[German]Today, January 28, 2023, is European Data Protection Day. It's a day of action for data protection launched on the initiative of the Council of Europe. It has been celebrated annually around January 28 since 2007. This date was chosen because the European Convention on Data Protection was signed on January 28, 1981. To ensure the security of data, risk behavior should be adjusted in everyday life.
On the one hand, since May 2019, we have the European General Data Protection Regulation (GDPR), which should protect personal data from being shared. On the other hand, not a day goes by without reports of data protection incidents or hacks in which data was captured.
Data protection is important
Data protection is a valuable asset, but people are finding it increasingly difficult to ensure it. This is mainly due to the fact that the digitization of the working world and private life knows hardly any boundaries. The fact is that much of our digital data is sold or stolen these days. Securing one's own data is therefore of particular importance. Joseph Carso n, CISO at Delinea (provider of Privileged Access Management (PAM) solutions) thinks so:
Protecting our sensitive personal data is an almost insurmountable challenge today, and the end of privacy as we know it may be closer than we think. While privacy is defined and valued differently by country, culture and individual, there is one overarching commonality: for many citizens, privacy is simply no longer an option.
In 2023, for example, deepfakes will already be so authentic that it will be easy for cybercriminals to steal and abuse our digital identities. In the process, we are also doing our part and unwittingly helping the threat actors in their mission by exposing our "digital DNA" on the Internet, including photos, videos, and audio files, some of which reveal highly sensitive information about us.
This thoughtless exposure of our digital DNA not only facilitates data theft, but also enables cybercriminals to become a digital version of us, an online clone. The fact is that it is no longer a challenge for criminals to replicate digital DNA and use it together with information collected on the Internet to create highly authentic-looking fakes. Distinguishing them from the originals and thus unmasking them is then no longer possible without sophisticated technology that is usually not available to the general public.
If you want to prevent this and protect your privacy, it is essential to check every application to see what data is collected and processed and how it is secured. If the only protection is a simple password, this should be a strong passphrase, but it is generally advisable to enlist the help of a password manager and, if possible, activate multifactor authentication.
In the business world, one of the main problems is the incorrect prioritization of corporate security. Far too seldom is data security placed at its center. Although the set screws have already been tightened considerably with data protection laws such as the EU-GDPR, many companies have preferred to do only what is necessary. They have still not managed to implement consistent cybersecurity based on the zero-trust model and adequately secure the sensitive data of customers, partners or even intellectual property.
And Bernard Montel, EMEA Technical Director and Security Strategist, Tenable says on the subject, "When we talk about data protection, we also need to consider data security – you can't have privacy without protecting it. Unfortunately, the daily headlines about numerous organizations that have fallen victim to cybercrime, compromising vast amounts of data, show that many still find this an impossible task. The problem is that criminals know they can monetize their crimes by targeting valuable data without fear of capture or punishment.
In cyberattacks, we know that cybercriminals' attack methods are not advanced or even unique, but opportunistic. They are looking for an open window to crawl through. When assessing an organization's attack surface, they look for the right combination of vulnerabilities, misconfigurations and identity privileges that will give them the greatest and fastest access.
If companies want to stay ahead of the curve and avoid becoming a target, they need to appear unreachable to bad actors, and that means eliminating the low-hanging fruit – the known but unpatched vulnerabilities in systems and software. This Data Protection Day focuses not on the tactics of threat actors, but on identifying and blocking the attack paths they seek to exploit."
Ransomware is the biggest threat
Michael Scheffler of Varonis sees data theft by ransomware as the biggest threat to privacy. No sensible person will doubt the importance of data protection. Accordingly, it ranks high among us as an important idealistic good. In practical implementation, however, most companies see it more as a kind of checkbox to be checked off – despite or precisely because of the GDPR. Above all, however, the intrinsic connection between data protection and data security is unfortunately often not recognized.
Ransomware is a good example of this. If you look at it from a different perspective, namely that of data protection, the real implications quickly become clear. It is not primarily about disrupted production processes, as annoying and costly as these may be. Modern ransomware attacks are primarily about data theft. Companies often have attackers in their systems for months before the attack is discovered or the cybercriminals reveal themselves, and they can move around in them quite undisturbed and, of course, steal data. While compromised systems can be rebuilt quite quickly, data unfortunately cannot be "uncompromised" – and often ends up on the dark web and in the hands of criminals.
