In an Interconnected World, Data Security is a Shared Responsibility

Taking active steps to safeguard your organization’s digital presence on and offline is not a new recommendation; if anything, elaborate security measures are emblematic of our times.  Passwords, multi-factor access protocols, biometrics and other forms of user authentication have become standard, and for good reason: the incidence of data loss, theft and misuse is huge.  Data compromise – whether it involves personal, business, or government files – has become so common that only the most egregious consumer-facing cases make the evening news today.  

That’s understandable; sometimes the owners of business data effectively pin “kick me” signs on top of their most sensitive files.  An astonishing volume of data is exposed to pretty much anyone interested in harvesting it, whether through poorly configured security settings, indifferent employees, or a reluctance to update legacy software.  And the situation is getting worse.  Digital Shadows’ Photon Research Team scanned the landscape of online file storage technologies and found more than 2.3 billion exposed files, a 50 percent increase from similar research just one year earlier, with Europe accounting for the largest share, followed by the Americas, Asia, and the Middle East, respectively.  

With exposures on the rise, it’s not surprising that ransomware extortion has become such a growth industry. And the methods used by ransomware attackers have become more cunning as well. The industry standard for ransomware mitigation has been to back up files so you can quickly revert to saved copies and avoid downtime or payments to the attackers in case of infection. But Digital Shadows’ same research effort identified more than 17 million ransomware-encrypted files among file stores often used to back up systems. One particularly aggressive variant, NamPoHyu, was found to be solely responsible for encrypting more than 2 million files since its discovery in April of this year. Backing up data is no longer sufficient to solve the problem of ransomware: a backup that sits on a share reachable from the same network, with the same credentials, gets encrypted along with everything else. Backups need to be secured too, kept offline or immutable and protected by access controls separate from those of the systems they protect. 

Not all data leaks and exposures result from the actions, inaction or neglect of their owners, however. Increasingly, they can be traced to third parties – contractors, suppliers, vendors and other firms in the company’s supply chain with legitimate access to the client’s files – companies that provide services such as data management, storage and processing.  

It is now routine for larger enterprises to have an extensive network of specialized suppliers and partners, many of which are small companies whose own cyber defenses are nowhere near as robust as those of their clients.  The notorious 2013 attack on Target, which resulted in the massive compromise of its customers’ payment card details, began with network credentials stolen from an HVAC contractor; the attackers used that legitimate third-party access as a foothold from which to reach the company’s point-of-sale systems.  Add to that the growing use of Internet-connected wireless devices, and you have a toxic stew of opportunities for mischief.

However, this growing base of interconnections is not limited to big corporations; essentially every individual and business, regardless of size, is embedded in a maze of online relationships, many of which may be hidden from the user.  What it means is that the attack surface (the sum of all the different points where an unauthorized user can attempt to extract data from an organization’s digital environment) is expanding rapidly, and it grows with every connection rather than just with the systems you own.  Your fiendishly difficult password offers little protection if a third party’s connected system unwittingly exposes the same data you are determined to safeguard.  And those gaps in the armor cascade onto every sector they’re linked to.

Of course, not every file exposed to unauthorized parties is highly sensitive; there’s plenty of routine material – product orders, receipts, shipping labels, and customer complaints in there as well.  But payment information, customer data, product roadmaps, sales strategies, schematics, security assessments, financial and legal documents as well as credentials to access other systems can be of tremendous value to a competitor or to someone looking to monetize that information through fraud, extortion, dark web sales, or inflicting reputational damage. 

The potential for losing millions of sensitive files at the same time is a relatively new phenomenon.  Of course, thefts of information have been going on forever.  But swiping a document or stealing a folder was a comparatively small loss; the physical demands and risks of stealthily removing papers from a desktop or file drawer are considerably greater than those associated with using a few keystrokes from halfway around the world to pilfer data on an industrial scale.  It’s enough to make you nostalgic, but there’s no turning back; digital transformation has become essential to remaining competitive, and the associated risks to your enterprise will continue to grow as outsourcing and system integration trends spread. 

So, what does that mean for a company that takes data security seriously?  For one thing, it means that in dealing with vendors, trust alone is not a strategy.  Instead, security needs to be a collaborative effort.  Standards for mitigating risks need to be set for third parties and written into the contracts that grant them access, and ongoing monitoring of vendors has to be part of that, because a vendor’s security posture at the time of onboarding says little about its posture a year later.  Beyond that, there are independent organizations whose primary business is assessing the security of different vendors.  They may not tell the whole story, but they certainly offer a start. 

Even then, it is prudent for a company, in coordination with its vendors, to set security directives, run simulations, and assess the impact of potential failures in order to prioritize the measures required for the different categories of data it maintains.  

If it takes a whole village to raise a child, it takes a whole community of vendors and business partners to build a secure data environment.  

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
