How businesses can avoid data integrity breaches
Looking back on the year that was, security certainly dominated 2016, with an alarming number of local and global data breaches making headlines. So what's in store for 2017? It has been forecast that 2017 will in fact be the 'Year of the Data Integrity Breach', with at least one almighty breach disclosure set to send shockwaves throughout the world.
Data integrity is a promise or assurance that information can be accessed or modified only by authorised users. Data integrity attacks compromise this promise, with the aim of gaining unauthorised access to modify data for a number of ulterior motives, such as financial or reputational ones. While sinister data attacks are nothing new, it is important to note that these types of attacks still remain under the radar of businesses that have an ever-increasing reliance on data. This can be thought of as the ultimate weaponisation of data.
The way cyber-attacks have transformed over time is an interesting development. The first generation of cyber-attacks focused on stopping access to the data; this then progressed to the theft of the data itself. Today, we're starting to see more and more evidence that the stolen data is being altered before transition, affecting all elements of operations. With the increasing uptake of the Internet of Things, hackers have more attack surfaces and personas that they can manipulate.
For example, a wearable fitness device like a Fitbit is touched by a number of different parties: the user, the manufacturer, the cloud provider hosting the IT infrastructure, the third parties accessing it via an API, and so on. You can start to see how this can create a cross-pollination of risk that the security industry has not seen before. A Fitbit is just a personal device; once you take into account all the things that are connected to critical and national infrastructures, you can start to see how this can quickly get out of hand.
It is unnerving, but data integrity attacks have the power to bring down an entire company and beyond; entire stock markets could be poisoned and collapsed by faulty data; the power grid and other IoT systems from traffic lights to the water supply could be severely disrupted if the data they run on were to be altered. And perhaps the greatest danger is that many of these could go undetected for years before the true damage reveals itself.
Gemalto's top tips for businesses:
1. Understand your data
It is absolutely crucial for businesses to understand what they are trying to protect before they can even think about protecting it. Therefore, businesses need to conduct a data sweep to understand what data they have and where the most sensitive parts sit.
2. Two-factor authentication
An organisation's next step should be to focus on the adoption of strong two-factor authentication, which provides that extra layer of security should user IDs or passwords become compromised.
3. Encryption
Encryption provides the layer that stops customers' sensitive data being used if it has been accessed. Companies need to utilise encryption to protect this data wherever it is found, whether that is in on-premise, virtual, public cloud, or hybrid environments. Most importantly, companies need to adopt a new approach that presumes perimeters will be breached and, as such, prepare the encryption necessary to protect the most vital aspect: the data.
4. Key management
Encryption is only as good as the key management strategy employed, and companies must ensure the keys are kept safe through steps like storing them in hardware modules to prevent them being hacked. Think of it like this: it's no good having the best locks on your house and then leaving the house keys under the mat for any passing opportunist burglar to pick up.
5. Education
In order to build trust, companies need to educate their workforce and their consumers on the steps they have taken to protect their data. Businesses need to employ a two-pronged approach, also educating their employees and consumers on the steps they should be taking themselves to remain safe and protect their personal data, which in turn leads to them understanding how to protect the company's data.