How to safeguard data in the digital age

The evolving threats and emerging solutions of data protection

Olivia Powell
11/21/2023

Data protection is of utmost importance to companies. Even individual cyber attacks can cause devastating data breaches: the victim count of the MOVEit supply chain cyber attack seen in June of this year had reached 2040 organizations and 55.7 to 60.6 million individuals as of September 26, 2023, and is still growing.

The long-lasting consequences of this single cyber attack and subsequent data breaches demonstrate why data protection is integral to cyber security.

Additionally, the further ramifications of data breaches, for example lost revenue from customers choosing not to interact with a company any more following a data breach, also serve to demonstrate why data protection and privacy are so important.

There are many threats to data integrity including cyber attacks by malicious actors and software misconfigurations. Here, Cyber Security Hub explores how to overcome these issues and protect data. 

Contents 

  1. The current state of data protection
  2. The issues caused by bad data protection
  3. Ensuring good data protection and privacy
  4. Final remarks

The current state of data protection

When surveyed by Cyber Security Hub, almost one in three respondents (29 percent) said that secure data management was a top cyber security investment for 2023.

Additionally, secure access and basic security fundamentals and cyber security hygiene were flagged as a top investment priority for 24 and 23 percent of respondents respectively. 

To protect data effectively, Anthony Lim, fellow of cyber security and governance at Singapore University of Social Sciences, notes that cyber teams need to ensure basic data cyber security policies, solutions and practices are in place, such as:

  • Proper password and authentication regime including the use of two-factor authentication. 
  • Data encryption wherever feasible.  
  • A data-leakage prevention solution.  
  • Network segmentation and access control. 
  • Least privilege and zero-trust principles. 
  • Firewall, anti-virus or anti-malware software. 
  • Monitoring and logging of network and data movement activity. 
  • Consistent patching and updating of software applications, operating systems, middleware and other software.

When it came to non-cyber threat related issues for cyber security professionals, lack of company-wide training/understanding of cyber security was cited by 38 percent. More than a third (36 percent) said they had difficulty integrating cyber security into company culture and one in three (33 percent) said they struggled with a lack of budget for cyber security solutions. These issues can be problematic for data protection, as they can mean that companies are more susceptible to data breaches.

Nate Mendell, legal services partner in Morrison Foerster's Investigations and White Collar Defense and Privacy and Data Security practice groups, explains why: “The most frequent point of failure is user error – ‘own goals’ like clicking on a malicious link or failing to update and patch. The utility of threat intelligence depends on not just conveying information to users but getting them to act on that information. The solution is user engagement, and the strategy for that varies by institution and can be anything from limiting system access to timely prompts. Even humor can be effective!”

The issues caused by bad data protection 

Data breaches, leaks and thefts can have a number of causes, from targeted cyber attacks to software misconfigurations to human error. This section will evaluate the causes for data going unprotected and explore how they can be rectified. 

Software misconfigurations 

When surveyed by Cyber Security Hub, one in four (25 percent) of cyber security professionals said that their companies were investing in cloud security capabilities. As more companies invest in and migrate to the cloud, they should be aware of the risks that cloud can pose in terms of data protection. 

On March 6, 2023, DC Health Link, the provider of health insurance for those in the United States (US) Government, suffered a data breach that affected over 50,000 people.  

The cyber attack saw an unauthorized party gain access to the data of 56,415 current and past customers of DC Health Link, including 585 staff members and 17 members of the US Congress.  

In a message sent to employees on March 8, the US House of Representatives explained that the data breach had “potentially expos[ed] the Personal Identifiable Information (PII) of thousands of enrollees”.   

After the breach was discovered, DC Health Link reported it to the FBI and Google-owned cyber security firm Mandiant. Following this, the health insurance company notified six other federal agencies whose employees use DC Health Link for their health insurance.

Mila Kofman, executive director of DC Health Link, submitted documents ahead of her testimony before the House Oversight Committee on April 19, revealing that the data breach was caused by a misconfigured cloud server. 

This misconfiguration was, according to Kofman, caused by human error rather than malicious intentions, and once discovered was shut down immediately by the security manager at DC Health Link.  

Matt Kerr, CEO and founder of appliance repair site Appliance Geeked, notes that while cloud-based data storage can be equipped with cyber security measures to prevent data breaches, if a company hosts a large amount of valuable customer data, even a partial breach can have far-reaching negative effects.

This is because a company’s cloud storage contains “enormous hoards of extraordinarily valuable data”; even if an attacker only gains access to a fraction of this data, they can do real damage with it.

Human error 

When surveyed by Cyber Security Hub, the top non-cyber threat related issues for cyber security professionals were noted as a lack of company-wide training/understanding of cyber security and difficulty integrating cyber security into company culture. 

With telecommunications company Verizon finding that 74 percent of all data breaches include a human element, a workforce that is uneducated on cyber security and a working culture that does not take cyber security into account can have disastrous ramifications for data protection.

For example, on August 8, 2023, the Police Service of Northern Ireland (PSNI) suffered a “critical incident” after the personally identifying information of all those within the PSNI was published online. 

The “monumental” data breach occurred when a database containing the surname, initials, rank/grade, role and location of more than 10,000 serving officers and staff of the PSNI was mistakenly posted online following a Freedom of Information (FoI) request. The database was published to a “legitimate FoI site”. The data was accessible for around three hours before it was taken down. 

In a statement regarding the data breach, PSNI senior information risk owner, assistant chief constable Chris Todd said that the “unacceptable” cyber security incident was ultimately down to “human error”. 

