<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>information protection - RiskInsight</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/tag/information-protection/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/tag/information-protection/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Fri, 03 Jan 2020 09:12:51 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>information protection - RiskInsight</title>
	<link>https://www.riskinsight-wavestone.com/en/tag/information-protection/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Classification: that essential aspect of data protection</title>
		<link>https://www.riskinsight-wavestone.com/en/2018/05/classification-essential-aspect-data-protection/</link>
		
		<dc:creator><![CDATA[GEneviEveLardon]]></dc:creator>
		<pubDate>Sat, 12 May 2018 13:31:39 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Classification]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[information protection]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=10765/</guid>

					<description><![CDATA[<p>Data is the 21st century’s black gold: an observation you won’t be particularly surprised to hear. The fact that it is ever-more exposed (through the increasing use of APIs and SaaS applications such as Office365, Salesforce, Shadow IT, etc.) and...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2018/05/classification-essential-aspect-data-protection/">Classification: that essential aspect of data protection</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Data is the 21st century’s black gold: an observation you won’t be particularly surprised to hear. The fact that it is ever-more exposed (through the increasing use of APIs and SaaS applications such as Office365, Salesforce, Shadow IT, etc.) and therefore at greater risk, won’t surprise anyone either.</p>
<p>The question is no longer whether data can leak (intentionally or not) and be misappropriated, but rather, how to secure it, and limit the impact when it does leak.</p>
<p>Against a backdrop like this, <strong>security models need to evolve</strong>. The <a href="https://www.riskinsight-wavestone.com/en/2016/05/levolution-modele-de-securite-chateau-fort-a-laeroport/">castle model is now largely outdated</a>, and is <a href="https://www.wavestone.com/app/uploads/2017/02/cybersecurite-directive-nis-union-europeenne.pdf">being replaced by that of the airport</a>. <strong>Data-centric protection</strong> then becomes an imperative. And such protection also has to <strong>meet the daily needs of those same users who worry about being affected.</strong></p>
<p>&nbsp;</p>
<h2>Two different types of data &#8230; and the different approaches they require</h2>
<p>The large data-protection projects launched by major players all face the same problem: how to decide how sensitive a given piece of information actually is. The answer to this question is key: it’s this that determines the relevant level of protection needed to avoid data leakage.</p>
<p>Today, there are two broad types of data:</p>
<ul>
<li><strong>Structured data</strong>, which refers to all information that follows a particular format, and is easily identifiable as such: a CRM field, social security number, official certificates, and email addresses, as well as a host of other data that can be expressed in a clearly defined format (1). Typically, this information is found in the databases of applications.</li>
<li><strong>Unstructured data</strong>, which can exist in any format (such as MS Office documents, PDFs, images, videos, music, business application files, etc.). It should be noted that data which, at first glance, might be considered structured (for example, the telephone field of a CRM), may not be so if the format in which the data is entered is not followed strictly.</li>
</ul>
<p>Structured data can be easily identified, and its sensitivity assessed according to predefined norms; but unstructured data presents a problem of a whole different magnitude—and it’s mostly this type of data that employees generate day to day. In concrete terms, this translates into an inability of the relevant security tools (such as Data Loss Prevention, or DLP) to identify a leak or the misappropriation of vital information.</p>
<p>The classification of unstructured data, then, represents the cornerstone of any data protection strategy—and it&#8217;s something that has to be done manually by end users.</p>
<p>&nbsp;</p>
<h2>But what is classification?</h2>
<p>&#8220;Data classification&#8221; means <strong>the entirety of the technical and organizational processes used to categorize information produced</strong> by the employees of an organization. Following the categories defined – according to levels of sensitivity (for example, internal, confidential, secret, etc.) or by relevant organizational functions (such as HR, R&amp;D, Purchasing, etc.) – classification allows data to be placed within the appropriate regulatory, legislative, or security framework.</p>
