What is Data Leakage?
Data leakage is when sensitive data is unintentionally exposed to the public. Data can be exposed in transit, at rest or in use. Data exposed in transit can include data sent in emails, chat rooms, API calls, and so on.
Data exposed at rest may be the result of a misconfigured cloud storage facility, an unprotected database, or lost or unattended devices. Data exposed in use may be from screenshots, printers, USB drives or clipboards. A data leak is not the same as a data breach, although a data leak can sometimes result in a data breach. The key difference is that a data leak is not the result of a hacking attempt, but the result of employee negligence.
How Can Data Leaks Be Exploited?
What makes data leakage so problematic is that it's practically impossible to know who has access to the data once it has been exposed. If a cyber-criminal gains access to the leaked data, they can use it for a variety of purposes. Firstly, they might try to use it to launch a targeted social engineering attack (spear phishing).
Naturally, the more confidential data they have access to, the easier it will be to impersonate an employee or executive. This is especially true if the leaked data contains psychographic data, such as a data subject's values, opinions, attitudes, interests, and lifestyle choices. Likewise, behavioural data, such as the data subject's search history, pages visited, apps and devices used, can also be used to customize the phishing emails. Attackers can also use leaked data for the purpose of marketing, doxxing, extortion, surveillance and intelligence, or to simply cause disruption to the organization whose data was leaked.
Even though, in most cases, data leaks don't directly lead to a breach, they are still treated in much the same way. After all, any company that operates in a regulated industry will be required to notify the supervisory authorities about any personal data that was leaked to the public, regardless of whether or not the data was used for nefarious purposes. As such, companies must take data leaks very seriously in order to avoid any reputational or financial damage that might be incurred as a result.
10 Ways to Prevent Data Leaks
The techniques and technologies used to prevent data leaks are mostly the same as those used to prevent data breaches. Most data loss prevention strategies start with carrying out risk assessments (including third-party risk assessments) and defining policies and procedures based on those assessments. However, in order to carry out a risk assessment, you must first understand what data you have, and where it is located.
1. Data discovery and classification
Use a solution which can automatically discover and classify your sensitive data. Once you have done this, carefully remove any ROT (Redundant, Obsolete and Trivial) data to help streamline your data protection strategy. Classifying your data will make it easier to assign the appropriate controls and keep track of how users interact with your sensitive data.
2. Restrict access rights
As always, it’s a good idea to limit the number of users who have access to sensitive data, as this will reduce the risk of data leakage.
3. Email content filtering
Use a content filtering solution that uses deep content inspection technology to find sensitive data in text, images and attachments in emails. If sensitive data is found, it will send an alert to the administrator, who can verify the legitimacy of the transfer.
4. Controlling print
Sensitive files can be stored on printers that may be accessed by an unauthorised party. Ask users to sign in to access the printer, limit the functionality of the printer based on their role and ensure that documents containing sensitive data can only be printed once. You will also need to make sure that users don't leave any printed documents containing sensitive data in the printer tray.
5. Encryption
It's always a good idea to encrypt sensitive data both at rest and in transit. This is especially relevant when storing sensitive data in the cloud.
6. Endpoint protection
A Data Loss Prevention (DLP) solution can be used to prevent endpoints (desktops, laptops, mobiles, servers) from leaking sensitive data. Some DLP solutions can automatically block, quarantine or encrypt sensitive data as it leaves an endpoint. A DLP solution can also be used to restrict certain functions, such as copy, print, or the transferring of data to a USB drive or cloud storage platform.
7. Device control
It is common for users to store sensitive documents on their smartphones and tablets. In addition to device management policies, you will need a solution which monitors and controls what devices are being used, and by whom. You will also need to use Mobile Device Management (MDM) software, as this will make it easier for security teams to enforce the use of complex passwords, service the device remotely and control which applications can be installed on the device. Most MDM solutions can also track the location of the device and even wipe the contents of the device if it gets lost or stolen.
8. Cloud storage configuration
Data leaks caused by misconfigured storage repositories are common. For example, many data breaches were reportedly caused by Amazon S3 buckets being exposed to the public by default. Likewise, GitHub repositories and Azure file shares have also been known to expose data when they are not configured correctly. As such, it is crucially important to have a formalized process for validating the configuration of any cloud storage repositories you use.
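One step of such a validation process for S3, as an added example that is not part of the original article: it checks an exported bucket configuration offline for the three usual sources of public exposure. The export layout (the `PublicAccessBlock`, `Grants` and `Policy` keys) and both sample buckets are assumptions constructed for illustration; the field names inside them follow the S3 API.

```python
import json

# Grantee URIs that S3 ACLs use for "everyone" and "any AWS account".
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else (principal or []))


def audit_bucket(cfg: dict) -> list:
    """Return findings for one bucket's exported settings (assumed layout)."""
    findings = []
    pab = cfg.get("PublicAccessBlock") or {}
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append("public access block disabled: " + ", ".join(missing))
    for grant in cfg.get("Grants", []):
        if grant.get("Grantee", {}).get("URI") in GLOBAL_GROUPS:
            findings.append("ACL grants %s to a global group" % grant["Permission"])
    policy = json.loads(cfg.get("Policy") or "{}")
    stmts = policy.get("Statement", [])
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        # Unconditional Allow to everyone; conditional ones need manual review.
        if (s.get("Effect") == "Allow" and is_wildcard(s.get("Principal"))
                and not s.get("Condition")):
            findings.append("policy allows %s to any principal" % s.get("Action"))
    return findings


# Constructed sample exports; the bucket name is a placeholder.
EXPOSED = {
    "PublicAccessBlock": None,
    "Grants": [{"Grantee": {"Type": "Group", "URI":
                "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}],
    "Policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
}
LOCKED = {"PublicAccessBlock": dict.fromkeys(PAB_KEYS, True), "Grants": [],
          "Policy": None}
```

Run against every bucket on a schedule, an empty result for each one is the pass condition; any finding goes to the owner of that bucket.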
9. Real-time auditing and reporting
Arguably one of the most effective ways to prevent data leakage is to keep track of changes made to your sensitive data. Administrators should have an immutable record of who has access to what data, what actions were performed, and when. The administrators should be informed (in real-time) when sensitive data is accessed, moved, shared, modified or removed in a suspicious manner or by an unauthorized party. This can be especially useful for monitoring access to sensitive data stored in the cloud. If an alert is raised, the administrator can launch an investigation into the issue – perhaps starting off by verifying the permissions of the storage container.
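The alerting logic described above can be sketched over an audit trail as follows. This is an added example, not taken from any auditing product: the comma-separated event format, the five-minute window, the threshold and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed burst window
THRESHOLD = 3                   # assumed max events per user per window
WATCHED = {"read", "move", "share", "modify", "delete"}


def detect(events, authorized):
    """Return alerts for restricted-data events by unauthorized users or in bursts."""
    alerts = []
    recent = defaultdict(deque)          # user -> timestamps of recent events
    for line in events:
        ts_s, user, action, label, path = line.split(",")
        if label != "restricted" or action not in WATCHED:
            continue
        ts = datetime.fromisoformat(ts_s)
        # The top-level folder decides which users may touch the file.
        if user not in authorized.get(path.split("/")[1], set()):
            alerts.append((ts_s, user, "unauthorized " + action, path))
        q = recent[user]
        q.append(ts)
        while ts - q[0] > WINDOW:        # drop events that fell out of the window
            q.popleft()
        if len(q) == THRESHOLD + 1:      # fire once when the threshold is crossed
            alerts.append((ts_s, user, "burst of %d events" % len(q), path))
    return alerts


# Constructed audit events: timestamp,user,action,classification,path
EVENTS = [
    "2024-05-01T09:00:00,alice,read,restricted,/finance/payroll.xlsx",
    "2024-05-01T09:00:30,bob,read,internal,/wiki/onboarding.md",
    "2024-05-01T09:01:00,temp01,share,restricted,/finance/payroll.xlsx",
    "2024-05-01T09:02:00,alice,read,restricted,/finance/q1.xlsx",
    "2024-05-01T09:02:20,alice,move,restricted,/finance/q2.xlsx",
    "2024-05-01T09:02:40,alice,read,restricted,/finance/q3.xlsx",
]
AUTHORIZED = {"finance": {"alice"}}

if __name__ == "__main__":
    for alert in detect(EVENTS, AUTHORIZED):
        print("ALERT", alert)
```

The second alert shows why authorization alone is not enough: alice is permitted to read the finance folder, but four restricted-file events in under three minutes is the kind of pattern the administrator should be told about.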
10. Security awareness training
As mentioned previously, data leaks are caused by negligent employees. The reality is, people make mistakes. Such mistakes might include emailing sensitive data to the wrong recipient, losing a USB drive, or leaving a printed document containing sensitive data in the printer tray. The most effective way to reduce the number of mistakes that our employees make is to ensure that they are well informed about data security best practices. Having an intuitive classification schema, such as public, internal and restricted, will help employees determine how certain types of data should be handled.