As cyber-attacks become increasingly sophisticated and ransomware continues to pose a threat, worrying about security can be more than a full-time job. Taking steps to protect against security risks may seem like a daunting task — especially if your company is starting from a vulnerable position of not protecting enough information. However, as Chester Wisniewski, Senior Security Advisor at Sophos, points out, security doesn’t have to be as difficult as it seems. In fact, once you start putting incremental security systems and policies into place, protecting data gets easier and easier.
No matter where you sit within the organization, becoming more security savvy is one of the most important and impactful things you’ll do in your job and is the first step toward protecting your company against a potentially damaging breach.
We recently spoke with Wisniewski about his views on security (in particular, those involving data transfers) to understand where some of the greatest security risks occur and what business leaders should know in order to keep their organizations safe.
How have security concerns around data transfers evolved over the years?
The biggest changes in the way we move data around are coming from regulations. Today, 47 U.S. states and territories have data breach disclosure laws in place that require companies to report instances of misplaced data — especially if sensitive information, like financials, is misplaced. This has caused policies to change, technology to change and even procedures around how data is moved and authorized to be moved to change. Even as recently as 10 years ago, most organizations didn’t have a policy to protect data at all; it was all left up to the judgment of individuals.
Changes in technology in the workplace also create new security concerns. Most people’s jobs don’t have anything to do with technology itself, but they have to use technology to get work done. This can make employees unwittingly part of the security problem. Take the Bring Your Own Device (BYOD) movement as an example. BYOD is a huge benefit to companies who are getting a lot of extra productivity from staff while also fostering more flexible connectivity for employees. At the same time, it can create a serious risk if the proper security practices aren’t put into place.
Why do companies struggle with security during data transfers?
Part of the problem is that it isn’t easy to protect the information, and that creates a huge challenge. For instance, you can talk about things like encryption, but it can be very hard to put in place as a solution. Too often, encryption products rely on the user taking an action to protect information. Users may mean well, but often forget or can’t be bothered to take additional steps. So, the ability to automatically protect things would help make the “struggle” easier.
Another part of the problem is that people think they know better. They will be working on a spreadsheet and won’t see the harm in putting it on their iPad to work on at home. They think they are doing the company a favor: they are working for free on their couch rather than delaying the project because it takes too long to complete in the office. There is an assumption that when a device is in our personal possession, it’s safer than it really is. It’s important for people to recognize this.
What are some of the security risks that could occur during a data transfer?
When information is in motion and being sent from one place to another, the most likely risk is that it could be intercepted, stolen or observed. This is one place where we do a good job in general as a society. We use HTTPS for most of our online transactions now, which is encrypted and we don’t have to think about it. What we’re not very good at is authenticating whom we’re communicating with. When you’re on the Internet, unlike in person, it is hard to verify that you sent something to the right place. Even if data is sent in a secure manner, it is often accidentally sent to the wrong person. This is one of the most common reasons for information loss. Most of the information resulting in companies disclosing loss is actually happening by accidental disclosures from within the organization, rather than by external hackers.
Where are the biggest security holes when it comes to data transfers?
There are two main areas where employees often unknowingly contribute to security breaches: mobile and authorization.
On the mobile side, we’re seeing more information used and insecurely transferred to mobile devices. A lot of employees are going outside of company policy and using software like Dropbox and Google Drive and other products that specialize in cloud storage to send sensitive information for their own, often unauthorized use. This information gets sent somewhere not under the company’s control so that employees can access it on their own smartphones and tablets, on their own time.
On the authorization side, we’re talking about passwords. The vast majority of organizations still rely on just the password in order to log into their systems. At most companies, the theft of the password will unlock all of the employee’s information. If I’m able to gain access to your password, I now have access to everything you do.
Are there any situations that are more risky than others in data transfers?
There are a lot more social aspects coming into play in attacks. We’re hearing a lot right now about organizations being tricked into wiring money to other criminals. It is one of the least sophisticated attacks I’ve ever seen. We’re usually worrying about viruses and ransomware when we are researching threats, but we’re seeing more and more that criminals are using weak processes at companies to convince the CEO or CFO to authorize a wire transfer overseas because the procedures aren’t in place to validate authenticity. It goes back to that idea of, if I can gain the password of the person in the company who sends wire transfers, then I can log into the email as that person and send a message to the people in charge of finance and say, “I need to make a change. Instead of sending the $100,000 to Acme Company, I need you to switch account numbers.” There’s no malware or data theft involved, just basic attacks taking advantage of computers and employees.
Are there different security considerations for different types of data?
Every organization will have different ideas as to what information is most sensitive. Financial information will always be in that top bucket because, obviously, money means a lot to all of us, and none of us can operate our organizations without access to those assets. But there are other things that are equally important, depending on the organization. Companies have to recognize that they aren’t going to be able to protect all of the information all of the time, so you have to prioritize which information we apply the strictest requirements to, which information is middle ground and which information won’t cause much damage if something happens to it. One of the big mistakes many companies make is making everything ubiquitous all the time when they have a limited budget. Then you are running too thin and not doing enough where it is truly important. For example, our State of Encryption Today survey data shows that highly sensitive employee information like banking details are not always encrypted. We also saw that corporate financial information is not always protected with encryption.
What steps should be taken to protect that data better during transfers? Are there additional tips for those situations with added risks?
Encryption and authentication are the focus points. We know that encryption works, thanks to the Apple and FBI case. If there were a secret way to get access to the information, we wouldn’t have government and companies battling over whether we use it. That tells me that if we use encryption, my data is safe.
Then, once we take steps to protect all that information, we need to make sure people accessing it are doing so in an authorized way.
What technologies and policies should be in place to protect data transfers?
Sometimes it isn’t about protection, but about awareness. As we discussed earlier, a lot of these disclosures are accidental. Sometimes it helps to add authorization–an extra set of eyes–to make sure it isn’t sent to the wrong place.
I think encryption is the only effective way we have of stopping people from accessing information they aren’t authorized to access.
Most companies still have ideas of inside versus outside. There are computers and networks inside the company, and then the scary Internet or the mobile phone or the Wi-Fi at the café are on the outside. The information on the outside is at risk while the information on the inside is safe. That’s why we see so many data breaches. The criminals simply come to the inside and take everything because, on the inside, it isn’t protected. That’s our challenge: protecting that information no matter where it resides.