What is data leakage?
Data leakage is the unauthorized transmission of data from within an organization to an external destination or recipient. The term can be used to describe data that is transferred electronically or physically.
Data leakage threats typically occur through web and email, but may also occur via mobile data storage devices such as optical media, USB keys, and laptops.
A common type of data leakage is called cloud leakage. Cloud leakage happens when a cloud data storage service exposes confidential consumer data to the Internet. Cloud services offer great advantages over on-premises infrastructure, but they bring new risks that could result in security breaches via data leaks.
The worst part is that once a data exposure has happened, it is extremely difficult to know whether the data was accessed. This means that your confidential data, trade secrets, source code, customer data, personal data, and anything else stored on information systems could be exposed or used as part of corporate spying.
Data leaks are caused by simple errors, but those whose data is exposed don't care how the data was exposed, only that it was. The breach notification requirements for data leaks are the same, as is the potential for reputational, financial, legal, and regulatory damage.
The biggest scandals
Data breaches happen to the biggest companies, like Microsoft, Marriott Hotels, and Facebook. The intrusions at these companies are a reminder that after years of headline-grabbing attacks, the computer networks of big companies are still vulnerable.
In 2019, the phone numbers of 20% of Facebook users, which translates to 419 million individuals, were leaked. It's important to note that Facebook itself has not been hacked. Rather, the databases contained information about Facebook users that was scraped when Facebook still allowed developers access to users' phone numbers.
In 2018, the Marriott reservation system was attacked by hackers. Marriott International revealed that hackers had breached its Starwood reservation system and had stolen the personal data of up to 500 million guests. The names, addresses, phone numbers, birth dates, email addresses, and encrypted credit card details of hotel customers were stolen. The travel histories and passport numbers of a smaller group of guests were also taken.
What can we do to prevent it?
Data loss prevention (DLP) policies provide organizations with a basic framework for managing this landscape and adapting to evolving data security best practices, while still capturing the benefits of enterprise mobility. Here are five DLP policy principles upon which to build a solid security strategy, as explained by Eric Williams, the founder of threat defense software Ijura.
Organizations must be aware of what constitutes valuable and/or sensitive material and prioritize protection levels before a DLP policy can be implemented. High-value classifications might include intellectual property, sales and/or payment data, financial data, customer data, governance or compliance data, employee tax or health data, etc. All of this information should be identified and classified to inform general policies on controls for safe data storage, access, and exchange.
Monitoring the flow of sensitive information and the vectors through which it travels is foundational to DLP. It provides organizations with situational awareness, surfaces vulnerabilities, and aids in detecting anomalous traffic that can indicate data leakage. Observable leakage vectors are the channels through which data flows and may include smartphones and laptops, email, collaboration software and chat tools, cloud or database storage, internal networks and the internet, printouts, USB drives, etc.
In addition to observation, some form of logging aids DLP by accumulating an auditable history of data movement and access should leakage occur. You have to be able to trace what happened to remediate a problem. And logging can also aid in proactively setting or adjusting DLP policy as needs evolve, new usage patterns emerge and data classifications are added or recalibrated.
Elevating security awareness is one of the most powerful principles of DLP. In many instances, employees or partners circumventing organizational security processes or engaging in risky data-handling behavior are completely unaware of the danger. Education programs, pop-up alerts, usage option menus and automated email reminders that are generated by access to sensitive data or DLP policy violations can go a long way toward instilling a security mindset across the organization and reducing negligent data leaks.
Nobody in the enterprise wants to be the gatekeeper who impedes business functions, which is a huge issue in DLP policy adoption. The fear is that too many controls on data access or movement will slow the pace of work and interfere with legitimate business transactions. However, in an age of proliferating cyber threats, some form of blocking capability is required for effective DLP. Blocking doesn’t have to mean strict denial of access; it can involve simple authentication controls, quarantining, and approval mechanisms for sensitive data transfer or automatically redacting or encrypting protected data in email.
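The classification, logging and blocking principles above, applied to one vector (outbound email), as an added example that is not from the article or from any DLP product. The function names, the quarantine threshold and the sample message are assumptions made for illustration.

```python
import hashlib
import json
import re

# Candidate card numbers: 13-19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
QUARANTINE_THRESHOLD = 3  # assumed policy value: this many cards holds the message
# Constructed sample: an order number (not a card) and a well-known test card number.
SAMPLE_BODY = "Order 1234567890123456 was paid with card 4111 1111 1111 1111."


def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_outbound(sender, recipient, body):
    """Classify one outbound message, choose an action, build an audit record."""
    hits = 0

    def mask(match):
        nonlocal hits
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()  # fails the checksum: leave the text untouched
        hits += 1
        return f"[REDACTED CARD ending {digits[-4:]}]"

    redacted = CARD_RE.sub(mask, body)
    action = "allow" if hits == 0 else "redact" if hits < QUARANTINE_THRESHOLD else "quarantine"
    audit = json.dumps({
        "sender": sender, "recipient": recipient,
        "classification": "payment-data" if hits else "unclassified",
        "matches": hits, "action": action,
        # Store a hash, not the body, so the log is not a second copy of the data.
        "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
    }, sort_keys=True)
    # Quarantined mail is held for approval, so nothing is delivered yet.
    deliver = None if action == "quarantine" else redacted
    return {"action": action, "deliver": deliver, "audit": audit}
```

Checksum validation keeps false positives such as order numbers from being blocked, which is what lets a filter like this redact or hold mail without impeding ordinary business traffic.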