Defending Your Castle from the Inside: Data Breaches and How to Minimize Their Impact

Every business holds at least some sensitive data. This includes sensitive personal information belonging to clients and employees, and confidential data relating to business operations. Protecting this information should be a concern for every business, no matter what industry or size.

Data breaches can be hugely costly to an organisation. The Ponemon Institute's 2014 Cost of Data Breach Study: Global Analysis found the average cost to a company from a data breach was US$3.5 million, up 15 percent from the previous year. Malicious and criminal attacks were the most costly cybercrimes to a business, the study found.

Expect attacks from every angle

Verizon's 2014 Data Breach Investigations Report shows that attackers target businesses in every sector and of every size. The report, based on 1,367 confirmed data breaches and more than 63,000 security incidents in 95 countries, found that attackers used a wide range of methods to compromise business systems, and that the majority of attacks originate from outside the business. Against these threats, organisations try to build higher and more impenetrable walls around their networks and data. This is a never-ending arms race: even the most advanced defences will, before long, present weaknesses that attackers can exploit.

According to internationally renowned security technologist, Bruce Schneier: "against a sufficiently skilled, funded, and motivated adversary, no network is secure."

However, this is not the only risk that keeps information security professionals awake at night. Attacks originating from inside the business are typically harder to detect and prevent, and have more potential to significantly damage the business. In other words, it is not the outsiders charging at the walls but the people with the keys to the castle who present the greatest threat.

There has been a spike in the number of cases involving the theft of confidential information over recent years. A major catalyst for this increase is the availability of cloud-based storage services such as Dropbox. Bodies such as Wikileaks and recent high-profile instances of whistleblowing are also making disclosures seem acceptable.

Of course, not all leaks are malicious. Flexible working arrangements that necessitate remote access also contribute to this rise, as does the increasing use of 'bring your own device' policies. In some cases, lax or unclear human resources policies result in some employees not realising it's unacceptable to take intellectual property with them when they leave a business.

Malicious or not, there are now more ways than ever for workers to transfer huge amounts of data very rapidly outside the business, and most have the technology skills to do it.

Make sure your castle is tidy

As a community, information security professionals have started to accept that it’s not possible to prevent all data breaches. We are instead working to minimise the potential damage if a breach were to occur. One crucial step for an organisation is understanding exactly what sensitive information lies in its data stores, and where it is located.

If your car was stolen and you knew you left your wallet in the glove box, you would immediately cancel your bank cards. In this way, you would limit further damage from the crime. But if you didn’t know your wallet was in the car, you would lose time and give someone a greater opportunity to spend your money before you took action.

Applying this concept to sensitive data can minimise risks and reduce the damage after a security breach. Organisations need to know where their important data is and who has access to it.

To achieve this, organisations must examine all of their data, remove the parts they don't need, protect the sensitive elements and ensure what's left is well organised and easily searchable. This requires information governance technologies that provide visibility into the contents of a company's data stores.

While most organisations have strict compliance rules around how long they must retain data, once the retention period is over, the risks and costs of keeping that data greatly outweigh any residual value. Older data may contain unknown business risks or confidential information. Deleting this low value data, according to pre-defined and legally sanctioned rules, reduces risks and also minimises the volume of data that could be compromised.

The next step is identifying high-value documents such as customer records, intellectual property and contracts, moving them to managed locations and protecting them with access controls and retention rules. The bigger the circle of people who have access to your organisation's confidential data, the bigger the risk of a security breach. Organisations must therefore apply access policies and conduct regular audits (who can read which store, and whether they still need to) to ensure only authorised staff have access to important data.
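As an added example (not Nuix software or the author's own tooling), the following Python script walks a file store and produces the inventory this section calls for: where sensitive data sits, which copies are past their retention period, and which are readable by everyone on the host. The detectors (Luhn-checked card-number patterns and e-mail addresses), the seven-year retention period and the sample files it writes into a temporary directory are all constructed for illustration.

```python
"""Data-hygiene scan: find where sensitive data lives, which copies are past
retention, and which are world-readable.

Added example, not Nuix's product code. The detectors are deliberately small
(Luhn-checked card numbers, e-mail addresses) and the sample store is constructed.
"""
import os
import re
import stat
import tempfile
import time

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, spaces/hyphens allowed
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DAY = 86400


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters order numbers and phone numbers out of PAN_RE hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count sensitive tokens in one document; returns {} when nothing is found."""
    found = {}
    pans = [m.group(0) for m in PAN_RE.finditer(text)]
    pans = [p for p in pans if luhn_ok(re.sub(r"[ -]", "", p))]
    if pans:
        found["card_numbers"] = len(pans)
    emails = EMAIL_RE.findall(text)
    if emails:
        found["emails"] = len(emails)
    return found


def scan_tree(root: str, retention_days: int, now=None) -> dict:
    """Walk root and return {relative_path: finding} for every file holding
    sensitive data: what was found, whether the file's mtime is older than
    the retention period, and whether the file is readable by 'other'."""
    now = time.time() if now is None else now
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    kinds = classify_text(fh.read())
            except OSError:
                continue
            if not kinds:
                continue
            st = os.stat(path)
            findings[os.path.relpath(path, root)] = {
                "sensitive": kinds,
                "age_days": int((now - st.st_mtime) // DAY),
                "past_retention": (now - st.st_mtime) > retention_days * DAY,
                "world_readable": bool(st.st_mode & stat.S_IROTH),
            }
    return findings


def build_sample_store(root: str, now: float) -> None:
    """Write constructed sample files (not real data): (body, age in days, mode)."""
    samples = {
        "finance/refunds-2007.csv": ("card,amount\n4111 1111 1111 1111,19.99\n", 3000, 0o644),
        "hr/contacts.txt": ("Reach Ana at ana.perez@example.com\n", 30, 0o600),
        "ops/orders.txt": ("order 4111111111111112 shipped\n", 10, 0o644),  # fails Luhn
        "docs/readme.txt": ("Nothing sensitive here.\n", 5, 0o644),
    }
    for rel, (body, age_days, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
        os.utime(path, (now - age_days * DAY, now - age_days * DAY))


def demo(retention_days: int = 7 * 365) -> dict:
    """Build the sample store in a temporary directory, scan it, return findings."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample_store(root, now)
        return scan_tree(root, retention_days, now)


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        flags = [k for k in ("past_retention", "world_readable") if info[k]]
        print(f"{rel}: {info['sensitive']} age={info['age_days']}d {' '.join(flags)}")
```

The output is the list an organisation needs before deleting or relocating anything: a file of card numbers that is years past its retention period and readable by every local account is the first candidate for deletion, while the HR contact list is within retention but should be moved to a managed location. The Luhn check matters: without it the order number in ops/orders.txt would be a false positive.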

Through these efforts, an organisation increases the value of its data and minimises the opportunities for malicious or accidental breaches of important information. Whether the culprit is malware that has breached a network, an unhappy employee or a misconfigured network, the chances of anyone gaining unauthorised access to the high-risk and high-value information an organisation stores are greatly reduced.

Fast response is enabled by a high-level view

The proposed EU General Data Protection Regulation (GDPR), if adopted in 2015, would give businesses in Europe as little as 24 hours after discovering a data breach to notify the regulator, setting out what went wrong, who could be affected and what is being done to contain it. Current practices often involve months-long investigations before anyone admits to any fault.

I believe an incident response plan is the most important element of your defence. A practical way to minimise the business impact of a breach is to detect and contain the incident as soon as possible. However, there is considerable room for improvement in the way organisations handle this task.

An attacker will rarely leave an obvious trail to follow. The difficulties of post-event autopsies are multiplied if organisations don't know where their data is. But even if an organisation has followed the data hygiene procedures I have discussed, investigators must follow a trail through potential evidence sources including email, documents, mobile phone images, server logs and data in the cloud.

Data volumes are growing so rapidly that traditional forensic tools and methodologies simply can't keep up, so security professionals must adopt new techniques to manage the data effectively. What works is a toolset that can ingest vast data sets and quickly reduce them to a small, relevant set of evidence: cast a wide net, then cull with powerful, repeatable searches that keep a full audit trail of what was filtered and why. Techniques such as keyword searching, date filtering, entity extraction and clustering of near-duplicate documents help investigators quickly narrow the haystack to the compromised data.
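To make the culling workflow concrete, here is an added Python example (not Nuix's product code) that runs the techniques above over a constructed mini-corpus of e-mails and log lines: date filtering, keyword search, entity extraction (e-mail addresses, IPv4 addresses and file paths are the assumed entity types) used as a pivot to pull in related records, and near-duplicate clustering by word-shingle Jaccard similarity. Each step records its input and output counts as an audit trail.

```python
"""Cull an evidence set down to what matters: date filter, keyword search,
entity extraction used as a pivot, and near-duplicate clustering, with an
audit trail of each step. Added example; the corpus below is constructed."""
import re
from datetime import datetime, timezone
from itertools import combinations

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
PATH_RE = re.compile(r"/(?:[\w.-]+/)+[\w-]+(?:\.[\w-]+)*")

# Constructed sample corpus (not real data): (doc id, UTC timestamp, text).
DOCS = [
    ("mail-101", "2014-03-02T09:12:00Z", "Hi team, the quarterly customer export is in "
     "/share/exports/customers-q1.csv. Regards, dave.lee@corp.example"),
    ("mail-102", "2014-03-02T09:15:00Z", "Hi team, the quarterly customer export is now in "
     "/share/exports/customers-q1.csv. Regards, dave.lee@corp.example"),
    ("log-2201", "2014-03-05T23:41:10Z", "sshd: Accepted password for svc-backup from 203.0.113.77 port 51822"),
    ("log-2202", "2014-03-05T23:43:55Z", "scp: svc-backup copied /share/exports/customers-q1.csv to 203.0.113.77"),
    ("mail-088", "2013-11-20T14:00:00Z", "Reminder: the customer export policy is on the intranet. helen@corp.example"),
    ("log-1900", "2014-03-06T08:00:00Z", "cron: nightly backup completed"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def filter_by_date(docs, start, end):
    """Keep documents whose timestamp falls inside [start, end]."""
    return [d for d in docs if start <= parse_ts(d[1]) <= end]


def search(docs, terms):
    """Keyword search: keep documents mentioning any term (case-insensitive)."""
    terms = [t.lower() for t in terms]
    return [d for d in docs if any(t in d[2].lower() for t in terms)]


def extract_entities(text: str) -> dict:
    return {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "ips": sorted(set(IPV4_RE.findall(text))),
        "paths": sorted(set(PATH_RE.findall(text))),
    }


def pivot_on_entities(selected, pool):
    """Pull in any document from pool that shares an IP or e-mail address with
    the selected set: the lateral step that turns a file hit into a host trail."""
    seen = {d[0] for d in selected}
    keys = set()
    for d in selected:
        ents = extract_entities(d[2])
        keys.update(ents["ips"] + ents["emails"])
    return selected + [d for d in pool if d[0] not in seen and any(k in d[2] for k in keys)]


def shingles(text: str, k: int = 3) -> set:
    words = text.lower().split()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster_similar(docs, threshold: float = 0.5, k: int = 3):
    """Union-find over pairs whose word-shingle Jaccard similarity >= threshold."""
    parent = {d[0]: d[0] for d in docs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    sh = {d[0]: shingles(d[2], k) for d in docs}
    for a, b in combinations(docs, 2):
        if jaccard(sh[a[0]], sh[b[0]]) >= threshold:
            parent[find(a[0])] = find(b[0])
    groups = {}
    for d in docs:
        groups.setdefault(find(d[0]), []).append(d[0])
    return sorted(sorted(g) for g in groups.values())


def cull(docs, terms, start, end, threshold: float = 0.5) -> dict:
    """Run the pipeline; 'audit' records (step, docs in, docs out) for each stage."""
    audit = []
    window = filter_by_date(docs, start, end)
    audit.append(("date_filter", len(docs), len(window)))
    hits = search(window, terms)
    audit.append(("keyword_search", len(window), len(hits)))
    expanded = pivot_on_entities(hits, window)
    audit.append(("entity_pivot", len(hits), len(expanded)))
    clusters = cluster_similar(expanded, threshold)
    audit.append(("cluster", len(expanded), len(clusters)))
    return {"clusters": clusters, "audit": audit,
            "entities": {d[0]: extract_entities(d[2]) for d in expanded}}


if __name__ == "__main__":
    result = cull(DOCS, ["customers-q1.csv"],
                  parse_ts("2014-03-01T00:00:00Z"), parse_ts("2014-03-07T00:00:00Z"))
    for step in result["audit"]:
        print("%-15s %d -> %d" % step)
    for group in result["clusters"]:
        print(group, result["entities"][group[0]])
```

Starting from one file name, the pipeline discards the out-of-window reminder, finds the two near-identical e-mails and the copy event, then follows the IP address in the copy event back to the login that preceded it; the two e-mails collapse into one cluster so the reviewer reads them once. The audit list is what lets a second investigator reproduce the reduction.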

This crucial ability allows you to effectively respond to any incidents. It provides a robust first response for your security team, who can then focus their tools and analysis efforts on the most likely sources for evidence.

If a breach does occur, it is vital to have strategies in place to minimise its damage. It is also crucial to learn from the incident and to improve practices and processes, so that a similar breach is less likely to occur in future.

By James Billingsley, Senior Solutions Consultant, Nuix

James Billingsley, Principal Solutions Consultant, Cybersecurity & Investigations

James has a decade of experience in computer forensics. Before joining Nuix, he worked as a Senior Breach Investigation Consultant leading PCI forensic investigations for clients including Visa and MasterCard.

As a Certified Examiner, James has supported UK Police Force and government agency investigations and served as an expert witness in UK courts. James has contributed to web browser forensics software tools which law enforcement agencies and international corporations around the world use.