<p>Historically very basic (for example, a checkbox in a header or on the first page of a document, or the manual addition of metadata), classification consolidates data, and makes users responsible, by placing them at the center of the process, while, at the same time, offering them an improved experience (a simple interface and clear advice).</p>
<p>In practice, classification tools offer a diverse range of functionality:</p>
<ul>
<li>For new files, either <strong>manual or automatically determined classification </strong>according to predefined rules (for example, the presence of a certain number of social security numbers);</li>
<li>For existing files, <strong>the manual scanning of files stored in local directories or on premises</strong>, according to predefined rules;</li>
<li><strong>The addition of metadata (or tagging) to the file</strong>: this metadata, which can be interpreted by third-party tools, unlocks visibility for supervisory tools such as Data Loss Prevention;</li>
<li><strong>The addition of visual marking elements</strong> (such as headers, footers, and watermarks) to raise awareness among end users.</li>
</ul>
<p>&nbsp;</p>
<h2>The results of classification projects have been inconclusive so far</h2>
<p><strong>CISO (RSSI) procedures generally take into account</strong> data-classification issues, and the subject is core to most major corporations’ policies. This <strong>imperative is reinforced</strong> by recent regulations such as the <a href="https://www.riskinsight-wavestone.com/en/2017/07/rgpd-1an-travaux-bilan-12/">GDPR</a> or the <a href="https://www.riskinsight-wavestone.com/en/2016/12/reussir-mise-conformite-loi-de-programmation-militaire/">French Military Programming Act (LPM)</a>, which require the <a href="https://www.riskinsight-wavestone.com/en/2018/02/turn-records-management-business-asset/">mapping of data and uses</a>. <strong>However, few organizations, other than banks, have successfully implemented effective classification strategies.</strong></p>
<p>There are several reasons for this gap:</p>
<ul>
<li><strong>End users are generally not aware of the nature of the sensitive data or its impact</strong>: the highest classification levels (&#8220;C4&#8221;, &#8220;Secret&#8221;, &#8220;Confidential&#8221;, etc.) are reserved for documents likely to put companies, or even entire Groups, at risk, and these usually represent about 1% of all information &#8211; although the proportion is close to 10% in some companies. Conversely, it is not uncommon for a user to share files containing sensitive personal data, or passwords, without any classification or protection.<br />
Thus, any data-classification project requires <strong>strong change-management support for end users</strong>. This should use clear messages and concrete examples that allow users to classify information easily. Periodic recaps will also be needed to remind users what constitutes good practice. A user who handles sensitive data day in, day out may no longer be aware of the impact of that data being compromised.</li>
<li><strong>If they fail to provide users with sufficiently ergonomic approaches</strong>, companies cannot expect solid results. Experience shows that checkboxes for classification levels on cover pages, headers, or footers are only rarely selected.</li>
<li>The classification of the entirety of a company&#8217;s data is a transformation project in its own right and requires <strong>strong commitment from functional and corporate teams</strong> if it is to be widely delivered. This commitment must be even greater if the classification strategy that has been defined impacts users (through obligations to classify documents, use encryption, etc.).</li>
</ul>
<p>&nbsp;</p>
<h2>Classification takes center stage again</h2>
<p>The topic is back, in force, with large corporates, driven by digital transformation programs—requiring the rethinking of data protection, and with the large players in the market—who are shaping their offerings around the subject. Some analysts, like Gartner, even foresee the consolidation of data-protection solutions into a single, classification-centric solution.</p>
<p>Awareness and ergonomics will need to be combined, if such approaches are to be successful and end users are to buy into the process. The two will need to work together – hand in glove.</p>
<p>&nbsp;</p>
<p><em>In a future article, we’ll be looking at how the market is evolving for historical security players, and how the implementation of an effective classification strategy can provide a springboard for new impetus in data protection.  </em></p>
<p>&nbsp;</p>
<p>(1) A regular expression is a pattern that describes strings following a specific syntax. For example, a French phone number can have one of three formats: 0123456789, +33123456789 or 0033123456789.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2018/05/classification-essential-aspect-data-protection/">Classification: that essential aspect of data protection</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Protecting Company Identity: Digitalisation’s New Challenge</title>
