Data Privacy: Threats to our data are on the rise, here’s how to protect it

Irish Tech News Byline – Data Privacy Day. By Neil Thacker, Chief Information Security Officer (CISO) EMEA at Netskope.

Our world is undergoing rapid digital transformation, driven by cloud and SaaS app adoption and, most recently, the AI boom.


The workforce demands speed and efficiency, with the average employee engaging with countless applications every month. However, the pace of technological advancement has caused a surge in cyber threats, and it’s putting enterprises and their data at risk. The average number of enterprise apps used every month is rising by 19% each year, and these apps are increasingly entwined with day-to-day business practice.

Malicious actors have capitalised upon this, drawn by a honeypot of private, confidential and sensitive data. No organisation is exempt from this threat, and the 2021 Health Service Ireland (HSE) ransomware attack, which caused all of its IT systems nationwide to be shut down, is a reminder of this reality. The lasting impact of the data breach was widespread, with ‘names, addresses, mobile numbers’ accessed by attackers and medical services seriously disrupted.

Recognising the tactics
Social engineering, the act of manipulating a victim to perform risky behaviour that helps give bad actors access to data and systems, is a highly common route for attackers to gain initial access to organisations. It can be broken down into two common tactics: tricking employees into downloading Trojans, and using phishing to prompt people into unknowingly sharing sensitive information.

Trojans are often found lurking on popular SaaS apps. As the most popular app used by enterprises, Microsoft OneDrive is also the most popular vessel for threat actor activity. It’s easy for an attacker to create their own OneDrive account to host malware and share a link with their victims without looking suspicious. The attacker presents a trusted OneDrive link that employees wouldn’t think twice about clicking during the working day, and once the Trojan is downloaded it can cause havoc for an entire company network.

For this reason, any application that provides free file hosting services is a platform likely to be abused by attackers. Security teams should be extra vigilant toward the most popular services, including cloud storage apps such as Microsoft OneDrive or Google Drive, and file sharing services such as DocPlayer or WeTransfer. Too often, rather than being extra vigilant about these popular apps, security teams actually exempt them from standard security controls. Attackers also use phishing techniques to steal private SaaS and cloud app credentials, either to use for themselves or to sell on the black market. It’s a serious concern: almost a third of employees were expected to click on a phishing link or comply with a fraudulent request in 2023.

The impact of AI

However, it’s not just the cloud and SaaS app revolution that is widening the attack surface for enterprises. The steep uptick in AI app use has also escalated concerns surrounding data privacy. Generative AI apps have rapidly permeated the fabric of many enterprises, and 92% of the Fortune 500 have used ChatGPT to streamline operations. The huge increase in generative AI app use, with ChatGPT setting the record for the fastest growing user base in 2023, has led to a cultural shift in how we view automation, with AI evangelists encouraging companies to treat the tool as a colleague. The pervasive nature of these tools has caused a spike in malicious activity.

Protecting your data
This year’s Data Privacy Day has been a reminder for organisations to prioritise their most important asset. Here are three steps businesses can take to keep data safe from criminal actors.

Adopt ‘Zero Trust’ principles

The Zero Trust model starts with an assumption: your system can be breached, and it will be breached. Following Zero Trust principles, you never take a request at face value; every single interaction is verified and held to the same standard. Most organisations are in the infancy of a ‘Zero Trust’ approach, but a good starting point is to take steps to verify not only the individual employee but also the device, their location and the activity they are undertaking.

Educate the workforce on threats in real-time

Most organisations take an annual approach to cybersecurity education. The efficacy of this education is questionable, with Lisa Plaggemier, the director of the National Cybersecurity Alliance, stating these trainings were an ‘epidemic of boringness.’

In reality, constant education is necessary to combat cyber threats. It is an impossible task for security teams to catch all risky behaviour across an enterprise, yet organisations can turn to AI-assisted security tools to identify and intercept risky behaviour before it happens. Using real-time employee coaching, employees can be prevented from uploading potentially sensitive information to cloud and AI apps and are presented with safer recommendations. It’s this 2-3 second coaching between the AI ‘smart layer’ and an employee that brings a potential data breach (and the extensive investigations that follow) to a halt.

Review app activity and behaviours to identify risks

To defend against attackers, enterprises should review the applications their employees use and block access to apps that serve no legitimate business purpose or that pose a disproportionate risk. Organisations can then create a bespoke policy to allow sanctioned and reputable apps currently in use, while blocking, or limiting the use of, all non-IT-managed apps and preventing potential data leakage. Policy should be granular so as not to interrupt business productivity – perhaps teams need access to less trustworthy apps to view data, but you can set policies to stop them downloading from or uploading to the app, for instance.
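The three steps above (verify user, device, location and activity on every request; coach employees in real time before a risky upload; apply granular per-app policy) can be tied together in a single decision function. The following is an added example written for this page, not Netskope's product or the author's code: the app catalogue, the tiers, the expected sign-in countries and the sample requests are all constructed, and the "sensitive content" check is a deliberately small stand-in (Luhn-validated card numbers and IBAN-shaped strings) for the classifiers a real data-protection layer would use.

```python
"""Toy policy engine: Zero Trust checks, granular app tiers and real-time coaching.

Added illustration for this article; nothing here is a real product's API.
"""
from dataclasses import dataclass
import re

# Constructed app catalogue. Anything not listed is treated as unmanaged.
#   sanctioned - IT-managed app; all activity allowed
#   coached    - in use but not IT-managed; viewing and uploads allowed,
#                uploads are scanned and the user is coached on findings
#   view-only  - reputable enough to read from, but no upload or download
APP_TIERS = {
    "corp-onedrive": "sanctioned",
    "genai-chat": "coached",
    "docplayer": "view-only",
}
ALLOWED_ACTIONS = {
    "sanctioned": {"view", "upload", "download"},
    "coached": {"view", "upload"},
    "view-only": {"view"},
}
# Constructed: countries this workforce is expected to sign in from.
EXPECTED_COUNTRIES = {"IE", "GB"}

# 13-16 digit runs with optional space/dash separators (card-number shaped).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Country code, two check digits, then 11-30 alphanumerics (IBAN shaped).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn check."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Label the kinds of sensitive data found in an upload (toy classifier)."""
    findings = []
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        findings.append("payment card number")
    if IBAN_RE.search(text):
        findings.append("IBAN")
    return findings


@dataclass
class Request:
    user_verified: bool     # identity proven for this request (e.g. MFA passed)
    device_managed: bool    # device enrolled and compliant
    country: str            # where the request originates
    app: str
    action: str             # "view", "upload" or "download"
    payload: str = ""       # content being uploaded, if any


def evaluate(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is "allow", "block" or "coach"."""
    # Zero Trust: every request is verified on user, device, location and activity.
    if not req.user_verified:
        return "block", "identity not verified"
    if not req.device_managed:
        return "block", "unmanaged device"
    if req.country not in EXPECTED_COUNTRIES:
        return "block", f"unexpected location {req.country}"

    # Granular app policy: the action, not just the app, decides.
    tier = APP_TIERS.get(req.app, "unmanaged")
    if tier == "unmanaged":
        return "block", f"{req.app} is not IT-managed"
    if req.action not in ALLOWED_ACTIONS[tier]:
        return "block", f"{req.action} not permitted on {tier} app {req.app}"

    # Real-time coaching: intercept a risky upload and point to a safer route.
    if tier == "coached" and req.action == "upload":
        findings = find_sensitive(req.payload)
        if findings:
            return "coach", ("upload contains " + ", ".join(findings)
                             + "; use corp-onedrive instead")
    return "allow", "policy satisfied"


if __name__ == "__main__":
    # Constructed sample requests, one per policy branch.
    samples = [
        Request(True, True, "IE", "corp-onedrive", "upload", "quarterly plan"),
        Request(True, False, "IE", "corp-onedrive", "view"),
        Request(True, True, "US", "corp-onedrive", "view"),
        Request(True, True, "IE", "random-share", "view"),
        Request(True, True, "IE", "docplayer", "download"),
        Request(True, True, "IE", "genai-chat", "upload",
                "card 4111 1111 1111 1111 is on file, draft a reply"),
    ]
    for s in samples:
        print(f"{s.app:14} {s.action:9} -> {evaluate(s)}")
```

The point of the split between `evaluate` and `find_sensitive` is that the Zero Trust checks run before any content is inspected: an unverified user or unmanaged device never reaches the coaching step, and a sanctioned app never triggers it, which is what keeps the policy granular without slowing ordinary work.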

With the rapid pace of technological change and emerging cyber threats, data has never been more valuable or more vulnerable. Let Data Privacy Day be a stimulus for you to assess how your organisation is protecting data, and set out on a path to greater security.

Neil Thacker, Chief Information Security Officer EMEA at Netskope

Neil has more than 25 years of experience in the information security industry and currently serves as EMEA CISO for Netskope. He has been recognised by his peers as a leader in the industry, including being selected in the CSO30 for 2022, shortlisted for an unsung hero award (CISO Supremo category) and awarded MVP in consecutive years (2021 & 2022) by his Netskope peers. Neil is an advisory board member of the Cloud Security Alliance (CSA) and a former advisor to ENISA, the EU Agency for Cybersecurity.

Neil is also co-founder and board member of the Security Advisor Alliance (SAA), a non-profit organization focused on promoting the industry to the next generation and ensuring that students, teachers, and schools have the resources and mentorship necessary to foster the cybersecurity professionals of the future. Neil is CISSP, CIPP/E and CEH certified and is a frequent speaker and author on cyber security, data
