipline, leaving a laptop unlocked for extended periods, for example.

In addition, remote working makes it more likely that people will receive a genuine email, chat message or text alert from senior management, so a crafted message that poses as one looks less out of place. Because posing as a senior team member is a well-used way for bad actors to infiltrate the network, this increases the chance of phishing attempts succeeding.

Everything is currently more remote through necessity, and using these channels opens up a more effective delivery method for cyber criminals to infect devices.

In short, the opportunities have grown as electronic communications have increased, but vigilance has decreased. Furthermore, with huge numbers of the workforce operating at home, detection tools have to monitor thousands more system access points than originally anticipated. That makes it harder to detect breaches and easier for the malware, ransomware and viruses to take root and spread.

Data loss and reputational damage

Cyber crime is not just about exploiting financial information about consumers. Protecting personal data has always been important, but the General Data Protection Regulation (GDPR) and other enhanced privacy regulations around the world have raised the stakes, with significant fines handed out for those that fail in this responsibility.

But a breach also results in reputational damage, especially if it is not managed to minimise the residual impact. Consumers can lose their trust in the organisation in question and, since trust and transparency are determining factors in which provider they select, this has a long-term effect on performance.

It is in everyone’s interests therefore for organisations to safeguard the information they hold.

Strengthening the human firewall

More often than not, cyber criminals repeat the same tactics, with phishing and social engineering still successful ways to gain illegal access to IT networks and, with it, access to consumer data.

The first level of protection against an organisation’s IT network being infiltrated is the ‘human firewall’ – in other words, the people employed. Educating users is one of the most important lines of defence for the IT estate.

This includes regular training so that people can spot malicious attempts at penetration, reinforced by testing – for example, in the form of fake malware messages being sent to ensure they are not acted on. At the same time, employees need to guard against poor security practices, such as downloading copies of documents and storing them on all their (potentially unprotected) devices.

Technical defence

Yet however vigilant humans are at guarding against bad actors, they need reinforcements in the form of technical defence.

The first place to start is in hardening application security and controls; pre-built, default ‘out-of-the-box’ settings are often not configured at all, or not configured correctly for the level of security required. Applications need to be set up based on the criticality of the system and the data it holds, and then regularly monitored and patched.

In addition, endpoint detection, network monitoring, security information and event management (SIEM) aggregation, and other monitoring tools should be used continually to identify unexpected behaviour so that the appropriate response can be taken.

Vulnerability assessment and penetration testing (VAPT) is next in the line of technical defence, and organisations should undertake this regularly for their key enterprise resource planning (ERP) applications.

Vulnerability assessments discover which vulnerabilities are present, but do not differentiate between flaws that can be practically exploited to cause damage and those that cannot be (due to other preventative measures in place).

Penetration tests attempt to exploit the vulnerabilities in a system to determine whether unauthorised access or other malicious activity is possible and identify which flaws pose a threat to the application.

Multi-factor authentication provides an additional channel to protect against data leaks as it guards against system access with just a username, password or email address. Typical methods include devices that act as a token to receive a code, third-party authentication apps and biometrics. In addition, the use of privileged access management (PAM) adds an extra layer of security to the privileged accounts used for high-level system access, limiting the reach of a breach.

The organisational perspective

When identifying threats and how to mitigate them, the third parties that process, store or collate information on behalf of the organisation also need to be considered. While the organisation itself might have a high level of security maturity, cyber criminals could find that targeting a small boutique company that holds copies of data yields the same results with much less effort.

Building contractual obligations for security practices and breach notification is essential to guard against this ‘backdoor’ access, as is vetting any third parties before data is transferred to ensure they meet the minimum requirements.

Organisations also need to understand their overall data landscape and apply appropriate security measures to reflect its sensitivity. Those that collect personal information that is not commonly gathered (such as customer preferences about certain topics), or material that could be damaging to individuals if released (dating sites, or stock exchange trading, for example), could be elevated up the list of targets for cyber criminals.

Performing threat intelligence exercises therefore becomes even more important to understand if the organisation is being targeted, if it is under attack, and the methods used by the identified attackers, in order that appropriate defences can be defined and executed.

It is also critical to connect the processes for security incidents with those for wider crisis management within the organisation. Legal, corporate relations and management teams all need to be aware of the potential impacts of a breach, with people from all relevant business units contributing to the discussions on the situation, along with what should be communicated and how.

IT security is a business responsibility

The organisational element of safeguarding personal data is only truly possible with a culture that considers risk mitigation an equal priority to areas such as overhead cost reduction and resource planning.

Here, it is useful to adopt a framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which can be customised to suit the specific risks of the organisation. It gives organisations of any size or industry the practical guidelines needed to manage risk; its simplified language, for example, establishes a common understanding of cyber security.

A framework of this nature creates a consistent approach to cyber risk throughout an organisation and in so doing encourages staff at every level of seniority to appreciate why IT security and protecting data is critical. All team members are more likely to incorporate security in their everyday activities, thereby reducing both the likelihood of a breach and the impact should one occur.

Read more from Computer Weekly’s Security Think Tank about protecting personal data
