Seldom does a week go by without a major data breach being reported, and the subsequent damage of such a breach can be devastating. For example, just recently I read a news story in the Guardian reporting that survivors of institutional sexual and physical abuse in Northern Ireland have rejected compensation offered to them in response to a damaging leak that exposed more than 500 of their names. This is yet another example of the mishandling of sensitive data, and it demonstrates the severe reputational and financial ramifications such misuse can have.
Victims of this particular data breach, who number more than 500, have been offered financial compensation of £1,500 by the office of Brendan McAllister, which has been accused of breaching data protection and privacy rights after their names were revealed in a monthly newsletter sent by the body established to investigate their allegations and compensate survivors. However, a class action set to be taken by the affected victims via legal firms could see compensation ranging from £7,500 - £100,000 per person.
Today, data is prolific and good data governance is an ever-growing requirement, as is securing sensitive data. This is an everyday challenge that government organisations around the world face, as well as making sure that sensitive data such as I have described above has the right security labelling and is appropriately classified so that leaks of this nature don’t happen.
In the UK, the average cost of a data breach has grown to nearly £2.7 million, according to IBM research, and the reputational harm can be incalculable, which is why it is so important to ensure that data is appropriately handled, classified and stored. Likewise, according to the Verizon Data Breach Report, the public sector struggles with mis-delivery – sending sensitive information to the wrong recipients – and misconfiguration, when someone puts data in the cloud without the proper security measures in place. Of the breaches that do occur, just over half (51 percent) of the data compromised in public sector data breaches documented by Verizon involved personal information.
These types of serious data breaches and incidents of cyber-disruption have a powerful effect on driving regulatory change and activity. It is therefore imperative that government organisations keep doing everything in their power to keep sensitive data safe.
One way that they do this is through robust classification and protective markings, which are security labels assigned to public sector information. They signify the confidentiality requirements of public sector information, usually determined via an information security value assessment and expressed as markings such as ‘Official Sensitive’, ‘Secret’ and so on. Classification systems and protective markings inform the minimum level of protection to be provided throughout the information lifecycle, including during its use, storage, transmission or transfer, and disposal.
Most public sector information (including personal information) obtained, generated, received, or held by or for a public sector organisation for an official purpose or in support of official activities usually requires classification and some form of protective marking. This includes both hard and soft copy information, regardless of media or format. Paradoxically, not all public sector information does in fact require a protective mark, though other security measures may still be required to protect the integrity and availability of this material. More recently, protective marking schemes have been updated to also cover email communication.
It is therefore essential that government organisations have the right solutions in place so that they can effectively manage and classify data in the way that I have described above, and can then proactively respond to regulatory change. This is where multi-level data classification solutions really help, as they are able to attribute labelling according to the sensitivity of a document, which then limits the distribution of that document to a degree appropriate to its classification. Likewise, classification tools with the right blend of automated and user-applied classification support can significantly increase end-user awareness when handling data. Additionally, these solutions protect a document by adding metadata labels as well as visual markings. Both the metadata labels and the visual markings reflect the classification given to the document. The visual markings are customisable and include headers, footers, watermarks, and title pages.
If you have a complex classification system, it is important to ensure the correct level of classification is assigned to a document, but we recognise that this can be confusing for the user, who is expected to select the right classification. Our structured Q&A asks the user a series of questions to help them classify the document correctly. For example, the user does not need to remember exactly what ‘Official Sensitive’ is, as they are reminded when classifying the document. This is particularly useful when the system is first installed, as it helps to teach users to select the correct level of classification. The result is enhanced user engagement and accountability, improved security awareness, and a reduction of data security risk across the organisation.
Regardless of any compliance obligations government organisations face, it is good security practice for them to implement and enforce data classification systems to reduce the risk of inadvertent or unintentional data loss. That said, data classification is a complex process requiring detailed analysis and planning. But if government organisations work with the right provider, one who can take the complexity out through flexible, fit-for-purpose software with business-centric labelling that provides meaningful and easy choices for the user, then this will keep the organisation secure, compliant and in control. Above all, we recognise how important it is that people are still a part of the process. How much organisations rely on automation to assist is down to individual preference or philosophy, but overall employees need to be a cybersecurity asset rather than a liability. This is where data classification solutions provide organisations with just that - an effective data security programme, with the ability to make those human-assisted decisions. If you are interested in reading more about this topic, why not download our whitepaper?