Following the data leak, PSNI said an independent advisor would be conducting an “end to end review of [its] processes in order to understand what happened, how it happened and what [PSNI] can do immediately to prevent such a breach happening in the future”.

While evaluating a company’s processes can be beneficial for flagging areas where cyber security can be improved or increased, it is important to educate employees effectively to prevent a data breach. In order to do this, Robin Smith, CISO at Aston Martin, suggests a pro-social approach.

Pro-social cyber security training follows these principles:

Work: Fully understand the experience of the staff for whom you are engaging the security process. Do this through observation, interaction, and immersion.

Define: Process and synthesize the findings from this initial work in order to form a staff-centered view that will guide design collaboration. 

Ideate: Explore a wide variety of possible solutions through generating a diverse set, allowing security teams to step beyond the obvious and explore a range of ideas. 

Prototype: Transform the ideas into a concrete plan of action, learning and developing more empathy as teams explore potential outcomes.

Test: Use observations and feedback to refine prototype ideas, learn more about the staff’s adaptation(s), and refine the original view.

“The pro-social design approach enables the building of digital literacy to be focused on need, engaging and helping to optimize staff training time. The initial results are very pleasing with pro-social design now aiding protective technology planning and policy making. It also illustrates a determination to develop cyber solutions that are adaptive, resilient, and able to focus on optimizing cyber security,” Smith adds. 

Targeted cyber attacks 

Companies additionally have a duty to adequately protect the data they hold as it is frequently a target for malicious actors. Malicious actors will target personally identifying and other confidential information in order to sell it on the dark web to other hackers. They will also target confidential or sensitive information to manipulate their targets into paying a ransom for the data with the promise that it will not be released if a ransom is paid. 

An example of the devastating effects of targeted cyber attacks to steal private data was seen in the Medibank data breach which occurred in October 2022.

On October 13 Australian healthcare and insurance provider Medibank detected some “unusual activity” on its internal systems. The company was then contacted on October 17 by a malicious party which was later revealed to be part of the REvil ransomware group. The party said its aim was to “negotiate with the [healthcare] company regarding their alleged removal of customer data”. However, Medibank publicly refused to bend to the hacker’s demands. 

Medibank revealed the true extent of the hack on November 7, announcing that the malicious actor had gained unauthorized access and stolen the data for 9.7 million past and present customers. The information included confidential and personally identifying information on medical procedures, including codes associated with diagnosis and procedures given.

Following Medibank’s continued refusal to pay a ransom, the hacker released two files containing customer data called "good-list" and "naughty-list" on November 9, 2022. 

The so-called “naughty-list” reportedly included details of those who had sought medical treatment for HIV, drug addiction or alcohol abuse or for mental health issues like eating disorders.  

On November 10, they posted a file labelled “abortions” to a site backed by Russian ransomware group REvil, which apparently contained information on procedures that policyholders have claimed on, including miscarriages, terminations and ectopic pregnancies. 

A member of Cyber Security Hub’s Advisory Board shared that cyber security teams should frequently conduct cyber security hygiene tests and have a robust incident response plan in place to make sure that, in the instance of a breach, they are able to protect their data. The member also noted that cyber security teams should frequently check through the company’s assets and carry out response simulations while communicating the risks.

Another member also recommended that cyber security teams evaluate who has governance over the data that is held within the company to ensure that it is inaccessible to malicious actors even if they do manage to hack into the organization’s network.

Ensuring good data protection and privacy

This section will share key insight into how to ensure good data protection and privacy. It will give clear advice on bolstering data protection and increasing a cyber secure culture business-wide. 

To overcome the data protection issues discussed in this article, Singapore University’s Lim shares that organization managers and cyber security professionals need to have a central policy and clear visibility of their data, where it is being stored and which person oversees and authorizes this data storing process. 

Likewise, Lim suggests that a centrally managed data classification system must be enforced. This ensures that there is a complete overview of the company’s data and moves it “away from being a technological or operational matter and into management, political and bureaucratic territory”. This means that the cyber security team gains the support of executive management and means that those across the organization are involved in the cyber security of the company’s data.

In the case of a cyber security incident, by focusing on cyber resilience, companies can mitigate the impact of a cyber attack or data breach. 

Sourabh Haldar, threat policy implementation lead of information and cyber security at Standard Chartered Bank, explains why cyber resilience can be beneficial: “Cyber resilience considers all the possible impacts of threats and how to combat them. As an example, when looking to develop a cyber resilient security strategy, a cyber security professional may consider what would happen if a very advanced persistent threat actor breached their company’s perimeter and remained in its network for six months. 

“They will consider how they would cope with the discovery of such a breach, including minimizing the confidential and sensitive data a malicious actor could gain access to once in their network. By doing so, they can attempt to minimize the likelihood of a data breach.”

Final remarks

Cyber security teams face an uphill battle when it comes to adequately protecting personal, confidential and proprietary data. Both outsider threats like cyber attacks and insider threats like human error put this data at risk of being breached.

It is possible to reduce the likelihood of a data breach, however, by implementing robust cyber security training that focuses on raising the overall awareness of cyber security threats. Such training also helps engage employees outside of the cyber security team, meaning that these employees, as the first defense against threats, are better able to intercept and shut down cyber attacks.

Additionally, by focusing on creating a robust incident response plan, risk management and cyber resilience, cyber security teams can ensure that their company’s data remains protected. 

