Data Leaks: 8 Data Leakage Prevention Tips for Your Organization
Research shows that a data leak could cost your company $3.5 million. Here’s what you need to know about data leaks, plus 8 data leakage prevention tools and tips to protect your company
To put it in the most frank terms, experiencing a data leakage sucks.
A data leak sucks for you and it sucks for your customers. That’s because even a small data leak is a major concern for any business. It can cost your company a lot of money, damage your reputation and brand, and make your customers very angry. Simply put, exposing customers’ personal and financial information is a nightmare — with everything from financial losses to identity theft.
In cyber security, data leakage refers to a situation in which sensitive or classified information “leaks” to the outside world. This means that someone intentionally or inadvertently transfers data to someone or somewhere outside the organization. However, not everyone within the cyber security industry uses the term “data leak” the same way. Some people view data leaks and data breaches as the same thing while others differentiate each term by the intention(s) or the action(s) associated with their occurrences.
So, with all of this in mind, what exactly is data leakage? What causes it? And what data leakage prevention tools are available to help you stop it before it starts?
Data Leakage vs Data Breaches: What’s the Difference?
Some companies, such as Imperva, use the terms “data leak” and data breach” interchangeably. The U.S. Department of Justice (DOJ) identifies a breach as:
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information (PII) or (2) an authorized user accesses or potentially accesses PII for an other than authorized purpose. It includes both intrusions (from outside the organization) and misuse (from within the organization).”
Others use the terms separately to differentiate data that is exposed due to an internal source of mechanism (data leak) versus an external source or threat (data breach). For example, Forcepoint identifies data leakage as a “low and slow data theft” or “the unauthorized transmission of data from within an organization to an external destination or recipient.” The leakage can occur via a variety of web, email, or via endpoint technologies including mobile data storage devices and laptops.
Regardless of however you choose to identify an information compromise, the bottom line is that a data leak spells bad news for your organization and your customers alike.
The 5 Most Common Causes of Data Leakage Situations
If you want to protect your company from data leakage, you first need to understand some of the underlying causes of these leaks. There are many potential causes for data leakage issues, but nearly all of them have one thing in common: people. Unsurprisingly, people are not infallible. We can be lazy and negligent — and, sometimes, we simply make mistakes.
Ultimately, as humans, we’re prone to human error. That’s because we’re not drones who do only as we’re programmed to do — we have free will to make our own decisions. On one side of the coin, those decisions may be to do the right thing, to be thorough and to verify information before we act, etc. But on the other side of the coin, some people choose to cause harm intentionally (by stealing or releasing company information or data). This could be because they either have malicious intentions or they believe they’re doing the right thing to serve a larger purpose.
Ultimately, this means that people can be your organization’s biggest assets or your greatest weaknesses. It ultimately boils down to how they choose to behave and apply themselves.
So, with all of this mind, how do data leaks occur? Here are some of the top reasons for data leakage (in no particular order):
It’s human nature to want to make things as easy as possible. This includes using either super easy-to-remember passwords, using default passwords, and sharing passwords across multiple accounts. While these practices make it easy for users to remember their passwords, that also means that it makes it easy for outside parties to guess or crack using brute force attacks.
CNN reports that the 10 most commonly used passwords include:
Phishing attacks — whether they’re pulled off via email or via phishing websites — are a big source of data leaks for organizations worldwide. They’re very successful. That’s because actors use social engineering tactics to convince or trick users into outright providing their login credentials via a form on a malicious website or get them to download a malicious file that steals their information.
Regardless of how it happens, phishing is a big issue and a source of data leakage.
Hacking and Web Application-Related Cyber Attacks
A cyberattack occurs when a hacker or cybercriminal gains access to a computer or system. Cyberattacks come in a variety of flavors — everything from straight-up hacking to the use of SQL injections and man-in-the-middle (MitM) attacks.
Human Error and Negligence
Have you ever accidentally sent a confidential email to the wrong person? Well, you’re not alone. According to Clearswift, a HelpSystems Company and data loss prevention solution provider, “Nearly half of employees (45%) have accidentally shared emails containing bank details, personal information, confidential text or an attachment with unintended recipients.” Many data leaks occur simply because employees and contractors aren’t as careful as they should be with handling sensitive information and data.
Research from a 2019 IBM/Ponemon Institute data breach study shows that “[…] inadvertent breaches from human error and system glitches were still the cause for nearly half (49%) of the data breaches in the report, costing companies $3.50 and $3.24 million respectively” between July 2018 and April 2019.
No one ever wants to look at their current or former employees and colleagues through a negative lens. But the reality is that some people are just bad eggs. Or, at least, they choose to do bad things. A malicious insider is yet another major threat to the security of your data and a potential cause of a data leakage. In fact, the 2018 Cost of a Data Breach study by IBM and the Ponemon Institute indicates that malicious insiders were the single largest cause of data breaches.
