Data leak: how it happens and what to do with it

Father

Table of contents
  1. Culprits of information leaks
  2. How data leaks
  3. Security measures
  4. What should I do if an information leak occurs

Information leakage is one of the most widely publicized negative events in information security: leaks are regularly reported in the media. This year, public attention to the topic of data leaks has grown to such an extent that government agencies have decided to review the existing measures of liability that companies face for leaking information.

The most high-profile information leaks involve the personal data of a company's customers, since they affect a large number of individuals and draw the attention of ordinary citizens. However, the loss of corporate data about strategy, financial performance, or future developments is often far more damaging to the business itself than a leak of customer data.

Culprits of information leaks

The primary source of any leak is always a person. Broadly, two sources of information leakage can be distinguished:
  1. Intruders. An external attacker who wants to obtain confidential information: a hacker, a phisher, or a representative of a competing company.
  2. Insiders. An employee of the company who has access to certain data. They can either deliberately sell this information, or accidentally pass to attackers data that helps them obtain the information they are looking for.

Insiders also include contractors who are not company employees but have access to its information: an outsourced development team or a contract organization, for example.

Andrey Slobodchikov
Information Security Expert of the League of Digital Economy

Leaks within an organization can be divided into two categories: intentional and unintentional. The former are organized deliberately for self-serving purposes; the latter result from carelessness.

The main reason for accidental leaks is the lack of a corporate information security training system, including instructions for working with documents and classified data. Employees often exchange passwords and confidential information directly in instant messengers. This way, files can get into third parties' hands, especially if the messages are not protected by end-to-end encryption. In addition, users may forget to update the app on their devices and skip important patches that fix weaknesses. This significantly increases the risk of leaks.

The reasons may be simpler — careless conversation about work problems in a public place or forgotten documents on the office printer. The human factor can lead to information leakage from technical devices (storage servers, database management systems, etc.) due to errors during their configuration and installation.

Deliberate leaks do not always occur with malicious intent. Sometimes employees commit no malicious action, but simply keep silent about potential threats that can cause serious damage to the company. In other cases, employees leak data because of conflicts with management, cooperation with competitors, or political views. To solve such problems, it is important to create internal information security departments and raise awareness among all employees.

How data leaks

There are many reasons why data can reach third parties. They can be divided into several large groups:
  1. Administrative causes. If a company has no regulations, policies, and instructions for working with data and for responding to a cyber incident, or if such documents exist only to be shown to the regulator, then there is no real data protection.
  2. Social causes. The most common weak spots are weak or compromised passwords, excessive access rights, and insufficient training in the basics of cybersecurity.
  3. Technical causes. Any infrastructure contains vulnerabilities, zero-days at the very least. Even known vulnerabilities are not simple to deal with, because the latest patches and updates have to be installed promptly, and that also takes time. This group also covers the operation of networks that are already infected with malware.

These causes point to the two most popular "tools" of intruders: vulnerability exploitation and social engineering. Sometimes attackers combine the two, as a rule in targeted attacks, which are focused on a specific company and can proceed along several vectors at the same time.

Security measures

It is almost impossible to protect yourself from data leakage one hundred percent, except in companies and institutions where data security takes priority over the ability to use the data effectively.

However, you can significantly reduce the risk of leakage. The first step is to create and maintain a security policy that is actually used, one that sets out the roles, actions, instructions, and responsibilities of employees. This set of documents should not only meet state requirements but also have an "adapted" version that an employee can actually study without spending a week on the abbreviations alone.

The next step after creating the regulatory documentation is training. Periodic training is most effective when an employee takes the course several times a year, which keeps their knowledge of social engineering trends and methods current. The effect is most visible with phishing, where new "methods of influence" appear almost every week.

The third step is effective administration. This includes the use of various security tools, encryption tools, and traffic analysis tools. The minimum measure, which can be taken at almost no cost, is an adequate distribution of privileges in the company's information systems: each account gets only the access it needs for its job.

What should I do if an information leak occurs

Responding to a data leak is complicated by the fact that the company may learn of it not at the time of the incident but much later, when the attackers publish the data or approach the company with ransom demands in exchange for not disclosing it.

Ivan Korol
Anwork Software Developer

In no case should the fact of a leak be hushed up. According to a PwC study, the majority of clients of Russian companies are concerned about the theft of their personal data and want to know when it happens. According to the survey, 88% of users will stop purchasing products or services of an organization that does not care about the safety of personal information and hides security problems from its customers.

The more openly a business acts in the event of a leak, the more trust it will retain both from customers and from partners, since today no company, including public services, is immune to such a risk. This position is particularly relevant for companies operating in the healthcare, pharmaceutical, services and IT, telecom, and banking sectors.

The most important thing is to reconstruct the attackers' sequence of actions and to close the gaps in the protection that they used. At the same time, hasty actions during the response to a leak can only do harm. For example, restoring a system from a backup will most likely overwrite the attacker's traces (logs, modified files, persistence mechanisms), and it will become much harder to reconstruct the sequence of actions during the cyber attack.
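The caveat above about preserving the attacker's traces, as an added example that is not part of the original article: a small Python script that hashes and archives the relevant log files before anyone restores or rebuilds the system, and later checks whether the originals have been touched. The directory layout, the sample log lines, and the output file names are assumptions constructed for this example.

```python
"""Preserve evidence before a restore: hash and archive log files so that the
attacker's trail survives even if the system is rolled back later.
Added example, not from the article; paths and sample data are assumptions."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample logs (not real data) used by demo().
SAMPLE_LOGS = {
    "auth.log": "Jan 01 00:00:01 host sshd[412]: Accepted password for root from 198.51.100.7 port 51022\n",
    "nginx/access.log": '198.51.100.7 - - [01/Jan/2024:00:00:05 +0000] "GET /admin HTTP/1.1" 200 512\n',
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(source_dir: Path, out_dir: Path) -> Path:
    """Archive every file under source_dir and write a manifest of hashes.

    The hashes are taken from the originals before anything else happens, so
    any later change to a log (by a restore, rotation, or the attacker) can be
    detected. Returns the path of the manifest.
    """
    out_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    entries = {}
    for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(source_dir).as_posix()
        entries[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    archive = out_dir / f"evidence-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname="evidence")
    manifest = out_dir / f"evidence-{stamp}.manifest.json"
    record = {
        "collected_utc": stamp,
        "source": str(source_dir),
        "archive": archive.name,
        "archive_sha256": sha256_file(archive),  # lets the archive itself be verified later
        "files": entries,
    }
    manifest.write_text(json.dumps(record, indent=2, sort_keys=True))
    return manifest


def verify_manifest(manifest: Path, source_dir: Path) -> list:
    """Return the relative paths whose current hash no longer matches the
    manifest, or which are missing. An empty list means the originals are intact."""
    record = json.loads(manifest.read_text())
    changed = []
    for rel, meta in record["files"].items():
        path = source_dir / rel
        if not path.is_file() or sha256_file(path) != meta["sha256"]:
            changed.append(rel)
    return changed


def demo() -> dict:
    """Run the workflow on the constructed sample logs in a temporary directory.

    Returns the verification result right after collection (expected: nothing
    changed) and again after auth.log is blanked to simulate a careless restore.
    """
    work = Path(tempfile.mkdtemp())
    src = work / "logs"
    for rel, text in SAMPLE_LOGS.items():
        p = src / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    manifest = preserve_evidence(src, work / "evidence")
    before = verify_manifest(manifest, src)
    (src / "auth.log").write_text("")  # simulate a restore wiping the log
    after = verify_manifest(manifest, src)
    return {"manifest": str(manifest), "changed_before": before, "changed_after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the manifest path and the two verification results. In a real response the archive and manifest go to storage the attacker cannot reach (and ideally a second copy with a timestamp from an independent system), and collection happens before any restore, rebuild, or log rotation.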

It is also important to notify the relevant agencies and companies that can help limit the damage from the leak. For example, if your customers' payment details were stolen, notify the bank or payment provider so the affected cards can be monitored or blocked. Among other things, this approach also reduces the reputational risk for the company.