Data Loss Prevention: Internal and External Threats

In 1985, CIA officer Aldrich Ames didn’t spend his summer at the park or at the movies. He spent his summer meeting with Russian diplomats and KGB officers in Russia, offering up classified U.S. information about technical operations and personnel.

Until his arrest in 1994, Aldrich Ames continued to volunteer information to Russian officials. Due to his easy access to both information and diplomats as a CIA officer, this was easy money for Aldrich – to the tune of $4.6 million.

In addition to traditional spies and double agents like Aldrich Ames, today’s organizations face a barrage of new threats brought on by the digital age. In this interview, Terminal B Service Manager Alan Stephenson explains that data loss prevention can include many disciplines, from cryptography to legal compliance to data archiving rules.

Tasked with overcoming both internal and external threats, data loss prevention has never been more important, but it has also never been more accessible. Locally-owned cloud service providers like Terminal B can give your company more control than ever over the security of your data, providing security and peace of mind.

What Is Data Loss Prevention?

Data can be deleted, overwritten, shared, copied, and misused – Alan explains that data loss prevention is an extra layer of security in the form of a set of procedures that identify, monitor, and protect your company’s sensitive data.

It includes everything from your company’s shredding policies to your cloud backup service. This combination of digital tools and company policy helps to keep sensitive data out of the wrong hands. Data loss prevention (or DLP) is synonymous with a DLP solution, which is the software companies use to identify, monitor, and protect sensitive data.

Since your company has to protect against a wide range of threats, data loss prevention looks different in different contexts.

Data in Use

Data is “in use” when it’s in a non-persistent digital state. That means that somebody is accessing, reading, processing, updating, or erasing data within the system. Data in use is at risk from both malicious and accidental threats, such as accidental overwriting or deletion.

Data in Motion

To get data from point A to B, you have to set it in motion. When this data is in transit, it is vulnerable to attacks, especially if you are moving it outside of the business’s firewall (for example, sending a contract to an external vendor).

Data at Rest

When data is not in use or in motion, it is in storage. This “at rest” data may be stored on a physical computer or in a cloud-based storage solution. While data at rest is less vulnerable than data in motion, it’s an appealing target for malicious actors because of its volume and value.

Internal Data Loss Threats

Alan explains that while most data loss threats come from external actors, sometimes the call is coming from inside the house – internal actors (either well-intended or malicious) can also cause data breaches.

Accidental

Most of your employees and colleagues are likely to be well-intentioned. However, not following the right procedures (or not knowing the right procedures to follow) can leave your company vulnerable and exposed to the threat of data loss.

While much of data loss prevention focuses on malicious attacks, simple errors like deleting or overwriting data can also be costly. The first example Alan gives is an employee accidentally emailing unencrypted data to the wrong recipient—this kind of innocent mistake can have serious consequences, so businesses must have the right safeguards in place.

One such safeguard is Terminal B’s ability to flag unusual ingoing and outgoing emails, giving users a short window of time to turn back the clock and unsend an accidental email.

Businesses should implement and enforce data policies that restrict access to sensitive documents (users should be able to access only the documents they need to perform their job), prevent users from copying documents onto unencrypted devices and monitor for unusual email or network activity.

Malicious

In much the same way as malicious external actors, malicious internal actors pose a significant risk to your data security. Internal actors like disgruntled former or current employees and independent contractors are uniquely dangerous because they have access to more data and can do more damage than most external actors.

Methods of stopping malicious internal threats include preventing emails between business and personal accounts, restricting access to copying or moving documents, and layering access to the “crown jewels” of the company – top-priority data like recipes, source code, or financial accounts that internal actors may feel motivated to target.

Another important precaution is credential maintenance. Making sure that employees use secure credentials and that former employees and contractors no longer have access to private information is a key component of data loss prevention.

External Data Loss Threats

The most common data loss threat comes from malicious external actors. These malignant forces use various techniques to steal, modify, or corrupt your data – and today’s businesses need to be familiar with these threats.

Hacking

While “hacking” evokes images of frantic tech geniuses in dark rooms, the reality is more mundane – and costlier.

Methods today’s hackers use range from the very simple (like guessing someone’s password) to the more complex (like escalation of privilege or man-in-the-middle attacks). Hackers have many ways to gain access to protected information, and your company needs up-to-date data loss prevention solutions to combat these evolving tactics.