Accordingly, data theft also represents the greatest challenge for companies and the greatest threat to data protection and privacy. It doesn't matter much whether data is stolen as part of a double extortion ransomware attack, purposefully leaked through cyber espionage, or exfiltrated by employees. It goes without saying that data must be protected wherever it is stored, whether locally or in the cloud. For this reason, data, not perimeter, infrastructure or users, must be at the center of the defense strategy. Only with data-centric cybersecurity can data be effectively protected and thus data privacy ensured.
The human factor and the risks
A major threat to data protection still lies with the human factor. In fact, every single employee, consultant and partner bears responsibility for data integrity. In particular, falling for phishing and poor password hygiene are popular starting points for cyberattacks with ransomware or data exfiltrations. But the following five behaviors also pose major risks and threaten the integrity of sensitive data.
Risk 1: Bypassing security measures
Security tools are often a double-edged sword: on the one hand, they are essential for protecting companies from cyber incidents, but on the other hand, they can also be a time-consuming and productivity hindrance. According to a study by Cisco, one in two employees in Germany bypasses their company's security solutions at least once a week because they are too complex and time-consuming. But if security products are deactivated or otherwise bypassed, this means not only wasted investments for companies, but an uncontrolled increase in the attack surface.
Tip:Increase awareness and communicate the importance of individual security tools to your workforce. In addition, it is advisable to conduct routine audits to ensure that critical security tools are actually adopted. In addition, user-friendliness should be a (co-)deciding factor as early as the product selection stage.
Risk 2: Downloading malicious applications
The number of applications used in companies has increased significantly in recent years. The intention behind this is usually to reduce manual workflows and increase productivity. However, it is not uncommon for apps and services to be downloaded without proper authorization, which poses a number of risks. For example, employees may download apps that contain ransomware or store sensitive data on third-party services, which could result in data breaches.
Tip:Define application control policies with corresponding allow and deny lists so that employees can request and download approved services and apps in a controlled manner. This provides greater transparency and makes a lasting contribution to reducing shadow IT. It's also a good idea to use a PAM solution to enforce role-based access controls (RBAC) that control what a user can click on, read or modify within a web application. For example, a user can be granted access to Salesforce, but blocked from exporting files in the app.
Risk 3: Access to systems after leaving the company
If an employee leaves the company or the collaboration with a partner is terminated, this requires a careful offboarding process. All of the person's accounts and accounts must be deleted or deactivated immediately. If this doesn't happen, the accounts become risky ghost accounts that allow cybercriminals and insider attackers to quietly look around a company and exfiltrate data without making noise. And these threats are real, as Varonis' SaaS Data Risk Report shows that organizations have an average of 1,197 inactive accounts, and of 1,322 guest accounts, 56 percent are still usable after 90 days of inactivity.
Tip: Enforce a least-privilege strategy that ensures privileged access and cloud access is granted only as needed and for a limited time. Also, use a PAM solution that automatically identifies privileged accounts to reduce account proliferation. Above all, implement effective offboarding processes that ensure sensitive privileges are revoked promptly when employees or contractors leave the company.
Risk 4: The use of company devices by third parties
For many employees, granting family members or friends access to their business phones or laptops, for example to briefly surf the Internet or download a game, may not seem like a big deal. But for corporate security, this can have fatal consequences. It doesn't take long for innocent people, especially children, to click on links or download content that contains malware or ransomware, or unintentionally disclose sensitive information.
Tip: Draw a sharp line between work and family life and make it clear to the workforce that a zero-tolerance policy applies to outside use of company-owned hardware.
Risk 5: Missed software updates
Software updates are usually not high on our priority list because they cost time and nerves and their installation is often requested at the wrong moment. Employees also often assume that software is updated automatically or that the IT department oversees this process. Every now and then, however, programs have to be updated manually, which employees then tend to overlook or even ignore. This is all the more dangerous because, according to the Verizon Data Breach Investigations Report 2022, neglected software updates are one of the most important attack vectors for cybercriminals to gain access to computers or networks.
Tip: Make software updates mandatory and put the responsibility for software updates in the hands of administrators. They need to ensure that the entire workforce is always using the latest and most secure versions, and weeks or even months of delays are no longer the order of the day.
Effective enterprise security, and therefore successful data protection, lies in balancing cybersecurity with productivity. So the art that CISOs and IT teams must accomplish today is to minimize threats from the outside and common misbehavior on the inside, while giving employees seamless access to the systems and tools they need, when they need them. This requires modern security solutions that automate security as much as possible and, most importantly, implement it invisibly, i.e. behind the scenes.
Cookies helps to fund this blog: Cookie settings