Since TalkTalk’s data breach in October 2015 it feels as though stories of hacking have become more and more commonplace. The truth is that malicious and accidental data leakages have been happening for the last twenty years, but with the massive increase in unstructured data, and in files being shared both internally and externally through SharePoint and a range of cloud-based tools, the exposure of UK businesses has intensified over the last decade.


Surprisingly for some, the health sector is the most affected sector in the UK according to the ICO, and this was typified last week by reports that NHS patient records had been left open to people with no reason to see them.

According to the Telegraph online, “the medical records of 26 million patients are embroiled in a major security breach amid warnings that the IT system used by thousands of GPs is not secure.

The Information Commissioner is investigating concerns that records held by 2,700 practices – one in three of those in England – can be accessed by hundreds of thousands of strangers.”


With a breach on this scale affecting millions across the UK, what should companies and individuals take from it?

Firstly, information sharing is part and parcel of a growing business and economy, and it is not slowing down any time soon. Businesses shouldn’t discourage information sharing (obviously), but they do need to understand every way in which they share data: across departments, with external suppliers, and with partner organisations.

This goes right to the top of the business. CEOs and senior management are among the most attractive targets for malicious attacks and also among the biggest sources of accidental data leakage, because they assume they should have access to every folder in the company since ‘they’re the boss’. The reality is that no matter what position you hold within the business, you should only have visibility of the data you actually need to do your job, and no more. That is the principle of least privilege, and an account that can read everything is exactly the account an attacker wants to phish.

In the NHS case it was the GPs themselves who, by enabling a sharing setting whose reach they did not understand, left their records accessible to thousands of strangers:


“Unbeknown to doctors, switching on “enhanced data sharing” – so records could be seen by the local hospital – meant they can also be accessed by hundreds of thousands of workers across the country.

It means receptionists, clerical staff, healthcare assistants and medics working in pharmacies, hospitals, GP surgeries, care homes and prisons can look up sensitive information about individuals – even if there is no medical reason to do so.” Source: Telegraph Online

This clear case of human error leads us on to our second point: spend more on cyber security training for employees across the board, not just for the IT team.

Typically, over 90% of a cyber security budget gets spent on firewalls and other technology at the perimeter to stop ‘the bad guys’ getting in, yet by most estimates human error is the cause of around 90% of breaches and leakages. The single most valuable lesson is still the simplest one: DON’T CLICK THE LINK.

You can have the best cyber defences in place, but if your receptionist, who has been given no training, clicks on a link or attachment from an untrustworthy source, all that money might as well have been spent on the Christmas party instead.

Even more importantly, don’t assume that your receptionist, or anyone else in your company for that matter, would never deliberately breach your data. According to a 2015 McAfee report, internal stakeholders were responsible for over 40% of all data breaches, and, more concerning still, half of those were intentional.


That’s why more and more businesses are looking to identity and access management (IAM) solutions to manage permission structures (including the certification and periodic re-certification of who is entitled to what), to monitor who is accessing which data, and even to plant “honeytraps”. Leading IAM software vendor SailPoint describes this as planting fake sensitive data in certain locations so that you can see who tries to reach those folders, and ask why: a decoy file has no legitimate reader, so any access to it is a signal worth investigating.
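The following is an added example, not code from the original post or from any IAM vendor, showing how the three controls above look once they are reduced to something a practitioner can run: it reads a constructed file-share audit log (the format, the share paths, the roles and the idea that each log line already carries the user's role are all assumptions made for the example; real logs would be joined to a directory to get the role), flags any touch of a honeytoken path, flags reads or writes outside what the user's role is entitled to, and lists entitlements that nobody with the role used, which are the ones to challenge at re-certification.

```python
"""Access review over a file-share audit log: honeytoken hits, out-of-role
access, and entitlements nobody uses (candidates for re-certification)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical entitlement model for this example: share roots each role may use.
ENTITLEMENTS = {
    "finance":   {"/shares/finance"},
    "hr":        {"/shares/hr"},
    "reception": {"/shares/frontdesk"},
    "ceo":       {"/shares/board"},
    "legal":     {"/shares/legal"},
}

# Decoy files with no legitimate reader; any access at all is a signal.
HONEYTOKENS = {
    "/shares/hr/payroll_2016_FINAL.xlsx",
    "/shares/board/merger_targets.docx",
}

# Constructed sample audit lines for this example; not taken from any real system.
SAMPLE_LOG = """\
2017-03-14T09:01:12Z share-fs01 READ user=alice role=finance path=/shares/finance/q1.xlsx
2017-03-14T09:02:44Z share-fs01 READ user=bob role=reception path=/shares/frontdesk/visitors.csv
2017-03-14T09:05:01Z share-fs01 READ user=bob role=reception path=/shares/hr/payroll_2016_FINAL.xlsx
2017-03-14T09:07:30Z share-fs01 READ user=carol role=ceo path=/shares/finance/q1.xlsx
2017-03-14T09:08:10Z share-fs01 READ user=carol role=ceo path=/shares/board/strategy.pptx
2017-03-14T09:09:55Z share-fs01 WRITE user=dave role=hr path=/shares/hr/contracts/dave.pdf
2017-03-14T09:11:02Z share-fs01 READ user=dave role=hr path=/shares/board/merger_targets.docx
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<op>READ|WRITE) user=(?P<user>\S+) "
    r"role=(?P<role>\S+) path=(?P<path>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str   # "honeytoken" or "out_of_role"
    user: str
    role: str
    path: str
    ts: str


def parse(log_text):
    """Yield parsed events; lines that do not match the expected format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def _under(path, root):
    """True if path is root itself or lies beneath it (no prefix tricks like /shares/hr2)."""
    return path == root or path.startswith(root + "/")


def review(log_text, entitlements=ENTITLEMENTS, honeytokens=HONEYTOKENS):
    """Return findings: every honeytoken touch and every access outside the role's shares."""
    findings = []
    for ev in parse(log_text):
        path = ev["path"]
        if path in honeytokens:
            findings.append(Finding("honeytoken", ev["user"], ev["role"], path, ev["ts"]))
        if not any(_under(path, root) for root in entitlements.get(ev["role"], ())):
            findings.append(Finding("out_of_role", ev["user"], ev["role"], path, ev["ts"]))
    return findings


def unused_entitlements(log_text, entitlements=ENTITLEMENTS):
    """Entitled share roots that no holder of the role touched in the log window.
    These are the entitlements to question at the next re-certification."""
    used = defaultdict(set)
    for ev in parse(log_text):
        for root in entitlements.get(ev["role"], ()):
            if _under(ev["path"], root):
                used[ev["role"]].add(root)
    return {role: roots - used[role]
            for role, roots in entitlements.items() if roots - used[role]}


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.ts} {f.kind:<12} {f.user} ({f.role}) -> {f.path}")
    print("unused entitlements:", unused_entitlements(SAMPLE_LOG))
```

On the sample log this produces five findings: bob (reception) and dave (hr) each trip a honeytoken and are also outside their role, and carol, the CEO, is flagged for reading a finance file she is not entitled to, which is exactly the ‘I’m the boss’ pattern described above. The legal role’s share is entitled but never used, so it is listed for re-certification. The honeytoken check is deliberately independent of the entitlement check: a decoy placed inside a user's own share would still fire, which is the point of planting it there.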

The people trying to exploit and monetise your most sensitive information are becoming more skilled, so the techniques used to prevent and detect breaches need to become more comprehensive too.

In summary, as long as sensitive data and information can be monetised, breaches from both inside and outside the organisation will be attempted. For private and public sector organisations alike, reducing the attack surface as far as possible is critical, and being able to detect attacks when they happen is paramount.

Whether you’re the NHS or a sole trader, make sure you’re not next on the hit list.