Cybercrime is all around us, both as individuals and in our businesses. The amount of money and valuable assets stolen or misappropriated through attacks like ransomware ranks in the billions of dollars in Canada alone, and obviously it is a worldwide issue.
Most businesses now recognize the dire threat of a cyberattack, and rank it near the top of the risks which can affect an entity. It is not exaggeration to say that a successful cyber hack can be an existential threat for any business, especially small and medium-sized enterprises that simply do not have the resources to recover.
None of this is new to you. You are probably tired of having to spend time and money to defend yourself, and you are likely even more tired of seeing all the standard advice – keep your anti-malware software up to date, educate employees, blah blah blah. Hey, I’m not saying that advice is wrong, or that you can ignore it. It’s just that we have heard it so often that it becomes utterly fatiguing.
I want to highlight a couple of things that are just as important but which do not get the same level of attention. These are fundamental principles to build into your organization’s infrastructure to reduce your attack surface, or at least the harm a successful attack can do.
The risks are substantial. There are often statutory penalties, against both the organization and potentially its directors personally, for breach of relevant privacy laws; a potential public privacy commissioner investigation, and the related organizational and legal time and costs; negative publicity and reputational damage; the costs of being unable to carry on business, and potentially the business closing down. All of these are bad enough, but remember another very expensive one: privacy breach civil lawsuits that now seem to follow every significant data leak.
A serious problem with these civil lawsuits is that they are increasingly structured as class actions. This amplifies the problem for a defendant. While the damages suffered by a customer who has their information disclosed might be minimal, maybe only a few dollars each, multiply that by the number of customers affected. Several thousand, or even millions, of plaintiffs equals a very, very big payout by the victimized company, and can literally cause its demise.
But I won’t spend more time highlighting the risk – you have a pretty good idea about it already, even if it is something you don’t want to think about. I am going to just mention a couple of things you can do right now to at least lessen the risks. These do not replace all good IT practices and protections, but they are important.
The first thing is to remember that every piece of information you hold represents a risk/benefit calculation. Let’s consider the most basic material which nearly every business holds: contact information for its customers. Imagine the impracticality of having to phone the customer every time we need their address. That kind of data is always stored, but for the most part, it is not highly sensitive. Much of it is available through other public sources, and even if something more private, like an unlisted phone number, is disclosed, it probably will not be a financial catastrophe.
It does not take long, however, for the information stored to expand. Many businesses, for example, retain a customer’s credit card information in their files. This makes it much easier to handle future payments and subscription renewals, naturally, but it severely tilts the risk/benefit ratio. Credit card information is so valuable that it is literally the first thing most hackers look for when they penetrate a system, and once it is on the street, it can cause huge issues for the customer and, in turn, for the business that allowed the information to leak.
Similar concerns apply for one of the other forms of data that is considered highly sensitive – health records. Any medical office knows this information is extremely confidential and must be closely guarded. Yet if your business is not in the medical field but holds some of that data – maybe insurance records which contain it – you face the same risk.
The solution to this is simple: don’t hold excess information. What do I mean by excess? Well, it depends, mostly on your risk tolerance. You need to remember that every morsel of information you hold increases your risk of liability if it is released. If it is just a customer’s address, well, probably not the end of the world, although if you are a business that must maintain confidentiality, like a law office, disclosure of just a name can be a big problem. The more information you hold, despite the convenience, the more risk you assume if there is a breach. You need to carefully assess whether the benefit you obtain by holding that information outweighs the risk of its release.
The second problem to assess is unstructured data. Things like search engines and even AI are now really good at finding relevant information within giant blobs of data. We often just dump all our emails into archives without much organization, or store documents in relatively unorganized folders. We then rely on the search tools in our operating systems or email clients to match keywords as fast as we can type them.
It works pretty well for finding information, but unstructured data has a serious flaw. Because it is unorganized, it is very difficult to determine what we actually have. Are there credit card numbers floating around in the blob, or sensitive health information? It can be hard to confirm.
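One practical way to answer the question above is a discovery scan: walk the text of an archive looking for card-number-shaped strings, then use the Luhn check digit to discard ordinary long numbers (invoice or order numbers) that merely look like cards. The script below is an added illustration of that approach, not part of the original article; the e-mail fragment it scans is constructed for the example, and the card-like numbers in it are standard test numbers, not real cards.

```python
import re

# Constructed sample of unstructured text, standing in for a dumped e-mail archive.
# The 4111... and 5500... values are well-known industry test numbers, not real cards.
SAMPLE_BLOB = """Subject: Re: renewal for March
Hi, the renewal went through. The card on file ends in 4242.
Full card for the file: 4111 1111 1111 1111, exp 04/27.
Invoice #1234567890123 was paid by cheque.
Ref: 5500-0000-0000-0004 (corporate card)
Order 1234 5678 9012 3456 is just an order number."""

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true if the last digit is a valid check digit
    for the preceding ones. Every real payment card number passes this."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[dict]:
    """Scan free text line by line and return likely card numbers.

    Each finding records the line number, the masked number (only the
    last four digits kept, so the report itself is not a new leak) and
    the digit count. Candidates that fail the Luhn check are dropped.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({
                    "line": lineno,
                    "masked": "*" * (len(digits) - 4) + digits[-4:],
                    "length": len(digits),
                })
    return findings


def report(text: str) -> int:
    """Print a masked summary and return the number of findings."""
    findings = find_card_numbers(text)
    for f in findings:
        print(f"line {f['line']}: {f['masked']} ({f['length']} digits)")
    return len(findings)


if __name__ == "__main__":
    report(SAMPLE_BLOB)
```

Run against the sample, the scan reports the two genuine test card numbers (lines 3 and 5) and ignores the 13-digit invoice number and the 16-digit order number, both of which fail the Luhn check. Printing only a masked form matters: a discovery report that lists full card numbers simply creates one more sensitive file to protect. The same pattern extends naturally to other identifiers with a known format (health insurance numbers, for instance), which is what makes a scan like this a reasonable first step before deciding what to delete, move to a structured store, or segregate.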
Compare that to structured data. Like its name suggests, the information is organized and categorized to a higher extent. If you have ever worked with a formal database application like Oracle or Access, you know that you can set up records with fields, so there are separate entries for names, addresses, email addresses, specific customer data, and so on. In a structured database, it is usually pretty easy to see whether you are holding credit card numbers – just look for a credit card number field.
Structured data does not necessarily protect the information better, but it does give you much more insight into what you are holding. Not only can you exclude that sensitive information from the start, you can put extra measures into place if such information exists.
If your business has only used unstructured collections it is not easy to convert to structured, but if you are holding high-value information, it might be far cheaper to go down that road rather than suffer the costs of a breach. It will require some effort for your IT infrastructure, but will add protection.
One more thing to consider: if you absolutely must hold high-value data, segregate it from normal access. We are used to retrieving information over a network, over our internal LAN or the full internet. It is convenient, but similarly convenient for anyone that manages to penetrate your defences. An air-gapped computer, one with no network connection at all, can be useful here. Storing, say, credit card numbers on a standalone machine that is not connected to your LAN or the internet provides a valuable layer of security. Users must physically walk to this machine to retrieve information. Slightly less convenient, sure, but more expedient than calling the client for the details every month. And way more convenient than a breach, obviously.
These steps are straightforward but they clearly need some planning. You also have to investigate where your exposure and weak spots might be. An audit of your infrastructure can help with this. We do them often, and there can be advantages to having a lawyer who is familiar with cybersecurity and internet security conduct it on your behalf. If you would like more information on these types of services, or just have questions on elements in your own environment, don’t hesitate to reach out.