Security isn’t as hard as it looks. It might seem scary and daunting, especially if your company is starting from a bad position and not protecting enough information. With the rise of ransomware and the increasingly sophisticated cyberattacks, worrying about security is a full-time job. However, as Chester Wisniewski, Senior Security Advisor at Sophos Canada, pointed out, once you start putting security systems and policies in place, protecting data gets easier. Becoming more security aware is also one of the most important and impactful things you’ll do in your job.
We recently spoke with Chester about security, particularly involving data transfers and where the greatest security risks are.
How have the security concerns around data transfers evolved over the years?
The biggest change in the way we move data around is coming from regulations. Forty-eight states have data breach disclosure laws in place, so if data, especially sensitive information like financials, is misplaced, companies are required to report it. That has caused policies to change, technology to change, and even procedures around how data is moved and authorized to be moved need to have policies put in place. Even as recently as ten years ago, most organizations didn’t have a policy to protect data at all; it was all left up to good judgement.
Why do companies struggle with security during data transfers?
Part of the problem is that it isn’t easy to protect the information, and that creates a huge challenge. For instance, you can talk about things like encryption, but it is hard to put in place. Too often, technology doesn’t lend itself to that very well. The ability to automatically protect things isn’t happening or is too difficult to do, so it isn’t being done.
Another part of the problem is that people think they know better. They will take a spreadsheet and don’t see the harm in putting it on their iPad to work on at home. They think they are doing the company a favor -- they are working for free on their couch rather than delaying the project because it takes too long to complete in the office. There is an assumption that when a device is in our personal possession, they are safer than they really are.
What are some of the security risks that could occur during a data transfer?
When information is in motion and being sent from one place to another, the most likely risk is that it could be intercepted, stolen, or observed. This is one place where we do a good job in general as a society: We use HTTPS for most of our Web transactions now, which is encrypted and we don’t have to think about it. What we’re not very good at is authenticating who we’re communicating with. When you’re on the internet, unlike in person, it is hard to verify that you sent something to the right place. There are a lot of accidental data that is sent in a secure way but to the wrong person. This is one of the most common reasons for information loss. Most of the information resulting in companies disclosing loss is happening by accidental disclosures than by hackers.
Where are the biggest security holes when it comes to data transfers?
There are two main areas: mobile and authorization. We’re seeing more information used and insecurely transferred to mobile devices. A lot of employees are going out of company policy and using software like Dropbox and Google Drive and companies that specialize in cloud storage. Employees are taking sensitive information for their own use and often authorized use and sending it to somewhere not under control of the company so they can access it on their own smartphones and tablets on their own time.
On the authorization side, we’re talking about passwords. The vast majority of organizations still rely on just the password in order to log into the systems. At most companies, the theft of the password will unlock all of their information. If I’m able to gain access to your password, I now have access to everything you do.
Are there any situations that are more risky than others in data transfers?
We’re hearing a lot right now about organizations being tricked into wiring money to other criminals. It is one of the least technically complicated attacks I’ve ever seen. We’re usually worrying about viruses and ransomware when we are researching threats, but we’re seeing more and more that criminals are using weak processes at companies to convince the CEO or CFO to authorize a wire transfer overseas because the procedures aren’t in place to validate authenticity. It goes back to that idea of I can gain the password of the person in the company who sends wire transfers, then I can log into the email as that person and send a message to the people in charge of finance and say “I need to make a change. Instead of sending the $100,000 to Acme Company, I need you to switch account numbers.” There’s no malware or data theft involved, just basic attacks taking advantage of computers and employees. There are a lot more social aspects coming into play in attacks.
Are there different security considerations for different types of data?
Every organization will have different ideas of what information is most sensitive. Financial information will always be in that top bucket because, obviously, money means a lot to all of us and none of us can operate our organizations without access to those assets. But there are other things that are equally important, depending on the organization. Companies have to recognize that they aren’t going to be able to protect all of the information all of the time, so you have to prioritize which information we apply the strictest requirements to, which information is middle ground, and which information won’t cause much damage if something happens to it. One of the big mistakes many companies make is making everything ubiquitous all the time when they have a limited budget. Then you are running too thin and not doing enough where it is truly important.
What steps should be taken to better protect that data during transfers? Are there additional tips for those situations with added risks?
Encryption and authentication are the focus points. We know that encryption works, thanks to the Apple and FBI case. If there was a secret way to get access to the information, we wouldn’t have government and companies battling over whether we use it. That tells me that if we use encryption, my data is safe.
Then, once we take steps to protect all that information, we need to make sure people accessing it are doing so in an authorized way.
What technologies and policies should be in place to better protect data transfers?
Sometimes it isn’t about protection, but about awareness. As we discussed earlier, a lot of these disclosures are accidental. Sometimes it helps to add authorization, an extra set of eyes to make sure it isn’t sent to the wrong place.
I think encryption is the only effective way we have of stopping people from accessing information they aren’t authorized to access.
Most companies still have ideas of inside versus outside. There are computers and networks inside the company and the scary internet or the mobile phone or the WiFi at the café are on the outside. The information on the outside is at risk while the information on the inside is safe. That’s why we see so many data breaches. The criminals simply come to the inside and take everything because on the inside, it isn’t protected. That’s our challenge, protecting that information no matter where it resides.