Alan suggests several strategies to mitigate the risk of unauthorized access, such as geo-fencing, multi-factor authentication, blocking vulnerable connections, and implementing data rules.

Phishing

A phishing attack impersonates a legitimate request for information (often by pretending to be an established company or even a specific individual) to trick users into providing confidential information. Phishing is one type of social engineering that costs companies millions of dollars each year.

“Spear-phishing” (or “targeted phishing”) is a phishing campaign that targets specific individuals, while “whale-fishing” or “whaling” exclusively targets top executives.

After gaining access, phishers may simply sit and wait—rather than “killing the golden goose,” Alan explains that phishers can infiltrate organizations for the long term, passing through fraudulent account numbers and poaching financial information over a period of weeks, months, or even years.

To prevent phishing, Alan recommends simulated phishing testing and ongoing monitoring to retroactively secure vulnerabilities.

Malware

One common type of malicious threat is malware – software that a hacker may attach to a system or that a phisher may trick users into installing.

Malware comes in many varieties, such as:

• Ransomware – Locks down a system until the owner pays a ransom
• Keyloggers – Stores a complete record of every keystroke on a device
• Trojan horse – Can do everything from disabling your firewall to locking your entire system.

Physical Theft

While it may seem mundane, physical theft of unencrypted laptops and hard drives (or even post-it notes with credentials written on them) is a significant driver of data loss.

A data loss prevention solution can’t stop burglars from breaking into your office, but it can guide them to where and how you store sensitive information.

Consequences of a Data Loss: What’s at Stake?

Data is one of your most valuable assets, and a data breach can be costly. Lost business, damaged reputation, and regulatory fines are all significant losses to your company. This makes data loss prevention a top priority for every industry

Compliance

Depending on your industry, geography, and the size of your company, different regulations may apply to your organization, but some major regulations you should be aware of are:

• The Health Insurance Portability and Accountability Act regulates how healthcare and healthcare insurance companies must disclose (or not disclose) private information.
• PCI DSS. The Payment Card Industry Data Security Standard sets rules for how businesses must process, store, and transmit credit card information.
• CCPA and The California Consumer Privacy Act allows California residents to request all the data any company of a certain size collects about them – even if the company is not located in California. The California Privacy Rights Act expands on the CCPA to add more options for consumers to opt-out of data collection.
• The Sarbanes-Oxley Act of 2002 dictates what kind of information public companies must record and store and how they must disclose that information.

Alan draws attention to an important reason companies use data loss prevention: having a written policy for compliance is important, but when employees diverge from the policy, a technological safeguard is an extra layer of security.

Reputation

Data breaches cause reputational damage to 46% of companies – 60% of which are likely to go out of business from reputational damage. Once your stakeholders lose trust in your organization, earning that trust back is an uphill battle.

Financial Loss

Data breaches are too costly to ignore, and they get costlier every year. A data breach in 2022 costs nearly 3x as much as a data breach in 2006. The financial risks of a data breach include regulatory fines and settlements, ransoms paid to hackers, the cost to replace stolen or deleted documents, and the cost of losing business due to reputational damage.

Following a 2015 data breach, Anthem learned how expensive falling out of compliance can be, to the tune of $16 million in HIPAA settlement costs. While $16 million is a significant outlay, it’s far from the most expensive data breach, as the cost of high-profile breaches like Equifax’s 2017 breach or Epsilon’s 2011 breach could be in the billions.

Data Loss Prevention Through Terminal B

Is your data secure? Do you know that it’s secure?

Data loss prevention has historically been expensive, with only the biggest companies able to afford high-functioning security. Today, Terminal B makes cybersecurity simple and accessible to a wide range of businesses. As one of the only locally owned managed service providers, we can bring you the best of both worlds: worry-free service from experienced professionals paired with a level of personal attention that larger firms can’t provide.

You shouldn’t have to be a DLP expert to stay secure. Rest assured that you are secure and compliant by trusting Terminal B’s worry-free IT ecosystem.

Don’t leave your security up to guesswork, and don’t leave yourself vulnerable to data breaches. Terminal B is one of only a handful of Microsoft Gold Cloud Service Providers in the country: with this level of experience and expertise at your disposal, let our experience be your competitive advantage.

Ready to experience what it’s like to have technology you can trust? Contact us today to learn more.