Taking active steps to safeguard your organization’s digital presence on and offline is not a new recommendation; if anything, elaborate security measures are emblematic of our times. Passwords, multi-factor access protocols, biometrics and other forms of user authentication have become standard, and for good reason: the incidence of data loss, theft and misuse is huge. Data compromise – whether it involves personal, business, or government files – has become so common that only the most egregious consumer-facing cases make the evening news today.
That’s understandable; sometimes the owners of business data effectively pin “kick me” signs on top of their most sensitive files. An astonishing volume of data, whether through poorly configured security settings, indifferent employees, or a reluctance to update legacy software, is exposed to pretty much anyone interested in harvesting it. And the situation is getting worse. Digital Shadows’ Photon Research Team scanned the landscape of online file storage technologies and found more than 2.3 billion exposed files – a 50 percent increase from similar research just one year earlier, with Europe accounting for the largest share, followed by the Americas, Asia, and the Middle East, respectively.
With exposures on the rise, it’s not surprising that ransomware extortion has become such a growth industry. And the methods used by ransomware attackers have become more cunning as well. The industry standard for ransomware mitigation has been to back up files so you can quickly revert to saved copies and avoid downtime or payments to the attackers in case of infection. But Digital Shadows’ same research effort identified more than 17 million ransomware-encrypted files among file stores often used to back up systems. One particularly aggressive variant, NamPoHyu, was found to be solely responsible for encrypting more than 2 million files since it’s discovery in April of this year. No longer is backing up data sufficient to to solve the problem of ransomware - backups need to be secured too.
Not all data leaks and exposures result from the actions, inaction or neglect of their owners, however. Increasingly, they can be traced to third parties – contractors, suppliers, vendors and other firms in the company’s supply chain with legitimate access to the client’s files – companies that provide services such as data management, storage and processing.
If anything, it is now routine for larger enterprises to have an extensive network of specialized suppliers and partners – many of which are small companies whose own cyber defenses are nowhere near as robust as those of their clients. The notorious 2013 attack on Target, which resulted in massive compromise of its customers’ credit details, gained entry to the company’s point of sale files through an HVAC contractor. Add to that the growing use of Internet connected wireless devices, and you have a toxic stew of opportunities for mischief.
However, this growing base of interconnections is not limited to big corporations; essentially every individual and business, regardless of size, is embedded in a maze of online relationships – many of which may be hidden from the user. What it means is that the attack surface – the sum of all the different points where an unauthorized user can attempt to extract data from an organization’s digital environment – is expanding geometrically. Your fiendishly difficult password offers little protection if a third party’s connected system unwittingly exposes the same data you are determined to safeguard. And those gaps in the armor cascade onto every sector they’re link to.
Of course, not every file exposed to unauthorized parties is highly sensitive; there’s plenty of routine material – product orders, receipts, shipping labels, and customer complaints in there as well. But payment information, customer data, product roadmaps, sales strategies, schematics, security assessments, financial and legal documents as well as credentials to access other systems can be of tremendous value to a competitor or to someone looking to monetize that information through fraud, extortion, dark web sales, or inflicting reputational damage.
The potential for losing millions of sensitive files at the same time is a relatively new phenomenon. Of course, thefts of information have been going on forever. But swiping a document or stealing a folder was a comparatively small loss; the physical demands and risks of stealthily removing papers from a desktop or file drawer are considerably greater than those associated with using a few keystrokes from halfway around the world to pilfer data on an industrial scale. It’s enough to make you nostalgic, but there’s no turning back; digital transformation has become essential to remaining competitive, and the associated risks to your enterprise will continue to grow as outsourcing and system integration trends spread.
So, what does that mean for a company that takes data security seriously? For one thing, it means that in dealing with vendors, trust alone is not a strategy. Instead, security needs to be a collaborative effort. Standards for mitigating risks need to be set for third parties. Ongoing monitoring of vendors has to be part of that. Beyond that, there are independent organizations whose primary business is assessing the security of different vendors. They may not tell the whole story, but they certainly offer a start.
Even then, it is prudent for a company, in coordination with its vendors, to set security directives, run simulations, and assess the impact of potential failures in order to prioritize the measures required for the different categories of data it maintains.
If it takes a whole village to raise a child, it takes a whole community of vendors and business partners to build a secure data environment.