This week’s leak of personal details of nearly 50,000 Australians highlights the crucial importance of both reviewing contractor policies for data handling, and improving visibility of data to detect and stop data vulnerabilities before they are exploited.
The breach – first reported by iTnews and involving personal details of 48,270 employees of government agencies, banks, and a utility company – was exposed after a security researcher searched Amazon S3 for data buckets containing particular keywords and file types. His search turned up a number of data backups made in March 2016 by an as-yet-unnamed contractor; the Australian Cyber Security Centre (ACSC) has been involved in remediation since being alerted in early October.
Potential business damage from such breaches is already well recognised – 70 percent of business and IT executives in a recent Ponemon Institute-Centrify survey said that their organisation’s brand “can be significantly diminished” due to a data breach caused by third parties – but everyday practice is not keeping up.
Brand diminishment isn’t the only risk of poor security: in a recent determination, the United Nations Human Rights commissioner warned that governments must not release any personal data without “bulletproof” security and moved to establish guidelines for governments’ national privacy laws.
The urgency of such proclamations reflects a difficult reality: such breaches are becoming increasingly common as often-confidential data sets are moved between on-site networks and cloud services, often with impunity or ignorance of proper security protocols. Breach Level Index statistics suggest that 5.1 million records are being lost or stolen every day, with just 4 percent of those breaches considered “secure breaches” where the data was encrypted and stolen data rendered useless.
The other 96 percent of the breaches represented the direct opportunity for cybercriminals to exploit that data – a fact that was highlighted in Gemalto’s Data Security Confidence Index 2017, in which 88 percent of companies said that effectively collecting, analysing and using data would give them a competitive advantage.
Despite the recognised importance of this data, just 59 percent of respondents said that all of their sensitive data is secure and only 45 percent even know where all of their sensitive data is stored. Just 4 in 10 organisations said they carry out all of their data handling procedures in line with data protection laws, while just 8 percent of breached data was reported as having been encrypted.
Given the nature of those figures, breaches like the one suffered this week are hardly surprising – but they represent a clear and present danger under soon-to-be effected Notifiable Data Breach (NDB) legislation and the European Union’s General Data Protection Regulation (GDPR), which will impose significant penalties for exactly the type of breach reported this week.
Problems with the handling of personally identifiable information (PII) are more prevalent than many organisations may appreciate: A recent RiskIQ audit of security practices amongst 25 of the largest United States banks, for example, found 1891 insecure login forms, 1663 pages collecting PII insecurely, 1323 EU first-party cookie violations, and 1265 EU third-party cookie violations.
“Each of these insecure collection points represents a violation of GDPR, and a potential to have customer data compromised,” RiskIQ CEO Lou Manousos warned in a statement. “PII discovery, inventory, and compliance assessment is one of the major tasks for GDPR project teams. In our experience, most security and compliance teams have only partial visibility of the websites owned by their organization. They are left to engage users across the business in an effort to uncover them.”
A host of new offerings in recent months is seeking to help businesses close the gap before a similar breach hits them hard. Strong demand for visibility has motivated Australian cloud-monitoring provider Sinefa to expand to the United States market, while secure-hosting provider iLand recently with a presence in NEXTDC’s S1 data centre.
Visibility vendor Savvius has also increased its regional presence, while RiskIQ has productised its GDPR scanning capabilities. M-Files has also launched a GDPR data-scanning tool, while visibility vendor Ixia recently extended its CloudLens Visibility Platform to five key public cloud platforms.
Piqued by the ongoing ramifications of the Equifax data-breach disaster, where intruders had free run of the company’s network for months, the flood of cloud-visibility offerings is set to continue as compliance requirements continue to tighten. Even modest investments will pay off in better security, with Gartner recently predicting that some 60 percent of enterprises would implement cloud visibility and control tools by 2018 – and would see one-third fewer security failures as a result.
“Telemetry and documented testing will allow security teams to show the business proof the cloud is working and safe,” Gartner research director Rob McMillan recently predicted. “Telemetry allows organizations to see the danger signs and allow for a quick – and possibly preventative – response.”