Data Integrity Breaches: What CISOs Should Know
Data integrity breaches are set to send shockwaves throughout the world in 2017, with at least one ‘almighty’ breach disclosure of this type expected next year. In simple terms, data integrity is a promise or assurance that information can be accessed or modified only by authorised users. It attacks compromise that promise, with the aim of gaining unauthorised access to modify data for a number of ulterior motives, such as financial or reputational.
Data integrity attacks are nothing new, yet they remain under the radar of businesses who have an ever increasing reliance on data and make huge business decisions based on its analysis. These types of attacks are what I like to call the ultimate weaponization of data.
The first generation of cyber-attacks focused on stopping access to the data, which quickly moved on to stealing it. Today, we’re starting see to more and more evidence that the stolen data is being altered before transition, effecting all elements of operations. With the increasing uptake of the Internet of Things, hackers have more attack surfaces and personas that they can manipulate. Take a wearable fitness device such as the Fitbit for example, and look at the number of different people that touch it – the user, the manufacturer, the cloud provider hosting the IT infrastructure, the third parties accessing it via an API, etc. You can start to see how this can create a cross pollination of risk that the security industry has not seen before. And, this is just a personal “thing”, so when you take account of all the things that are connected to critical and national infrastructures, you can start to see how this can quickly get out of hand.
It’s scary, but data integrity attacks have the power to bring down an entire company and beyond; entire stock markets could be poisoned and collapsed by faulty data; the power grid and other IoT systems from traffic lights to the water supply could be severely disrupted if the data they run on were to be altered. And perhaps the greatest danger is that many of these could go undetected for years before the true damage reveals itself.
Here are some of the tips for businesses to avoid being the next big damaging headline:
1. Understand your data: In order for a business to protect itself, it should first conduct a data sweep to understand what data it has collected or produced and where the most sensitive parts of that data sit. It’s crucial for businesses to understand what they are trying to protect before they can even think about how to protect it.
2. Two-factor authentication: An organisation’s next step should be to focus on the adoption of strong two-factor authentication, which provides that extra layer of security should user IDs or passwords become compromised.
3. Encryption: While two-factor authentication is there to help to stop information being taken in the first place, encryption provides the layer to stop customers’ sensitive data being used if it is accessed. Companies need to utilise encryption to protect this data wherever it is found, that’s a given. Whether this be on-premise, virtual, public cloud, or hybrid environments. More importantly, the traditional data security mind-set has to evolve, with companies needing to approach it with a presumption that perimeters will be breached and, as such, prepare the correct encryption necessary, to protect the most vital aspect, the data.
4. Key management: Once a proper encryption strategy is in place, attention must switch to strong management of the encryption keys. Encryption is only as good as the key management strategy employed, and companies must ensure they are kept safe through steps like storing them in hardware modules to prevent them being hacked. After all, it’s no good having the best locks on your house and then leaving the house keys under the mat for any passing opportunist burglar to pick up!
5. Education: In order to build trust, companies need to educate their workforce and their consumers on the steps they have taken to protect their data. And it doesn’t just end there. Businesses need to employ a two-pronged approach, educating their employees and consumers on the steps they should also be taking to remain safe and protect their personal data themselves, which leads to them understanding how to protect the company’s data.
[Disclaimer: The views expressed in this article are solely those of the authors and do not necessarily represent or reflect the views of Trivone Media Network's or that of CXOToday's.]
- India Ranks 7th On Web Application Attacks: Akamai
- CXOs Still Wary Of Cloud Data Security: Study
- PNB Scam: Some Tech Lessons For Indian Banks
- Embracing Technology For HR Innovation
- IBM Steps Up Its Skills Development Efforts In India
- Why Financial Sector CIOs Should Get On Top Of Machine Learning
- Direct Co-ordination With CEO Can Maximise Cyber Security
- Cyber Security: Challenges And Potential For Indian Businesses
- F Secure Is Growing Much Faster Than The Market
- Weekly Rewind: Top 10 Stories On CXOToday (Feb 5-9)