Now more than ever, organisations understand the importance of information security and data governance.
The GDPR (General Data Protection Regulation) and similar laws have imposed strict rules on the ways organisations must protect the information they process.
Anyone who fails to take appropriate steps could face sizeable penalties and be left dealing with the reputational damage accompanying a data breach.
One of the most severe types of data breach is data theft and interception. This blog explains why it poses such a serious problem, and how you can mitigate the risk.
What is data interception and theft?
Data interception and theft are two ways that an unauthorised actor can access an organisation’s sensitive information.
Both terms describe the improper access of information, but there is a slight difference between ‘data interception’ and ‘data theft’.
Data theft refers to any way sensitive information is compromised, whereas data interception is a specific type of data theft, referring to information that is captured during transmission.
An example of data interception is a MITM (man-in-the-middle) attack.
This is a hacking technique that exploits how data is shared between a website and a user’s device – whether that’s their computer, phone or tablet.
When an attacker compromises an Internet router, they can intercept the victim's transmitted data and, where that traffic is unencrypted or they can decrypt it, read anything that the victim accesses online.
Meanwhile, data theft can be any way that someone obtains sensitive information. For example, a criminal hacker might break into an organisation’s systems or steal an employee’s USB drive.
Data theft isn’t limited to cyber attacks. It can also happen when an unauthorised actor discovers records that have been improperly disposed of or when someone uses social engineering techniques to enter the premises and gain access to classified data.
Data theft can also occur unintentionally. Employee error is a leading cause of data theft, and might happen when an employee takes home a file containing sensitive information and misplaces it.
How to prevent data interception and theft
1. Create password policies
Cyber criminals almost always begin their attacks by trying to capture an employee’s password.
There’s no need to spend time searching for vulnerabilities if you can find a leaked password online or trick an employee into handing over their details with a scam email.
It’s why organisations must adopt secure password policies.
They are simple to produce and ensure that employees understand the importance of creating strong, unique passwords and taking appropriate steps to protect them.
2. Identify and classify sensitive data
Information classification is a process in which organisations assess the data that they hold and the level of protection it should be given.
Organisations usually classify information in terms of confidentiality – i.e. who is granted access to see it.
A typical system will comprise four levels: public, internal, restricted and confidential.
Classifying data in this way limits who has access to – and who could potentially compromise – sensitive information.
3. Train your staff to understand the importance of data security
The measures we’ve described so far only work if employees understand their information security obligations.
Organisations must provide regular staff awareness training that explains information security best practices.
This training should be conducted whenever a new starter joins and be repeated once or twice a year to ensure that the knowledge remains fresh.
4. Properly dispose of sensitive data
Paper records must be shredded when you no longer need them.
This ensures that unauthorised personnel cannot view the information once it has left the organisation’s premises.
Likewise, organisations must wipe the memories of computers, phones and tablets before throwing them out or recycling them.
5. Seed your data
Data seeding is the practice of planting synthetic details in a database. It's generally done to monitor how information is being used and to identify unauthorised access. If the seeded data is used, you will be notified of how and when the unauthorised access occurred.
This helps organisations detect and address breaches, and can also act as a preventive measure.
If employees know that an organisation can identify the source of stolen information, they are less likely to attempt anything untoward.
Data seeding can also be used as proof of ownership, ensuring you know when data has – or hasn’t – come from your systems.
Additionally, it can be used for process assurance, helping you follow a known user’s journey and the data flow.
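The following is an added illustration of the seeding idea described above, not DQM GRC's tooling: each released copy of a customer list gets its own synthetic seed contacts, so that when a seed address later turns up in a campaign or a leaked file, the hit can be traced back to the copy it was planted in. The customer records, the HMAC key and the example.com seed addresses are all constructed assumptions.

```python
import hashlib
import hmac

# Assumption: a secret key known only to the data owner, so seed addresses
# cannot be guessed or forged by whoever receives the data.
SECRET_KEY = b"constructed-example-key"

# Constructed sample data set (not real customers).
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.org"},
    {"name": "Bob Example", "email": "bob@example.org"},
]


def make_seed(copy_id, n):
    """Create one synthetic seed record that is unique to a released copy."""
    tag = hmac.new(SECRET_KEY, f"{copy_id}:{n}".encode(), hashlib.sha256).hexdigest()[:10]
    # example.com is reserved, so the owner can control what happens to mail sent there.
    return {"name": f"Seed Contact {n}", "email": f"seed-{tag}@example.com"}


def seed_dataset(records, copy_id, count=3):
    """Return the data set with seeds planted and a registry mapping seed -> copy."""
    seeds = [make_seed(copy_id, i) for i in range(count)]
    released = [dict(r) for r in records] + seeds
    registry = {s["email"]: copy_id for s in seeds}
    return released, registry


def attribute_leak(observed_emails, registry):
    """Map addresses seen in a campaign or leak back to the copy they were seeded into."""
    hits = {}
    for email in observed_emails:
        if email in registry:
            hits.setdefault(registry[email], []).append(email)
    return hits


if __name__ == "__main__":
    # Two partners each receive their own seeded copy; the owner keeps the registry.
    copy_a, reg_a = seed_dataset(CUSTOMERS, "partner-a")
    copy_b, reg_b = seed_dataset(CUSTOMERS, "partner-b")
    registry = {**reg_a, **reg_b}
    # Constructed "marketing campaign" recipient list that turns out to be partner-b's copy.
    campaign_recipients = [r["email"] for r in copy_b]
    print(attribute_leak(campaign_recipients, registry))
```

Because the seeds are derived with a keyed hash, a recipient cannot tell seed rows from genuine ones, and a file that contains no seed addresses from any copy is evidence the data did not come from a seeded release.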
You can find out more about data seeding with DQM GRC’s dedicated data seeding services.
These services have been used successfully for the past 20 years to track the use of valuable data assets on behalf of their owners.
Our team will create and share unique seed records with you, which you can insert into your data sets – or we can manage the process for you.
Once the seeds are in place, we will monitor any contact made with them.
If your data is stolen or misused, we can help you investigate and remediate the breach, protect your data subjects and take action against whoever is responsible.
We will also provide you with a detailed monthly report setting out the ways your data has been used, as agreed with you.
This typically includes the channels that were used, the time and date on which the use was identified, and evidence of the use, such as an image of a marketing campaign.