		<link>https://www.riskinsight-wavestone.com/en/2018/05/protecting-company-identity/</link>
		
		<dc:creator><![CDATA[B3noitL4diEu]]></dc:creator>
		<pubDate>Fri, 04 May 2018 11:28:48 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[company]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[e-mail]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[image]]></category>
		<category><![CDATA[information protection]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=10733/</guid>

					<description><![CDATA[<p>Cybersecurity is no longer a topic just reserved for new technology fans and experts. Today, cyber-attacks make mainstream media headlines. All cyber-attacks make an impact on the company’s image and therefore on the trust conferred on it. In addition to...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2018/05/protecting-company-identity/">Protecting Company Identity: Digitalisation’s New Challenge</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>Cybersecurity is no longer a topic just reserved for new technology fans and experts. Today, cyber-attacks make mainstream media headlines. All cyber-attacks make an impact on the company’s image and therefore on the trust conferred on it. In addition to damaging the company’s image, cyber-attacks can carry heavy financial consequences, as we experienced this Summer during the WannaCry and NotPetya attacks that have generated a total of billions of euros in losses for companies.</em></p>
<p><em>To avoid these costly consequences, companies are clearly concentrating on securing their critical IT infrastructures, but cyber-attacks are not only targeted at network vulnerabilities, datacentres and workstations. Users, whether internal or external to the organisation, are a prime target. Attackers usurp the identity of the targeted organisation to trick users in order to carry out their misdeeds.</em></p>
<p>&nbsp;</p>
<h2>The Company’s Digital Presence: A New Risk Factor</h2>
<p>In recent years, companies’ <strong>digital transformation</strong> has been characterised mainly by the <strong>exponential development of external communication via digital channels</strong>: means of communication have multiplied and become the privileged vectors of exchange and interaction, revolutionising the customer relationship and exchanges with partners. To stay closer to clients and partners, companies promote the use of digital communication via:</p>
<ul>
<li>Emails</li>
<li>Instant Messaging</li>
<li>Institutional websites and Web applications</li>
<li>Mobile applications</li>
<li>Social networks</li>
</ul>
<p>These media are the company’s showcase, allowing it to portray itself and project its brand image through its own graphic identity, elements of language and messages. They personify the company and therefore refer directly to its perceived value. In addition, digitalisation has made it possible to largely replace the physical relationship with digital services, accessible at any time and from anywhere in the world, through which the company gives access to its community as well as to its products and services, driving ever faster, simpler and more customised interactions with users.</p>
<p>This heightened digital presence has enabled companies to develop their communication and the accessibility of their services, using digital channels to represent the company directly and fly its brand image flag. But there is a flip side to the coin: <strong>this digital ubiquity increases the possibility for attackers to usurp the company identity for malicious purposes.</strong></p>
<p>&nbsp;</p>
<h2>Damaged Brand Image: the cyber-attack’s collateral damage</h2>
<p>During a cyber-attack using <strong>spoofing of the company&#8217;s identity</strong> as a vector, the attackers’ intentions can be varied:</p>
<p><strong>Some attacks aim directly to undermine the company’s credibility</strong>, to make the company appear incompetent, or to show the malicious group’s superiority imposing its antagonistic ideology:</p>
<p>Over the last few years, there have been cases of website defacement where the content of pages has been changed to transmit false information and mock businesses in order to harm their image. In 2015, Lenovo paid the price when “hacktivist” group Lizard Squad attacked its website, redirecting visitors to photos of the attack’s protagonists. Attackers can also publish false information on a social network after stealing the Community Manager’s credentials. One defining moment of 2017 in France was the hijacking of the Ministry of Culture’s Twitter account by a prankster posting various abusive tweets. For the companies affected by these attacks, the <strong>financial consequences are predictable</strong>: following these events and announcements, the <strong>repercussions on sales and stock market value</strong> are always accompanied by <strong>a heavy impact on brand image</strong>.</p>
