Security Think Tank: Tighten data and access controls to stop identity theft

A data breach at a company or enterprise can lead to identity theft where the breach involved the exfiltration of company data that included data relating to people – personal and personally sensitive information.

The situation can be made far worse for the enterprise suffering such a breach where the initial attack has been coupled with the encryption of the company’s data and a ransom demand.

Such is this form of attack that, if successful, it means the enterprise would have to recover from two major incidents simultaneously where the overall risk profile is much larger than the sum of the individual risk profiles. 

Given this scenario, what steps can an enterprise take to lessen the risks? The starting point is to accept that such attacks are possible and so the first thing to do is to recognise that different data types need to be kept separate to limit data exfiltration opportunities.

The follow on from segregating different data types is the application of strict access controls to each data type (“need to know” principle) and for certain types of data, such as that identified as “personally sensitive”, the application of encryption would be required.

Such encryption could be either at file level or data element level in a database, and so should protect any exfiltrated data from exploitation, assuming of course that good encryption standards and controls are used, such as FIPS 140-2 or later using the AES 256 algorithm.

The above measures, coupled with good basic security hygiene, will go a long way to mitigate the risks associated with the breach scenario discussed above. So what is good basic security hygiene?

• General staff are not given any form of administrator privilege, even on their own PC or laptop.
• Password policy requires a complex password and is enforced at network level.
• Administrator privileges only given to competent IT staff.
• IT staff with administrator privileges are given two IDs, one solely for administrative work and one for day-to-day office tasks, such as email or report writing.
• Firewall-type functions are employed within the IT infrastructure to segregate and control access to the different data types.
• IT infrastructure is fully maintained to the latest supported software levels and patches.
• IT infrastructure and data stores are regularly backed up with copies both off-site and on-site.
• IT infrastructure and supporting policies are regularly audited (at least annually) against good security standards, such as ISO 27001 or Cyber Essentials Plus. In addition, IT Security Health Checks (ITSHC) and external penetration tests are undertaken more frequently. Here I suggest at least six-monthly for an ITSHC and at least monthly for an external penetration test. My preference, though, would be monthly ITSHCs and weekly or daily external penetration tests.
• I also recommend regular reference be made to the National Cyber Security Centre for up-to-date guidance.