Data Breaches: They Don’t Just Happen in the Data Center
Last year was marked as the year of ransomware and data breaches, with both topics making the headlines in mainstream media. Also making news was the General Data Protection Regulation (GDPR), which to some degree links these two topics together. Laptops, not data centers, are often the entry point into an organization for malware, and it’s generally these devices, also known as endpoints, that are the initial target. Once infected, laptops form a beachhead from which malware spreads throughout the organization, whether for profit or mischief.
For a would-be cyber criminal, encrypting user data on just one laptop is extremely unlikely to bring a business to its knees, but it does beg the question: exactly what data is being encrypted? Some personal data, for sure, and maybe a contraband episode or two of "Game of Thrones," in addition to that all-important business data. The exposure in this case is limited to lost productivity, maybe a week or two for the affected individual, with the actual impact varying largely by their role.
But what if the crypto-locker encrypted a spreadsheet of a sales database export with 30,000 names on it? Or some medical files with Personally Identifiable Information (PII)? Perhaps some resumes, or financial records too. The truth is that it wouldn’t matter at all from a ransomware perspective. However, the presence of that data matters a great deal, given the risk of breaching GDPR or any number of other regulations regarding personal data and privacy.
Consider instead that the laptop is lost or stolen and not attacked by ransomware. Now consider that some personal data from that laptop is found up for sale on the dark web, and that it’s tracked back to your business. From this point, most people "in the know" would speculate that your conversations with the regulator aren’t going to go well.
Now think about the same thing happening, but instead you have Commvault’s laptop backup system with its compliance and data-loss prevention capabilities. This means you can accurately assess your exposure and reduce risk, so when a laptop is reported missing:
- You can use geo-location to alert the authorities
- Remote-wipe the laptop to mitigate the risk
- Use the compliance index to profile the backup data for PII
The last bullet is extremely important. With the information from the compliance search, you can alert the regulator straight away (within 72 hours) and ensure you are also able to alert those affected without undue delay, if needed.
This leads to a different kind of conversation with the regulator. This is only part of the story though. The same system can help you reduce the risk in the first place, even from malware whose aim is to leak data, not encrypt it.
- You can profile data on laptops to alert users that they have sensitive data that should not be there
- For staff who need sensitive data to do their jobs, you can remotely encrypt it, with no impact to them
- You can detect cloud sync-and-share replication services and send alerts if they are not supported
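To make the PII profiling behind the third bullet above and the first bullet here concrete, the following added example (not Commvault code, and not its index format) scans a constructed backup index for common PII patterns and produces a per-laptop exposure summary of the kind you would want in hand when a device goes missing. The index structure, the pattern set, and the sample file contents are all assumptions made for the example; the 72-hour figure is the notification window the post cites.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a simplified stand-in for what a backup/compliance
# index might hold for two laptops (path -> indexed text). Hypothetical data.
SAMPLE_INDEX = {
    "laptop-sales-07": {
        "exports/customers_q3.csv": (
            "name,email,phone\n"
            "Ada Lovelace,ada@example.com,+44 20 7946 0958\n"
            "Alan Turing,alan.turing@example.org,+44 161 496 0000\n"
        ),
        "notes/todo.txt": "Renew parking permit. Call facilities about the printer.\n",
    },
    "laptop-eng-12": {
        "src/main.c": "int main(void) { return 0; }\n",
        "personal/receipt.txt": "Paid with card 4111 1111 1111 1111 on 2023-05-01\n",
    },
}

# Pattern set is an assumption: a real compliance index would carry many more
# classifiers (national IDs, medical record numbers, addresses, ...).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{1,3}[ \d]{8,14}\d"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

NOTIFY_WINDOW = timedelta(hours=72)  # GDPR notification window cited above


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters card-like digit runs that are just noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def profile_file(text: str) -> dict:
    """Count PII hits per kind in one indexed file; empty dict if clean."""
    counts = {}
    for kind, rx in PATTERNS.items():
        matches = rx.findall(text)
        if kind == "card":
            matches = [m for m in matches if luhn_ok(re.sub(r"\D", "", m))]
        if matches:
            counts[kind] = len(matches)
    return counts


def profile_device(files: dict) -> dict:
    """Map each file holding PII to its per-kind counts."""
    return {path: c for path, text in files.items() if (c := profile_file(text))}


def exposure_summary(index: dict) -> dict:
    """Per-device view: which files, how many records, which PII kinds,
    and whether the loss of that device would warrant regulator contact."""
    summary = {}
    for device, files in index.items():
        files_hit = profile_device(files)
        records = sum(sum(c.values()) for c in files_hit.values())
        kinds = {k for c in files_hit.values() for k in c}
        summary[device] = {
            "files": files_hit,
            "records": records,
            "kinds": kinds,
            "notify": records > 0,
        }
    return summary


def hours_remaining(discovered_iso: str, now_iso: str) -> float:
    """Hours left in the 72-hour window, measured from when the loss was discovered."""
    deadline = datetime.fromisoformat(discovered_iso) + NOTIFY_WINDOW
    return (deadline - datetime.fromisoformat(now_iso)).total_seconds() / 3600


if __name__ == "__main__":
    for device, info in exposure_summary(SAMPLE_INDEX).items():
        flag = "NOTIFY" if info["notify"] else "clean"
        print(f"{device}: {info['records']} PII record(s) in {len(info['files'])} file(s) "
              f"[{', '.join(sorted(info['kinds'])) or '-'}] -> {flag}")
    print("hours left:", hours_remaining("2024-01-01T09:00:00", "2024-01-02T09:00:00"))
```

The profiling is deliberately done against the backup index rather than the device, which is the point of the bullets: the report is available whether or not the laptop is, and it tells you which device, which files and which categories of personal data are in scope before the regulator conversation starts.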
You can, of course, use technology to lock down systems and laptops, and for many that might be preferable, but it also stifles flexibility and productivity. And unless you stop any kind of local storage, you are still open to leaks of PII/personal data.
The choice NOT to protect laptops in this way has traditionally been a "head in the sand" approach at best, with most organizations still focusing exclusively on their data centers. However, in light of data breaches from ransomware and GDPR, it’s now something that can no longer be ignored, especially when it provides an additional alerting function for ransomware attacks that could prevent production systems from being taken down.