Data leakage is a subject that is not well understood, yet it can have a devastating effect on a business.  It is a somewhat dry topic that many companies, particularly SMEs, pay little attention to, even when they understand the requirements of data protection at a high level.
 
Many data leaks are not the result of a cyber-attack at all (although plenty are, ransomware in particular).  They are more often the result of an employee making a simple mistake or, more likely still, doing something that they didn't know they shouldn't.
 
I'm reminded of an incident a couple of years ago at a government department, where magnetic media containing millions of records belonging to members of the public was sent somewhere it shouldn't have gone.  An employee was asked to download the data and send it out.  There was no policy in place for handling magnetic media, and the employee could hardly be blamed for doing what he was told.
 
Of course, these days electronic data handling makes mistakes like that much easier to make, and so they happen far more often.  The reputational damage from such mistakes can be catastrophic.
 
My subscribers will know that my focus is the SME, large and small.  So how does this affect them?  Not so long ago a small UK housing association suffered a breach when a disgruntled former employee leaked tenant data, exposing the names, addresses, financial details and tenancy agreements of around 3,500 tenants.  The case shows how an insider threat combined with inadequate access controls (in particular, access that was not revoked when the employee left) can lead to leakage of sensitive data in a small organisation.
 
Industry reporting and surveys show that data breaches are common among UK SMEs, with around 43% reporting some kind of cyber security breach or attack in the past year.
 
While not always individually publicised, these incidents often involve:
 
•	Phishing that leads to credential compromise
•	Unauthorised access via weak passwords or unmanaged devices
•	Malware/ransomware encrypting or exfiltrating business data
 
Breaches of this kind typically result in the leakage of customer contacts, invoices, employee records and sensitive business information, any of which can severely harm a small firm.
 
A widespread supply-chain attack affected companies using compromised versions of the popular 3CX VoIP desktop software, which was pushed to customers through the vendor's own legitimate update channel.  While this wasn't an attack on a single SME, it demonstrates how attackers target tools widely used by SMEs: one compromised vendor build put data and credentials at risk across a customer base of hundreds of thousands of businesses globally, and no individual customer could have detected the problem by checking the download's signature, because the signature was genuine.
 
Here at H2, when we are first approached by a prospective client and we begin our 15-day free trial to examine their requirements, one of the first things we find is that they don't know what data they are holding, or where it all is.  Oh, they have a general idea: it's on the cloud server(s), it's not on laptops or desktops, it's just the stuff we need to process our clients' requirements, and yes, we've only got one copy.  Then we install our software, which first carries out a discovery exercise, and we find that their laptops and desktops are holding many copies of the data that is on the cloud server(s).  How does that happen?  Over time, especially now that many firms employ hybrid working, i.e. split between the office and remote (home) locations, employees log on to the cloud, find they have a shaky internet link, download the data they need, work on it and then upload it again, forgetting to delete the local copy.  Or they need to share it, so they attach it to an email and send it out, forgetting, or perhaps not realising, that the data is now stored as an attachment on their email server, and in the recipient's mailbox as well.  Every one of those copies is outside the access controls and backups of the system it was supposed to live on.
 
Then comes the issue of audit trails.  If the ICO ever wanted to carry out an investigation, having an audit trail of who created, copied, deleted or forwarded what, and to whom, makes life a whole lot easier.  And let's not forget the member of the public who is fully entitled to submit a Data Subject Access Request, or DSAR, which requires you to reveal what data you are holding on that person.  The law insists on a response, normally within one month, and there are very few grounds on which you can refuse.  If you don't know where all the copies are, you can't answer honestly.  I know of a financial firm that took nearly three weeks to satisfy a single DSAR, taking an employee off billing for that time.
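To make the two points above concrete (stray copies of server data turning up on endpoints, and the effort of locating one person's data for a DSAR), here is an added example, written for this page and not H2's own software.  It builds a small constructed folder layout (a "cloud share", a laptop Downloads folder and a mail attachment store; the names and sample records are invented), then uses content hashing to find copies of the authoritative data wherever they sit, regardless of filename, and finally searches the whole estate for files containing a data subject's identifier.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 16) -> str:
    """Content hash, so a renamed download or a saved attachment still matches."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root: Path) -> dict[str, list[Path]]:
    """Map content hash -> every file under root with that exact content."""
    index: dict[str, list[Path]] = defaultdict(list)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            index[sha256_of(p)].append(p)
    return index


def stray_copies(authoritative: Path, endpoints: list[Path]) -> dict[str, list[Path]]:
    """Copies of authoritative-store content found outside it.

    Keys are the authoritative file's path relative to the store; values are the
    stray copies found on the endpoints.  Files unique to the store are omitted.
    """
    master = index_tree(authoritative)
    found: dict[str, list[Path]] = defaultdict(list)
    for ep in endpoints:
        for digest, paths in index_tree(ep).items():
            if digest in master:
                key = str(master[digest][0].relative_to(authoritative))
                found[key].extend(paths)
    return dict(found)


def locate_subject(roots: list[Path], identifier: bytes) -> list[Path]:
    """DSAR support: every file under roots whose content contains identifier.

    Whole-file read is fine for a demo; real tooling would stream and parse
    structured formats rather than byte-search them.
    """
    hits: list[Path] = []
    for root in roots:
        for p in sorted(root.rglob("*")):
            if p.is_file() and identifier in p.read_bytes():
                hits.append(p)
    return hits


def build_sample_estate(base: Path) -> tuple[Path, list[Path]]:
    """Constructed sample layout and records (hypothetical, not client data)."""
    tenants = b"name,address,rent\nA. Tenant,1 High St,650\n"
    invoices = b"invoice,amount\n1001,250.00\n"
    cloud = base / "cloud_share"
    laptop = base / "laptop" / "Downloads"
    mail = base / "mail_store" / "attachments"
    for d in (cloud, laptop, mail):
        d.mkdir(parents=True)
    (cloud / "tenants.csv").write_bytes(tenants)
    (cloud / "invoices.csv").write_bytes(invoices)
    (laptop / "tenants (1).csv").write_bytes(tenants)      # renamed local download
    (laptop / "notes.txt").write_bytes(b"personal notes\n")  # unrelated file, no match
    (mail / "att_0042.bin").write_bytes(tenants)            # sent as an email attachment
    return cloud, [base / "laptop", base / "mail_store"]


def run_demo() -> dict:
    """Run discovery and a DSAR search over the constructed estate."""
    with tempfile.TemporaryDirectory() as tmp:
        cloud, endpoints = build_sample_estate(Path(tmp))
        strays = stray_copies(cloud, endpoints)
        hits = locate_subject([cloud, *endpoints], b"A. Tenant")
        return {
            "strays": {k: len(v) for k, v in strays.items()},
            "subject_hits": len(hits),
        }


if __name__ == "__main__":
    result = run_demo()
    for name, count in result["strays"].items():
        print(f"{name}: {count} stray copies found on endpoints")
    print(f"files holding the data subject's record: {result['subject_hits']}")
```

Hashing rather than filename matching is the point: the download was renamed by the browser and the attachment has a meaningless name, yet both are found.  The same walk also answers the DSAR question, which is why knowing where every copy lives is the precondition for answering a request within the statutory month.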
 
We have a solution that meets these requirements, with discovery, audit trail and a built-in encryption system, all within the same monthly cost.  It costs nothing to trial, and we'd be very surprised if, once you've seen it and seen the low monthly charge for the managed service, you didn't want to keep it.