<p>In other cases, <strong>the attackers divert the company’s identity, this time seeking to steal money</strong>. In this case, the attackers pass themselves off as the company in order to commit frauds aimed directly at tricking the users:</p>
<ul>
<li>The “<strong>President scams</strong>” are steadily increasing and allow attackers to divert large sums of money by misleading employees in finance to believe they have to execute an urgent transfer for a company director. In France, the total damage caused by this fraud is estimated at more than 400 million euros per annum.</li>
<li>Corporate employees are also the target of <strong>phishing campaigns</strong>, which can trigger a malicious payload contained in an attachment or a link in a seemingly familiar email. The goal may be to deploy a Cryptolocker to demand a ransom, or to gain a gateway into the organisation&#8217;s information system.</li>
<li>Companies are also affected indirectly when phishing campaigns use <em>their</em> domain name to send fake emails to customers asking them to update their bank information or other personal data that may have value.</li>
<li>The latest novelty for collecting client data is <strong>fake mobile apps</strong> that imitate a legitimate application by their logo and interface but act as spyware once installed on the user’s smartphone. For example, a fake WhatsApp application containing malware was downloaded more than 1 million times from the Google Play store in October 2017.</li>
</ul>
<p>In a digital world where customer confidence, increasingly sensitive to cyber subjects, is easily lost, <strong>protecting brand image has become a major issue for businesses</strong>, alongside protecting their IT infrastructure and data. But what are the best practices to put into place to limit these risks of usurpation?</p>
<p>&nbsp;</p>
<h2>Dedicated Solutions and Organised Monitoring for better protection</h2>
<p>Protecting a company’s brand image necessarily means protecting its digital communication channels. Depending on the type of channel, different actions can be taken:</p>
<ul>
<li><strong>Names of websites, email addresses and social network accounts similar to those of the company need to be monitored</strong>. This practice is recommended by the ANSSI (French Information Security Agency) to combat brand usurpation, as is monitoring of the &#8220;Dark App Stores&#8221; offering users pirated and potentially malicious versions of enterprise mobile applications.</li>
<li><strong>Carrying out regular audits and vulnerability scans on institutional sites and mobile applications</strong> allows the identification of vulnerabilities that could provide entry points during a cyber-attack. The necessary corrective measures can then be implemented to secure these media especially against defacing.</li>
<li><strong>Implementing multi-factor authentication for email and social network administrator accounts</strong> reduces the risk of spoofing through stolen credentials alone. This greatly limits the risk of malicious content being published or shared, or of sensitive data accessible via mailboxes being stolen, as was the case in 2017 for the firm Deloitte, where more than 5 million e‑mails containing sensitive exchanges with customers were stolen following the theft of an administrator’s credentials.</li>
<li><strong>Activating protection such as the SPF, DKIM or DMARC protocols can prevent the spoofing of company email addresses</strong>. These protocols protect the company’s domain names: SPF declares the IP addresses that are legitimate for sending emails on the domain’s behalf, DKIM adds a signature to outgoing emails so that recipients can certify them, and DMARC tells receiving servers how to treat emails that fail these checks. Provided receiving servers enforce them, these protocols ensure that the company&#8217;s domain name cannot be used from an undeclared server.</li>
</ul>
<p>Since digitalisation has increased the exposure of enterprise identities, cyber-attackers and hacktivists take advantage of it to attack companies and their ecosystems by posing as the company. In all these attacks and frauds, the attacker uses more or less complex means to usurp the company’s identity in order to attack and weaken it. A damaged company brand image, in the eyes of its customers but also of the general public, <strong>can cause financial losses of millions of euros, on top of the huge losses that an attack crippling the company’s information system generates</strong>.</p>
<p><strong>The subject of protecting companies’ digital identity</strong>, in whatever form, <strong>needs to be addressed</strong> so that they can protect themselves against the frequent and costly usurpation of which they are victims.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2018/05/protecting-company-identity/">Protecting Company Identity: Digitalisation’s New Challenge</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
