In this article, I will answer the question “What is data leakage?”. I will also explain the difference between data leakage and a data breach and what companies can do to protect the sensitive information in their custody.Table of Contents
The term “Data Leakage” describes any event where confidential information is exposed to potential unauthorized access. When data leakage occurs a cybercriminal can gain unauthorized access to sensitive information without needing to bypass security controls.
Examples of data leakage include:
While data leaks and data breaches are similar (and the terms are often used interchangeably), the core difference is that a data breach describes when an attack results in a threat actor accessing sensitive data, whereas a data leak describes the accidental exposure of sensitive data.
Data leakage often occurs due to security vulnerabilities, poor data protection practices, human error, or accidental inaction by a user. While a breach can be made more viable through these factors, they require purposeful effort from a cybercriminal to occur.
When sensitive information is exposed to unauthorized parties through a data leak or malicious attacks it can result in serious consequences for the organization such as compliance violations, financial penalties, loss of competitive edge, and becoming a more viable target for a spear-phishing attack.
Though data leaks will often not directly lead to a breach, the offending organizations are still required to perform similar incident response plans. They must notify any supervisory authorities about the sensitive information that was made accessible to the public as the data leakage could have provided an opportunity for exfiltration.
They will also be required to perform validation on their existing controls and practices to prevent future attacks, data leakage, and/or data breaches.
The term “Sensitive Data” describes confidential data such as trade secrets, personally identifiable information (PII), protected health information (PHI), financial data, and other related internal documents that organizations are responsible for the protection of.
In June of 2018 security researcher Vinny Troia discovered an unprotected database that belonged to Exactis, a compiler and aggregator of business and consumer data. The exposed database contained nearly 340 million individual records, many of which contained personally identifiable information of individuals.
In 2015 Data Breach Today reported on two incidents where healthcare staff members at the North Carolina Department of Health and Human Services sent unencrypted email messages containing PHI to other local health departments in the state.
While in this example they did not detect any sign of these internal resources being breached, the lack of encryption created the potential for a data breach, making the incident a HIPAA violation.
HIPAA (The Health Insurance Portability and Accountability Act of 1996) is a security compliance framework that is specific to the healthcare industry. Under HIPAA covered entities are held to stringent network and data security requirements.
North Carolina public health officials stated that they would remind their staff to encrypt emails with confidential data and they would search for tools that can encrypt emails automatically to avoid human error in the future.
As with any cybersecurity topic, there is no definitive answer for avoiding data leakage 100% of the time. As technology evolves it will introduce new ways that data leaks and data breaches can occur.
That said, there are best practices that organizations can take to prevent data leaks and protect the repositories containing trade secrets and the personal data of their customers.
When employees are given unrestricted use of portable storage devices, the leakage of data can be caused by something as simple as a misplaced USB flash drive. To mitigate against this risk you should use USB control software to monitor and control the use of removable media devices.
With these solutions, you will have the features you need to ensure that only trusted devices are allowed to be used in your network. You’ll also be able to set USB device policies that only allow authorized users to transfer data to portable storage devices.
Get started today—Download the FREE template and customize it to fit the needs of your organization.
Employee monitoring software solutions are essential security tools. By monitoring transfers to portable storage devices, the applications that employees use, and web browsing habits you can detect anomalous and high-risk behavior to protect your business from accidental and malicious insider threats.
The role that accidental insider threats have in the leakage of data simply cannot be understated. According to CybSafe’s analysis of data from the UK’s Information Commissioner’s Office (ICO), 90% of data breaches in 2019 were caused by human error.
For this reason, any organization that takes its cybersecurity responsibilities seriously must invest in training its users on the security risks and responsibilities that come alongside their roles.
Security awareness includes phishing and social engineering awareness, cybersecurity policies, internet security best practices, password security training, and the unique data security responsibilities of their role.
When data is leaked a malicious actor could gain access to it. Encryption will make the data illegible to anyone that does not have the associated encryption key, reducing the chances that the data can be used for personal gain. Any authorized employee that needs to decrypt the data can be provided with the means to do so.
To protect your business and your customers, you need to ensure that trade secrets, personal information, and other forms of sensitive data are only accessible on an as-required basis. If any user in your company can access this data it is far more likely that data leakage will occur.
This best practice is not just for your organization’s immediate employees, either. All third-party entities need to be vetted and restricted accordingly. Even with a documented chain of custody your organization is equally responsible for a data breach that is caused by a third party.
While cloud servers are a valuable solution for the modern workforce, these resources must be adequately protected to prevent unauthorized users from accessing them.
Many data leaks are the result of data repositories being made accessible to the internet without proper security measures in place. Repositories such as Amazon S3 buckets, Azure file shares, and GitHub repositories must have a secure password and multifactor authentication enabled at the bare minimum.
If these repositories have sensitive data stored on them further security measures such as encryption, restricting public access, and implementing an identity and access management solution.
Meeting (or exceeding!) security standards must be a priority throughout your entire organization.
Performing regular vulnerability assessments helps your organization identify its weaknesses, test the effectiveness of its current mitigation measures, and identify opportunities to improve your security posture.
Unfortunately, Netwrix research found that though 70% of companies are already doing risk assessments, the majority of them do not do it regularly.
Risk assessments simply aren’t a one-and-done deal; identifying and mitigating risks needs to be a continuous process to ensure that your organization is prepared to address new threats as they arise.
How often should IT risk assessments be done? The recommended best practice is to re-evaluate your risks at least every one to three years. This ensures that your security controls remain adequate as your IT assets change and new threats and vulnerabilities emerge.
During this process, you should perform a data discovery and classification assessment that identifies what sensitive data your business is responsible for, where it is stored in the network, who could have access to it, and what measures are required to ensure its confidentiality, integrity, and availability.
Misaddressed emails are one of the most common causes of data leakage. To help protect against this vulnerability you can implement a Secure Email Gateway (SEG) that detects when sensitive data is being transmitted via email and blocks its transmission.
Rather than sending sensitive data via email, the company can create a secure repository to store data on that only allows an authorized user to access it. This centralization of data further protects against data leaks by reducing the number of copies that need to be protected.
Now what you know what data leakage is and how to prevent the leakage of data, you can learn more about insider threat management and cybersecurity with these articles and other resources.
Need to protect against data leakage to portable storage devices, printers, and other peripherals? Get started today with a free trial of AccessPatrol, CurrentWare’s Device Control Software Solution.
Are your employees putting sensitive data at risk by using consumer-grade cloud storage accounts? In this article you will learn the security risks of shadow IT cloud platforms (“bring your own cloud”), multiple cloud DLP tips, and how to block employees from accessing Dropbox, Google Drive, and other consumer-grade cloud storage platforms.
The damage that trusted insiders can cause is extraordinary. According to the 2020 Ponemon Institute Cost of Insider Threats report the average cost per insider incident was a staggering $11.5 million in 2020. Follow these tips to protect your company’s sensitive data against theft, misuse, and loss from malicious and negligent insider threats
Are you concerned about the damage a terminated employee could cause with sensitive corporate information, account passwords, and other proprietary data? Follow these 5 data security tips to protect your sensitive data against insider threats when offboarding employees.