As you can see, there are a lot of different potential causes of data leaks. So, as someone who wants to protect your business by preventing these types of threats, what can you do?
Data Leakage Prevention: How to Prevent Data Leakage Before It Occurs
Both from an individual standpoint and a business standpoint, there are many things that you and your organization can do to halt a potential data leakage situation in its tracks. Here are a few recommended solutions:
1. Identify All Critical Data and Develop Strategies for Protecting Them
You can’t protect the unknown. This means that to protect your organization’s data, you first have to know what exactly it is that you’re protecting and everywhere it’s being stored and used. To do this, it’s vital that you create and maintain an inventory of databases and all of the different types of data your organization collects, processes, and/or uses.
2. Identify All Endpoint Devices, Hardware and Structure Connected to Your Network
Much like how you want to inventory all of the types of data you collect, process, and use, you also need to inventory your IT infrastructure — all hardware, software, etc. This way, you can ensure that you’re aware of everything that touches your network. All it takes is one unpatched laptop or even an insecure IoT device, and hackers can gain access to your network and navigate to whatever systems they want from there.
3. Develop, Set, and Enforce Security Policies
While no one I know personally enjoys creating setting user access limitations and implementing security policies, that doesn’t mean they’re not important. For example, by developing and implementing device use policies, you’re setting the guidelines and standards for how anyone — employees and contractors alike — can securely use your organization’s resources. These policies typically outline that users must follow secure data management and security procedures.
Having this type of policy in place also helps you cover your backside in the event that an employee or contractor using your device does so inappropriately and results in a leak or a breach.
4. Limit User Access
If you limit users to having access to systems that they need to perform their duties (and not just any system they want to access), this can help limit your potential exposure in the event that something goes wrong. Don’t give Arlene in accounting IT admin access, and don’t give the intern access to databases with personnel data. Both of these unwarranted levels of user access are unnecessary and open Pandora’s box should those individuals’ credentials become compromised. Why risk it?
5. Implement Challenging Password Creation Requirements
Don’t allow employees to be lazy. Require them to create challenging, unique passwords for your company accounts. Capitalizations, numbers, symbols — use every piece of real estate that’s available on your keyword by making end users use a brilliant combination of these things in their passwords.
6. Require Employees to Use VPNs When Connecting via External Networks
If you or your employees connect to the internet or company resources from outside of your network, require them to do so through the use of a virtual private network (VPN). Whether it’s logging in to check their email at a coffee shop or participating in that virtual conference while at the airport, make sure that their connections are secure by using a VPN whenever they’re away from the office.
7. Use Reputable Data Leakage Prevention Tools
The modern high-tech world offers an assortment of different solutions that meet virtually any budget. But what do you need to look for? Here are some of the things you’ll want to protect (and some of the solutions that can help you do so):
- Network — this includes using network firewalls, network behavior and anomaly detection systems (NBADs), and network-based intrusion detection systems/intrusion prevention systems (IDS/IPS) to analyze traffic and activity.
- Hardware and Software — Another important way to protect your company against data leakage incidents involves ensuring your systems are up to date with regular updates and patching. You also should have physical security mechanisms in place to protect your physical IT infrastructure from unauthorized access. These protections can include keeping such equipment in a locked space, allowing only specific users access to that space, and using security monitoring.
- Endpoint Device Protection and Isolation — these types of protections include using antivirus and anti-malware solutions, endpoint encryption, host-based intrusion protection systems (HDSs), limiting user access, managing IP addresses via subnetting, using virtual local area networks (VLANs), and configuring demilitarized zones (DMZs).
- Data — whether you’re trying to protect data at rest, data in transit, or data in use, there’s a data protection and security solution to meet your needs:
- Data at rest — this includes database encryption and using S/MIME certificates to protect your email.
- Data in transit — this can be achieved by using SSL/TLS certificates on your web and email servers to enable secure, encrypted transactions.
- Data in use — this includes using encryption mechanisms such as homomorphic encryption.
8. Teach Employees to Take Their Time When Sending Emails and Uploading Data to the Cloud
This may seem pretty obvious, but rushing and not taking the time to double-check information and information fields is a surefire way to make a mistake. This is why it’s so important that you and your employees take the time to ensure that you’ve dotted your Is and crossed your Ts. When sending an email:
- double-check the “to,” “CC” and “BC” fields.
- make sure you don’t “reply all” when responding to an email (unless you intend to do so).
- ensure you’ve attached the right document or file.
- double-check the sender before you replay to any email.
In other words: Don’t rush. It’s not a race.