The rapid move to home working due to COVID-19 has stretched many IT teams to breaking point. The sheer pressure to help set up home networks, support personal devices and divert telephone systems, has been a massive task, writes Colin Tankard, pictured, Managing Director of cyber security company, Digital Pathways.
In many cases, little planning was done, and over the weeks of the lockdown, the attitude was ‘keep things going’, for fear of breaking something. Companies now face the dilemma of finding where their data has been copied to, who has access to it and, whether or not it has been protected. IT teams are finding data stored on back up systems such as Dropbox, linked to an employee’s home network and stored within emails, which have been sent as a simple way to share information. Most worrying of all, are the employees who use their personal devices which could be shared with other members of the family, who themselves could be sharing the information.
In a recent survey by Netwrix, 40 percent of organisations are uncertain as to the whereabouts of their vital information and the number of exposed sensitive consumer records is increasing by 126 percent year-on-year. US-based companies are predicted to account for more than half of all breached data globally, by 2023. The challenge of selecting an appropriate service that will satisfy these concerns, as well as help to establish an effective data security strategy through the discovery, classification, protection, and remediation of an organisation’s internal data, is now an overwhelming priority.
The risk of losing track of data is immense. It will be a significant problem should a company have a data breach and face an Information Commissioner’s Office (ICO) investigation, or worst still, receive a Subject Access Request (SAR) and have only 30 days to find the data. Not finding all the data could mean a company fail in its legal requirement and suffer crippling fines.
As we work through the security/privacy landscape and consider how to keep control of data sharing, it is evident that unstructured data on endpoints is a risk for any business. A starting point is to adopt a solution to scan structured and unstructured data locations for sensitive data and then protecting that information. Once data has been discovered, which is deemed sensitive, action can be taken by:
– Classifying the data and protectively marking it, to ensure it is not shared
– Moving any data out of insecure locations, such public cloud storage or within emails, especially if a cloud service, such as 365 or Gmail, is used, and locate it in an encrypted, secure storage domain whilst alerting business/data owners of the type of data and its new location.
A scanning solution will also simplify handling a SAR, as it will search all identified company data locations, even inside emails, for the requested information. At the end of the search, data can be retrieved, anonymised as needed and presented to the requestor with evidence of the completeness of the scan, which is invaluable should the SAR be escalated to the ICO, for further investigation.
Controlling data access
Once data has been brought back under control, access rights should be considered, as many companies do not keep tabs on user data access privileges. This lack of visibility into access rights makes it hard to track data sharing. According to the survey, only half of all organisations are confident that employees are not sharing data without the IT department’s knowledge. Of those, 29% cannot track employee data sharing at all, making controlling data leaks almost impossible.
Also, you may know that something happened, but there is still the matter of understanding who committed the act. This all goes back to getting visibility into, and understanding of, user behaviour. One of the more important focus areas is the understanding of how users can remove data from the network, both deliberately or by accident.
Most systems, including SharePoint, Drive and Box, allow access controls to be applied to files and folders. But these rely on the user directory being correct and users located within the proper groups. However, frequently, users inherit access rights which have not been correctly handled by IT, where the user is added to their new group without old groups being removed. A classic example is when an Intern starts within, say, the HR department and then is taken on by the organisation, moving to facilities. The Intern is added to the facilities group, but their HR access role is not removed. This means they can still see HR records!
This happens because most Active Directory schemes are complex, and the IT staff rush or forget things. This is overcome by an automated process which orchestrates the actions required to add users to groups, assign roles and privileges, provides a transparent escalation process of approvals, and alerts if things are wrong, allowing proactive action to be taken to block the user or the possible security failure. This removes the responsibility from being solely on IT, to data owners and direct line managers who should know who and what is allowed to touch data.
Finally, all data should be audited, both on company devices and personal devices. It is crucial to ensure that any endpoint has the protection required by the company and any data stored is secure.
This is achieved by a mandatory scan each time the device is started, which checks for latest updates on operating systems and anti-virus, encrypts any sensitive data which is discovered and blocks any unauthorised services, both local as well as remote/cloud. Once the device has been ‘signed off’, the user works as usual.
In the new world of ‘home working,’ companies must start to plan for the long term and address data flow and protection, as finding data when it is so scattered is an almost impossible task. Defending any data breach will be very hard and with GDPR, PCI et cetera, carrying large penalties for those who fall foul of them, I do not think the ICO will allow any room for error, even with the blow that COVID19 has dealt businesses recently.
