As advances in technology accelerate, providing us with innumerable benefits, so too do they provide greater opportunities for fraudsters, digital criminals and opportunists. Most organisations understand the punitive consequences of data breaches but need to share data, so how can we continue to minimise the risks of data sharing?
Inconvenient as it may be, data is the modern-day gold. Increasingly, we need to share more data more often as more and more organisations digitalise. It’s unavoidable.
Nowadays, hackers invent new ways of breaching company systems, physical or digital, almost as frequently as data breaches occur. With the rise of artificial intelligence, security risks will rise further, making it ever more critical to create a data-sharing framework that defends against and mitigates potential cyber threats.
Ransomware, phishing and distributed denial of service have been around a while and remain a major threat, but hackers are quite the creatives, inventing ever-cleverer ways to dupe us.
Man-in-the-middle (MitM) attacks are another significant threat, where cybercriminals intercept data while it’s being transmitted between parties, especially over unsecured networks.
“Phishing and social engineering attacks present major risks, as attackers use deceptive tactics to trick employees into revealing credentials or sharing sensitive information without realising it,” says Darren Guccione, CEO and Co-founder of Keeper Security.
So-called CEO fraud, where people mimic the real CEO either via emails, deepfake visuals or audio, is increasing as criminals deploy more AI tools. Worryingly, insider threats – whether from malicious or negligent employees – are just as high risk as external attacks. Regular internal monitoring is just as important as external defences.
Using free data transfer sites and uploading files over unsecured networks are both common ways that employees can fall down on data-sharing security. It’s therefore vital that robust controls, operations and procedures are in place and that all staff are aware of them.
Minimising the data that companies store is another major issue to consider. It has never been easier to hoard data, so organisations must have a data minimisation strategy to cut risks.
Craig Kennedy, Head of Cyber Risk at Lockdown Cyber Security, says: “Some organisations are holding data they don’t need. This can needlessly exacerbate data breaches and, of course, increase the potential sanctions that they face if the data is compromised.”
Operational issues are key in any data-sharing policy. Where is your data being transferred to? Are there any socio-economic or political reasons why it would be unwise to transfer data?
“In cyber security, a lot of faith is placed on technical solutions. People think ‘we've got respectable cyber-security solutions, so we'll probably be fine’. That’s part of it. But it would be quite easy to sleepwalk into a legal or regulatory issue if you don’t properly understand the legal, regulatory and operational aspects of cyber security as well,” Kennedy says.
Organisations should consider a multi-layered approach to data security. This includes adopting a zero-trust architecture where every data access request is validated and authorised, reducing the risk of unauthorised access.
“Organisations need flexible and scalable access controls as internal and external data sharing becomes essential. Attribute-based access control (ABAC) offers a dynamic solution, considering multiple factors – such as the data object, user, and purpose of access – ensuring that only authorised users can access the right data, at the right time and for the right reasons. This simplifies compliance with regulations and secures data sharing,” says Becky Stables, Data Management Expert at Catalyst BI.
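An added illustration of the attribute-based decision described above, not code from the article or from any product named in it: a deny-by-default check over user, data object, purpose and time. The attribute names, the policy table and the permitted-hours window are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRequest:
    user_dept: str              # attribute of the user
    user_clearance: int         # 0 = public ... 3 = restricted
    object_owner_dept: str      # attribute of the data object
    object_classification: int  # same scale as clearance
    purpose: str                # declared reason for access
    when: datetime              # time of the request


# Constructed policy: purposes a department may claim on another department's data.
ALLOWED_PURPOSES = {
    ("finance", "finance"): {"billing", "audit"},
    ("analytics", "finance"): {"audit"},
}
PERMITTED_HOURS = (time(8, 0), time(18, 0))  # assumed window, weekdays only


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every rule must pass; anything else is denied."""
    if req.user_clearance < req.object_classification:
        return False, "clearance below classification"
    purposes = ALLOWED_PURPOSES.get((req.user_dept, req.object_owner_dept), set())
    if req.purpose not in purposes:
        return False, "purpose not permitted"
    start, end = PERMITTED_HOURS
    if req.when.weekday() >= 5 or not (start <= req.when.time() < end):
        return False, "outside permitted hours"
    return True, "all attribute checks passed"


def demo() -> list[tuple[bool, str]]:
    """Evaluate one constructed request and three variants that each break one rule."""
    base = AccessRequest("analytics", 2, "finance", 2, "audit",
                         datetime(2024, 3, 5, 10, 0))  # a Tuesday morning
    variants = [
        base,
        replace(base, purpose="marketing"),
        replace(base, when=datetime(2024, 3, 9, 10, 0)),  # a Saturday
        replace(base, user_clearance=1),
    ]
    return [decide(r) for r in variants]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Returning the reason alongside the decision gives each denial an auditable explanation, which is what makes this kind of rule useful as compliance evidence.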
A multi-layered approach assumes no implicit trust and continuously verifies both users and devices. Even what might seem like basic solutions, such as password managers, can enhance security by generating and storing complex, unique passwords for each system, further reducing the risk of a breach.
“Password managers can also securely share credentials with authorised users, ensuring that sensitive data is accessed only by those with proper authorisation and that passwords are transmitted securely,” Guccione says.
Security training for all
Regular organisation-wide cyber-security training is vital. Human errors remain a principal cause of many breaches, such as leaving sensitive documents or devices in unsafe places, or letting unknown people into offices.
Karen Morrall, CEO of Lockdown Cyber Security, says: “People often think that cyber security only concerns outside criminals. It doesn’t – the insider threat can be very real. Data can be taken and shared without permission, for example when some staff leave an organisation they may take some of your data with them without your permission. Staff may be incentivised or coerced by bad threat actors to assist them to gain illegal unauthorised access to your data, information or systems, by plugging in malicious software into computer systems, allowing them access, or sharing passwords or deliberately clicking on phishing links. This might be directly for monetary gain or for some sort of reward, or to cause harm or disruption.”
Staff ought to know how to recognise phishing attempts, how to follow secure data-handling practices and why strong passwords matter. Regularly reviewing and updating access permissions based on job roles and responsibilities is also critical to guarantee that only authorised personnel are able to access sensitive data. Staff must also know the basic physical risks.
“Employees should also be trained on the company’s Acceptable Use Policy, the proper methods for sharing sensitive information and how to handle work data on personal devices securely. This policy must clearly define the boundaries for how employees and third parties can access, use and share company data,” says Adam Pilton, Senior Cyber Security Consultant at CyberSmart.
Ultimately, secure data sharing must be a continuously collaborative effort. Collaboration ensures a comprehensive view of data-sharing practices, including security risks. Data security is only set to grow in importance, meaning all organisations must be aware of not just the technical risks but also the physical and operational ones.