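SealPath has always been committed to user security, and the new app fully meets enterprises' need for stronger control over secure data management. "The SealPath Information Protector app provides an advanced solution that lets users protect sensitive information intelligently. Mobile users can easily manage file security while ensuring compliance with corporate security policies," said Luis Ángel del Valle, CEO of SealPath Technologies.
This app is not only a major leap forward in file security technology; it also demonstrates SealPath's commitment to giving users the tools they need to meet data security challenges.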
Get to know CIS Security Control 3 v8 in depth: a set of security safeguards that help organizations protect data, the changes compared to v7, all the safeguards, and how to implement CIS Control 3 effectively.
A brief background about data breaches
IBM and the Ponemon Institute released a report on the cost of a data breach in 2022, surveying 550 breaches with data gathered from over 3,600 interviews across 17 countries, and the result was mind-blowing. The results show that the average data breach cost US$4.35 million in 2022, indicating that the figures have further risen from the $4.24 million recorded in 2021.
Every year, IBM statistics for the cost of data breaches indicate that the figures keep rising by at least 2.6 per cent, and numbers are expected to shoot up in the coming years. However, in the US, the figures are drastically different, as the average cost of a data breach was found to be $9.44M, more than double the global average. Find out how the data breach loss cost estimate is obtained.
The IBM report also showed the causes of most breaches, with stolen or compromised credentials accounting for 19% of breaches, phishing being responsible for 16%, and cloud misconfiguration causing 15% of breaches.
It’s essential for organizations to deploy a robust data protection strategy to reduce the possibility of a data breach or data leakage, which often leads to financial loss. The CIS Controls is a collection of the best data and computer security practices to mitigate attacks on cyber systems and networks.
CIS Security Controls v8, Data Protection
The CIS Critical Security Controls (CIS Controls) is a set of security Safeguards to help organizations mitigate the most prevalent cyber-attacks against computer systems and networks. These Controls are improved from time to time to address constantly evolving cyber threats and keep up with modern systems and technologies.
More specifically, CIS Control 3 focuses on ensuring data protection both in storage and when transmitted through data management for mobile devices and computers. The Controls map out processes and techniques to identify, classify, safely handle, retain, and dispose of data in a way that minimizes the risks of a data breach.
It’s no news that an organization’s data is no longer restricted to its borders. Some data are now stored in the cloud, shared with partners, transferred over portable end-user devices, and so on. This diverse handling of data opens it to more risks of attack, making data protection a great concern for organizations.
Although encryption offers a lot of protection to data, it doesn’t offer much help in the face of malicious actors with deep-rooted knowledge of how to get around encryption. As a result, organizations need to incorporate a holistic data protection strategy outlined by CIS Control 3 to strengthen their security and mitigate cyber-attacks.
Changes compared to v7: Data Protection is now Control 3
CIS Control 3v8 is a comprehensive revision of the 3v7 and contains safeguard updates to improve data security and reduce the risks of a breach. Some of the changes include:
– the addition of Service Provider Management Control: a new control that tackles the sensitivity of data in SaaS platforms, including their storage and processing.
– moving Data Protection from the number 13 spot to number 3 and adding five new Safeguards to this Control. These five new Safeguards are focused on managing and identifying data in a more secure approach to minimize vulnerabilities.
Other changes involved Controls such as Controls 4, 5, 6, 14, and so on.
What data protection safeguards does CIS Control 3 include?
Below are the safeguards of CIS Control 3:
3.1: Establish and Maintain a Data Management Process
Organizations should put in place an effective data management process that handles data sensitivity, ownership, storage, retention, backup, and disposal. The data management process should align with the regulations of your specific organization and be reviewed annually or whenever there’s a major policy change.
3.2: Establish and Maintain a Data Inventory
Your inventory outlines the type of data your organization produces, the degree of sensitivity, and how they’re retained and consumed. Typically, your inventory should reflect both structured data (e.g., data stored in databases) and unstructured data (e.g., documents and photos) to ensure a comprehensive data protection policy.
3.3: Configure Data Access Control Lists
Restricting each user’s access is a crucial part of data security, and each user should only have access to the data, applications, and systems on the organization’s network that they require to do their job. Having access to other than what they need (especially sensitive data) increases the risk of a data breach and security compromise, either deliberately or accidentally.
Regular review of access control lists should be done to detect and swiftly remove any unauthorized permissions that a user has, such as when they move to a new department, branch, or role.
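A periodic access review of the kind described above can be scripted. The following is an added example, not part of the original article; the role names, entitlement matrix, file paths and users are constructed for illustration.

```python
"""Access-review sketch for Safeguard 3.3 (constructed data, hypothetical names)."""
from dataclasses import dataclass

# Hypothetical entitlement matrix: role -> data classification -> permissions.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"financial": {"read", "write"}, "public": {"read"}},
    "sales-rep": {"customer": {"read", "write"}, "public": {"read"}},
}


@dataclass(frozen=True)
class AclEntry:
    user: str
    resource: str
    classification: str
    permission: str


def review_acl(entries, roster, entitlements=ROLE_ENTITLEMENTS):
    """Return (entry, reason) for every ACL entry the review should remove."""
    findings = []
    for entry in entries:
        role = roster.get(entry.user)
        if role is None:
            # Account no longer maps to a current employee or role.
            findings.append((entry, "user is not in the current roster"))
            continue
        allowed = entitlements.get(role, {}).get(entry.classification, set())
        if entry.permission not in allowed:
            findings.append(
                (entry, f"role '{role}' is not entitled to {entry.permission} "
                        f"on {entry.classification} data")
            )
    return findings


# Constructed sample: alice moved from finance to sales, carol has left.
SAMPLE_ROSTER = {"alice": "sales-rep", "bob": "finance-analyst"}
SAMPLE_ACL = [
    AclEntry("alice", "//fs01/finance/ledger.xlsx", "financial", "read"),
    AclEntry("alice", "//fs01/sales/accounts.csv", "customer", "write"),
    AclEntry("bob", "//fs01/finance/ledger.xlsx", "financial", "write"),
    AclEntry("bob", "//fs01/web/brochure.pdf", "public", "write"),
    AclEntry("carol", "//fs01/sales/accounts.csv", "customer", "read"),
]

if __name__ == "__main__":
    for entry, reason in review_acl(SAMPLE_ACL, SAMPLE_ROSTER):
        print(f"REMOVE {entry.user} {entry.permission} {entry.resource}: {reason}")
```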
3.4: Enforce Data Retention
Data should have minimum and maximum timeframes to control the extent to which different types of data should be retained. To ensure full compliance, you should consider automating the data retention process so that certain types of data do not stay beyond their expiry period due to forgetfulness.
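One way to automate the minimum/maximum retention check, as an added example that is not from the original article: the data types, retention periods and record IDs are constructed, and the "unclassified" and "invalid-date" outcomes are assumptions of this sketch.

```python
"""Retention planner sketch for Safeguard 3.4 (constructed policy and records)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy: data type -> (minimum days, maximum days) of retention.
RETENTION_POLICY = {
    "invoice": (365 * 7, 365 * 10),
    "web-log": (90, 365),
    "job-application": (0, 180),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_type: str
    created: date


def retention_action(record, today, policy=RETENTION_POLICY):
    """Classify one record against the policy's minimum and maximum timeframes."""
    if record.data_type not in policy:
        return "unclassified"   # no rule: route to the data owner, never guess
    min_days, max_days = policy[record.data_type]
    age = (today - record.created).days
    if age < 0:
        return "invalid-date"   # creation date in the future: fix the inventory
    if age < min_days:
        return "retain"         # deleting now would violate the minimum
    if age <= max_days:
        return "eligible"       # may be disposed of, not yet overdue
    return "dispose"            # past the maximum: must be securely disposed of


def plan_retention(records, today, policy=RETENTION_POLICY):
    """Group record IDs by the action the policy requires."""
    plan = {}
    for record in records:
        action = retention_action(record, today, policy)
        plan.setdefault(action, []).append(record.record_id)
    return plan


# Constructed inventory, dated relative to a fixed review date.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("log-001", "web-log", TODAY - timedelta(days=30)),
    Record("log-002", "web-log", TODAY - timedelta(days=200)),
    Record("log-003", "web-log", TODAY - timedelta(days=500)),
    Record("cv-001", "job-application", TODAY - timedelta(days=181)),
    Record("inv-001", "invoice", TODAY - timedelta(days=365 * 3)),
    Record("chat-001", "chat-export", TODAY - timedelta(days=10)),
    Record("log-004", "web-log", TODAY + timedelta(days=5)),
]

if __name__ == "__main__":
    for action, ids in sorted(plan_retention(SAMPLE_RECORDS, TODAY).items()):
        print(f"{action}: {', '.join(ids)}")
```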
3.5: Securely Dispose of Data
Whether you need to dispose of data because it’s old and irrelevant or due to standard regulations, ensuring secure disposal is crucial to preventing unauthorized access to the data. You should dispose of data according to their sensitivity, making sure that sensitive data are entirely eliminated in a way that no user can access.
3.6: Encrypt Data on End-User Devices
In certain scenarios, company devices get compromised by internal or external threats. Encrypting data on end-user devices helps prevent data misuse when such scenarios arise, adding an extra layer of security to your organization. Typical examples of encryption tools are Windows BitLocker, Linux dm-crypt, and Apple FileVault.
3.7: Establish and Maintain a Data Classification Scheme
Not all the data in your organization are on the same level. Some are sensitive, while others aren’t. Establishing and maintaining a data classification scheme helps you to distinguish sensitive data from non-sensitive data, so you can provide more protection for sensitive ones. Even non-sensitive data can also be further classified as private or public to enhance data protection.
Organizations should review their data classification scheme annually or whenever there’s a significant policy change.
3.8: Document Data Flows
Organizations should keep tabs on the movement and flow of data in and out of the enterprise in order for timely detection of vulnerabilities that could weaken their cybersecurity. You should review documentation annually and apply necessary updates whenever a significant change that could potentially impact this safeguard occurs.
3.9: Encrypt Data on Removable Media
Organizations should prepare for scenarios of device theft by encrypting the data on external hard drives, flash drives, and other removable media. These devices may also be misplaced and eventually land in the wrong hands, but with encryption, you can rest assured that the data will not be misused or exploited.
3.10: Encrypt Sensitive Data in Transit
Organizations should encrypt critical data in transit to ensure optimal protection wherever the data goes. Popular encryption options for companies are Open Secure Shell (OpenSSH) and Transport Layer Security (TLS). All encrypted connections must also be adequately authenticated. For example, with OpenSSH, host keys should be validated and any connection warnings investigated, while TLS should use valid DNS identifiers with certificates signed by a trusted and valid certification authority.
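The TLS authentication requirement, shown as an added example (not from the original article) using Python's standard ssl module: a client configuration that encrypts without authenticating, the corrected configuration, and a check that tells them apart. The function names are hypothetical, and the TLS 1.2 floor is an assumption of this example rather than something the article states.

```python
"""TLS client settings for Safeguard 3.10: weak vs. authenticated (added example)."""
import ssl


def weak_client_context():
    """Encrypts traffic but accepts any certificate: do not use."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # DNS identifier is no longer checked
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain is no longer validated
    return ctx


def hardened_client_context(cafile=None):
    """Encrypts and authenticates the server.

    cafile: optional path to a private CA bundle; None uses the system store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() already sets CERT_REQUIRED and check_hostname.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor, not from the article
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the context authenticates."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate is not verified against a trusted CA")
    if not ctx.check_hostname:
        findings.append("server DNS name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        issues = audit_tls_context(ctx)
        print(name, "->", issues if issues else "OK")
```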
3.11: Encrypt Sensitive Data At Rest
Sensitive data at rest, whether on servers, databases, or applications, should be encrypted with at least storage-layer encryption. Additional encryption methods can be deployed to ensure that only authorized users can view and use the data, even if the storage device gets into the wrong hands.
3.12: Segment Data Processing and Storage Based on Sensitivity
Data processing and storage should be segmented based on data classification to ensure that sensitive data is treated with more caution than less sensitive data. Avoid processing sensitive data on enterprise assets that manage less sensitive data at the same time. Doing this will prevent a hacker from automatically accessing all company data once they gain access to some less sensitive data.
3.13: Deploy a Data Loss Prevention Solution
Data loss prevention (DLP) is a powerful automated system for protecting on-site and remote data from accidental loss and exfiltration. The tool identifies all sensitive data processed, stored, or transmitted through enterprise assets and updates the data inventory. Learn more about DLP vs IRM here.
3.14: Log Sensitive Data Access
All sensitive data actions should be logged, including access, modification, and disposal, as this is essential for timely detection and response to malicious activity. Post-attack investigations and detection of breach culprits for appropriate accountability also require data access logs to be fully carried out.
How a data-centric security approach can help you to implement CIS Control 3
Organizations deploying data-centric security can better implement CIS Control 3 because their technologies, processes, and policies are concerned with the lifecycle of data, including its location, collection, transfer, storage, and visibility.
Key Elements And Benefits of a Data-Centric Security Approach
The key elements of an effective data-centric security system include the following:
1. Identification, discovery, and classification of sensitive information
An internal or external attacker’s primary target is to access the most sensitive company information since they carry the highest benefits. They may as well go after other data, e.g., regulation data like EU-GDPR, PCI, or others. Often, these data are stored in specific repositories known to only the company’s team; however, they can be shared, putting the data at risk. Organizations interested in implementing data-centric security controls need tools and technologies that help to identify where their data is at all times to prevent unauthorized access. Learn about the advantages of data classification boosted by AI and machine learning.
2. Data-centric protection
Data-centric security controls focus on monitoring and securing an organization’s sensitive information to prevent unauthorized access due to cloud, network, or data leakage. You know where your data is and where it goes while having absolute control over it, regardless of how far it travels.
3. Audit and monitoring of access to data
Organizations must analyze data use and determine if users’ behavioural patterns are within the acceptable standard so as to know the level of risk associated with the data at any time.
4. Administration and management of data policies
Employees come and go, but company data remain relevant at all times. A data-centric security approach allows organizations to determine who should or shouldn’t have access to certain data, depending on their policies. So when you stop collaborating with someone or find out they’re at risk, you immediately revoke access to the data, destroy it, or prevent it from leaving the corporate network.
How can SealPath help?
When it comes to improving your organization’s data protection strategy, SealPath can offer a data-centric security system that effectively monitors your data at rest, in transit, and in use. Thus, regardless of how far your data travels, you are not only aware of its journey, but you still have absolute control over it and can destroy it in case of a breach risk.
SealPath offers you Information Rights Management (IRM) / Enterprise Digital Rights Management (E-DRM) / Enterprise Information Protection and Control (IPC) over all your data, preventing a breach incident.
Information Rights Management (IRM)/Enterprise Digital Rights Management (E-DRM)/Enterprise Information Protection and Control (IPC) solution
The IPC (Information Protection and Control), or IRM / E-DRM (Information Rights Management / Enterprise Digital Rights Management) technologies give you the power to control information wherever it is, even if it’s outside the cloud. They combine identity control + encryption + auditing + remote control and take them beyond the sphere of traditional encryption.
Some of the capabilities of this technology include the ability to:
• provide protection that travels with the information
• monitor access to information and limit the permissions on the documentation (Only View, Edit, Print, etc.)
• revoke access, no matter where the files are stored
A data-centric approach to security makes protection user-driven or managed by the administrator in order to secure certain folders. In the cloud, folders or documentation repositories are automatically protected by encrypting them in systems with O365, Box, etc.
These technologies can be integrated with classification tools so that classified data within or outside the corporate network or cloud are automatically protected, depending on their level of confidentiality, DLP, or CASB.
About SealPath
SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
5 tools to prevent data exfiltration when sharing files from mobile devices are analyzed to help you take the best steps to protect the business information. Learn how to improve security, make informed decisions and understand the effectiveness of each option based on our more than 10 years of experience helping organizations with their data security.
Although we come from a security mindset where everything is perimeter-focused and every action is blocked, the reality is that business professionals often need to share sensitive documents with others. And if they have blocking measures in place, they may even bypass them in order to be productive, agile, and meet business objectives. It is therefore undeniable that the secure sharing of sensitive documents with others is a gap.
And of course, the fastest and most convenient way to share documents is via mobile devices. There may be several reasons for this: not having a PC at hand, not being in a good location to access a PC, or simply not having much time because you are traveling, at a business lunch, or away from the office. But at the same time, you need to send a document right away, you need to share it urgently. We take risks when we send sensitive files without any security measures. We sacrifice security for convenience and speed.
The risks arise not only when storing sensitive documents on the mobile device but also when sharing this information with third parties. You also have no guarantee that the person you send sensitive files to will apply effective security measures to prevent your sensitive information from being exfiltrated. Mobile devices are one of the main risk vectors for companies, where less security is applied, as detailed in this Security Intelligence article.
Therefore, it’s crucial for organizations to recognize that data exfiltration from mobile devices is a far more serious threat than it appears. Businesses must strike a balance between the necessity for mobile productivity and the imperative to protect sensitive data from unauthorized access. Related Article: 9 tools to prevent data theft in your organization.
Imagine the life of a busy executive, Sarah, who is always on the move, traveling between cities for high-stakes meetings. One afternoon, while waiting for her next flight in a bustling airport lounge, she receives an urgent message on Microsoft Teams from her company’s internal channel. It’s a sensitive document outlining the latest corporate strategy, meant only for top-tier management.
The urgency of the situation presses Sarah to act swiftly; she contemplates sharing it with a few key colleagues via WhatsApp for immediate input. Unbeknownst to her, this seemingly simple act of convenience could expose the company’s sensitive data to unauthorized access, compromising corporate confidentiality and security.
Sales representatives on the road
Now consider Alex, a dedicated sales representative who spends his days maneuvering through endless hours of travel between client meetings. His effectiveness depends on agility and the ability to instantly respond to clients’ needs.
While on the road, Alex receives a personalized technical guide through Slack, crafted specifically for a high-profile client. Time is of the essence, so Alex decides to forward the guide to the client using Outlook on his smartphone. While his intention is to offer exemplary service, this act of expedience could potentially bypass security protocols and put proprietary company information at risk.
These scenarios underscore the pervasive threat of data exfiltration from mobile devices in the enterprise world. The need for a balance between efficiency and data protection has never been more critical, as data exfiltration incidents can occur at any moment. This highlights the necessity for businesses to establish comprehensive mobile security strategies that safeguard sensitive information, even amidst the constant urgency and demands of corporate operations.
Preventing data loss in organizations requires a multifaceted approach, leveraging various tools and methods designed to address specific use cases and contexts. Each tool offers unique strengths and capabilities, aimed at minimizing the risk of data exfiltration and ensuring the secure sharing of files across mobile devices. Let’s take a look at what our options are:
Password Protection
It’s as simple as creating a password for your document or folder with documents and sending that password through another channel to the recipient so that only the person with the password can access it. File encryption tools such as AxCrypt, SecureZIP, or GnuPG are a good option.
Pros:
Useful for very occasional sends: It’s useful if you need to send sensitive documents a very small number of times. Password encryption is simple and can be fast.
Cons:
You have no control over the document: There is a risk that unauthorized persons can access it, either because the password and file were obtained (or stolen) or because the authorized person shared the password and file with others.
Manage and remember passwords: It is not safe to send documents always with the same password, so you will have to manage the different ones you create, store them securely and/or remember them.
It is not an agile method for everyday use: Every time you want to send sensitive documents, you have to create new passwords, store them, and send them securely through a different channel.
Virtual Private Networks (VPNs)
VPNs create a secure tunnel between the user’s device and the internet or a remote network. They provide an encrypted connection. This helps protect data transmitted over public or unsecured networks by ensuring that the data remains private and concealed from unauthorized access or interception. Commonly Used VPN Services are Palo Alto GlobalProtect, Cisco AnyConnect, OpenVPN and NordVPN.
Pros:
A good choice for securing data in transit: This option is good to make sure that no one intercepts the files while they are being sent, while they are in transit.
Cons:
The data is not protected once downloaded or at rest: They do not provide protection for data once it has been downloaded. If the recipient does not follow security best practices, the data could still be compromised.
Upload the files to a Repository, Cloud Storage or File Sharing Service
Pros:
A great choice for collaboration: They are a great way to store files or collaborate on the same document.
Cons:
It requires that the documents be uploaded first: This is an essential step that can be a hindrance to the user, making them less agile, adding an extra step and taking more time.
You lose control once they are downloaded: Even if you only give access to authorized people who have to log in, once they download the file, you run the risk of exfiltration again. And it is not always enough to simply allow viewing of documents and block downloads.
Email Encryption Services
Email encryption services are designed to protect the content of email from being read by unauthorized parties. These tools ensure that only the intended recipient can access and read email content by encrypting it during transmission and storage. Commonly Used Email Encryption Services are ProtonMail, Microsoft Purview Message Encryption or Zix. Learn about the 3 common types of encryption in our in-depth article.
Pros:
This is a good way to send secure e-mails: They are a good option when only sending sensitive documents via email.
Cons:
It limits the channels of secure communication: Nowadays we communicate through different channels such as Teams, WhatsApp, Slack… Limiting it to email only can present obstacles for users and they may decide to skip it. Or, the conversation with the recipient may be on a different communication channel.
Large Attachments: Sending very large files as email attachments can be cumbersome and might not be supported by all email encryption services.
You lose control once they are decrypted: The document is sent securely but once the recipient has decrypted the document and downloaded it, you lose all control over it. You run the risk of it being exfiltrated.
Enterprise Digital Rights Management (DRM) Solutions
The primary purpose of enterprise digital rights management (DRM) solutions is to protect sensitive digital content from unauthorized use and distribution inside and outside an organization. These tools control access, usage, and distribution of digital files, ensuring that only authorized parties can view, edit, or share the content. They enforce protection on the document itself. DRM solutions protect digital content by encrypting files and applying policies that dictate how the content can be accessed and used.
Pros:
Protection is permanent: It is a good option because it focuses its security and protection on the data itself, accompanying it wherever it goes or travels, in all three data states: at rest, in transit and in use. If you want to know more about the 3 data states, visit our article.
Cons:
User Frustration with Restrictions: EDRM can lead to user frustration if it interferes with usability or creates a poor user experience.
It is perhaps the most comprehensive and versatile approach to mobile data security because it focuses security on the data. For us, it is the safest way, and we believe so strongly in this technology as a game changer. That is why we have developed an EDRM product specifically for mobile devices. We present it to you below.
SealPath is the most advanced EDRM solution that provides persistent protection for documents regardless of how they are stored and shared, and has been in the market for over 10 years. Satisfied with SealPath protection on their PCs and Macs, our customers asked us to bring protection to their mobile phones and tablets. They wanted a flexible yet robust way to protect documents on the go. And it is with this in mind that we present the SealPath Information Protector App, so that they can continue to be productive and agile in their day-to-day work while protecting the information with the highest level of controls.
How does the SealPath Information Protector App work?
1. Open the File: Open the file within your desired app such as Slack, Outlook, or WhatsApp on your phone or tablet.
2. Share the File: Tap on the options menu and select the share option.
3. Protect the Document: Inside the SealPath Information Protector App, tap the “Protect Document” button.
4. Select Protection Policy: A window will open allowing you to search and select your desired protection policy. You can type the policy name for quick access.
5. Final Steps: The app will protect the document. A window will open offering you the choice to either share the protected document via your desired app or save it on your phone or tablet.
Note: The entire process only takes a few seconds to complete.
Secure File Sharing with Real Use Cases
From Teams internal channel to board members via WhatsApp
John, an executive at a multinational company, is traveling for business. While at the airport, he receives a sensitive document containing strategic information through Teams on an internal channel. John needs to share this document with other executives quickly and securely. Using his tablet, he opens the document, taps the share option, and selects the SealPath Information Protector App.
Within the app, he taps “Protect Document” and chooses the “Confidential” policy, ensuring that only a small group of executives have permission to access the document. Once the app protects the document, John shares it via WhatsApp. This process ensures the sensitive information is secure while allowing him to stay productive and efficient.
Receive a document in Slack and email it to a client
Emily, a sales representative, spends most of her time on the road, traveling between client and partner meetings. During a break, she receives a personalized technical guide with important customer details through Slack’s internal channel on her phone. Emily needs to protect this sensitive information before sharing it with the customer.
She opens the document, taps share, and selects SealPath Information Protector App. She then taps “Protect Document” and secures the guide with the appropriate protection policy. After protecting the guide, Emily shares it with the customer via Outlook. This ensures the document is secure, and Emily can maintain her agility and responsiveness, even while on the go.
Key Features of SealPath Information Protector App
Protect and unprotect from your usual apps: Protect and share in seconds via WhatsApp, Slack, Teams, Gmail, Google Drive, SharePoint, OneDrive, Telegram… You can also unprotect files using the same process.
Easy and fast: Protecting files is very easy with an intuitive interface, and the process is very fast so it takes very little time.
You control the data wherever it goes: You have the ability to limit who can access it and what usage permissions they have (edit, view only, print…). You can even block access after the document has been sent and monitor accesses.
Secure login: To prevent anyone from unprotecting confidential files on your device and to make it more convenient to log in, you can use your fingerprint or face.
Available for phones and tablets: Available on the App Store and Google Play for iOS 11 or higher and Android 5.0 Lollipop or higher.
Protect your sensitive business data throughout its lifecycle with our easy-to-use EDRM App
In the quest to secure mobile document sharing, organizations must weigh convenience against security to select the optimal solutions. It’s crucial to implement tools that secure data without hindering user experience, as overly complicated systems may lead to user workarounds. Key considerations include ensuring robust encryption to protect data at rest and in transit, and implementing user-friendly authentication processes to streamline access without sacrificing security.
Solutions should offer seamless integration with existing applications and workflows to minimize disruption. Real-time monitoring and alerts can help detect and mitigate exfiltration attempts swiftly. Ultimately, the chosen approach should provide strong data protection while maintaining efficiency and productivity, fostering a secure yet convenient environment.
9 tools to prevent data theft in your organization are analyzed in this essential guide that provides expert insight into protecting your business data. Learn how to improve security, make an informed decision, and understand the effectiveness of each tool.
The security of sensitive information has transcended the confines of IT departments, becoming a boardroom imperative. The threat of data theft looms larger than ever, casting a long shadow over the corporate landscape. But just how pervasive and damaging can data theft be for companies? Let’s dive into some real-world case studies and statistics that throw light on this growing concern.
Equifax: In a landmark event of digital compromise in this century, Equifax revealed in September 2017 the unsettling news that the personal details, inclusive of Social Security numbers, belonging to about 147 million consumers had been exposed. The financial repercussions? Equifax had to part with $575 million in settlements.
MOVEit: In 2023, a significant breach occurred within a managed file transfer (MFT) application, known for its secure file transfer capabilities and relied upon by a wide range of organizations and government agencies. A ransomware attack resulted in the extraordinary exposure of sensitive data belonging to approximately 77 million individuals and approximately 2,600 organizations worldwide. Notable organizations affected included the U.S. Department of Energy, all of which saw their data dramatically exposed. The global financial impact of this breach is estimated to be in excess of $12 billion.
Diving into the findings of IBM’s Cost of a Data Breach assessment for the year 2024, we find ourselves looking squarely at a daunting figure: the worldwide average fiscal fallout from a data breach now sits at $4.88 million. This isn’t just another statistic; it’s the crest of a menacing wave, representing a sharp 10% climb from the previous year and setting a new record high. It’s a stark reminder of the hefty price tags attached to breaches in the digital era. This upward trend in data breach expenditures is partially attributed to an 11% swell in two key areas: the business losses resulting from interrupted operations and the expenditures tied to the response after a breach.
Think of the painstaking marathon many organizations undergo post-breach: over three-quarters find themselves caught in a recovery bind extending past 100 days, with a substantial 35% crossing the 150-day threshold. Zoom in on the anatomy of the average $4.88 million price tag for these data breaches, and we unearth that a considerable chunk, $2.8 million, stems from the toll of lost business. This encompasses the ripple effects of downtime and the departure of customers, as well as the scaled-up efforts in customer support and compliance with surging regulatory penalties. Remarkably, this sum stands as the heftiest record of financial impact from such losses and breach-mitigation endeavors in a six-year span. How is the data breach loss cost estimate obtained? We break it down here.
Data theft is the unauthorized acquisition of sensitive, proprietary, or confidential data. This could involve personal details, financial information, or intellectual property. It is a clandestine operation that infringes on privacy and can have catastrophic consequences as we have seen in the previous section. → Find out about all the different types of sensitive information here.
Forms of Data Theft
Direct Theft: It involves directly accessing and copying data from networks or devices, often through hacking or malware.
Interception: Here, data is captured while it’s on the move. For instance, data being transmitted over unsecured networks can be intercepted using eavesdropping techniques.
Unintentional Disclosure: Sometimes data is not stolen but rather exposed accidentally, often due to lax security measures or human error.
The Agents of Data Theft
Internal Actors: Employees are often overlooked threats. From the highest levels of management to the operational staff, anyone with privileged access can become a vector for data theft. Insiders might include contractors or anyone else who has temporary but integral access to systems and information.
External Actors: Here, data is captured by all available means in its 3 states: at rest, in motion, and in use. For instance, data being transmitted over unsecured networks can be intercepted using eavesdropping techniques. Hackers, from lone wolves to organized syndicates, are the profilers of the digital world, always on the lookout for vulnerabilities for financial gain. Competitors are also a threat: believe it or not, industrial espionage is a common motivator for data theft. → Find out the three states of data here.
Data theft location:
Inside the Network: Data theft isn’t always an external assault. It often occurs within the supposed safety of an organization’s own network.
At first glance, the act of stealing data may seem uniform, but the motivations, methodologies, and mitigation strategies for insider versus outsider threats are as distinct as they are complex.
Insider Data Theft
Imagine for a moment that you’re part of a crew on a ship. You know the layout, the schedule, and the weak points. An insider, much like a rogue crew member, has a deep understanding of the company’s defenses. An example that’s often shocking but not surprising is the disgruntled employee. Picture John, a long-time IT technician, overlooked for a promotion one too many times. Feeling undervalued, John decides to exit with a parting gift – sensitive client data that he casually slips into his personal cloud storage over weeks, undetected. John plans to use this data as a bargaining chip with a competitor or as a springboard for a new venture.
Insider threats like John exploit their access and in-depth knowledge of security measures to siphon off data, often slowly, to avoid detection. Beyond the obvious financial gain, insiders might be motivated by revenge, a sense of injustice, or ambitions that align with a competitor’s interests. Their actions are facilitated by their legitimate access and their intimate understanding of the company’s data landscape and security protocols.
Outsider Data Theft
Now, envision your ship encountering pirates. Outsiders, much like these pirates, are external entities lacking authorized access but are skilled in navigating through or circumventing defenses. These digital marauders deploy a gamut of tactics, from phishing expeditions to brute force attacks against the company’s digital infrastructure. Consider the example of a hacker collective targeting a multinational bank. They initiate a sophisticated phishing campaign, tricking employees into disclosing their credentials.
With these keys to the kingdom, they bypass security measures designed to repel unauthorized entry, making off with millions of customer records. Typically fueled by profit, political agendas, or the thrill of the challenge, outsiders often deploy elaborate schemes to breach defenses. Their lack of inside access necessitates the use of technical skills to exploit vulnerabilities in software, human psychology, or both. A current example of attacks that cause a lot of damage is the new generation of ransomware. → Dive into the digital underworld of 2024’s ransomware here.
The fight against data theft requires a two-front battle. Against insiders, it’s about fostering a culture of accountability, employing strict access controls, and maintaining an environment where loyalty is appreciated but not exploited. For outsiders, the emphasis must be on robust security measures, employee training to recognize phishing attempts, and adopting a layered defense strategy that assumes breach attempts are not a matter of if, but when.
It is paramount to draw a line, or rather a firewall, between the threats that brew within the confines of our networks and those that lurk in the shadows beyond. Inside-the-network and outside-the-network data thefts are two sides of the same coin, yet they play by vastly different rules.
Inside-the-Network Data Theft
Visualize a fortress. Inside its walls, the keep, various chambers, and even the hidden passages are familiar grounds to its inhabitants. In the context of data theft, insiders operate within this fortress. They are your employees, contractors, or anyone who has been granted the keys to the castle. An illustrative scenario could involve a procurement officer in your supply chain. With access to vendor lists, pricing data, and contract details, this person decides to divert some of these treasures to a rival bidder in exchange for a lucrative kickback.
Here, physical access, legitimate credentials, and an intimate knowledge of the internal processes empower the insiders to exploit vulnerabilities from within the network’s protective embrace. In this case, vulnerabilities can also be exploited by intruders to gain access or credentials can be stolen to impersonate an employee without arousing suspicion. The amount of damage an insider can do is often directly proportional to the level of trust and access they are granted. Their intimate knowledge of the system’s architecture and operational blind spots allows them to navigate and extract information with alarming precision and discretion.
Outside-the-Network Data Theft
On the flip side, imagine adversaries scaling the walls, unseen, in the dead of night. These are the outsiders (hackers, competitors, or state actors) who have no sanctioned foothold within the network. Their approach? Identify and exploit vulnerabilities as data leaves the perimeter. An example that encapsulates this scenario involves attackers targeting a contractor who holds sensitive information, sometimes a smaller organization with fewer security measures that is therefore easier to penetrate.
Outside attackers are constrained by their lack of authorized access and intrinsic knowledge of the targeted network. Their success hinges on skill, persistence, and often, exploiting the human element of security. Today it is essential to send certain, sometimes sensitive, data outside the network. This data is no longer controlled by the organization once it leaves and we can only rely on the recipients to act diligently and have adequate measures in place.
Security measures must take this into account; adapting to the reality of organizations is imperative to ensure maximum effectiveness. It is no longer enough to protect only the perimeter. It is now necessary to go further, as recommended in the popular cybersecurity strategy called Zero-Trust. → Know how to implement this strategy here.
Deciding which tools are best for each organization’s needs can be a complicated task, as there are numerous technologies, each with its strengths and weaknesses. In an ideal world, it would be best to apply most of them integrated with each other, but this is not always possible. That’s why it’s important to keep a few things in mind before jumping into the first one you find.
Gauging Your Cybersecurity Maturity: Just as a sapling differs vastly from an ancient oak, organizations have varying degrees of cybersecurity maturity. Before diving into the toolbox, take a step back. Assess where you stand on this continuum. Do you have a sufficient team to manage the new tools? Are they trained? Do you have basic measures in place? An organization’s maturity will dictate the complexity and sophistication of the tools that will be most effective and manageable. The NIST Cybersecurity Framework can help you gauge your cybersecurity maturity; access our guide here.
Balancing the Budget with Board Commitment: In the realm of cybersecurity, the adage “You get what you pay for” often rings true. However, allocating resources wisely demands a dance between ambition and practicality, spearheaded by your board’s commitment. Your strategy should communicate the value of investment in cybersecurity, not as a cost, but as insurance against potential losses, ensuring the board’s alignment and support.
Prioritizing Key Risks: Not all treasures are equally coveted by pirates. Identify the crown jewels within your digital vault. What data, if lost or compromised, could sink your ship? Prioritizing these key risks will guide your investment towards tools that offer the best defense where it’s most needed. Risk assessment is your treasure map; follow it diligently.
Tailoring to Your Specific Context: Every ship has its unique build, and similarly, every organization operates within a distinct context—be it infrastructure, sector, or the types of information it holds dear. A cargo ship has different needs than a battleship. Perhaps your organization deals in sensitive health records, requiring HIPAA compliance, or maybe it’s a financial institution beholden to PCI-DSS regulations. Select tools that are not just best in class but best for your class.
Implementing Continuous Monitoring and Response Strategies: Finally, remember that setting sail is just the beginning. Continuous monitoring and swift response mechanisms ensure that should a storm arise, your ship can weather it. Investing in tools that offer real-time monitoring and alerting capabilities means you’re always one step ahead, ready to batten down the hatches and repel boarders at a moment’s notice. A smooth data breach response plan can help you, check our detailed guide here.
Embrace a Zero-Trust approach: A Zero-Trust approach operates on the assumption that threats could originate from anywhere, both outside and within your walls. You must therefore verify everything attempting to connect with your system, no matter how trustworthy it appears. It’s a proactive stance, where trust is earned and continually reassessed. This methodology not only strengthens your defenses but also significantly minimizes the impact of an intrusion, should one occur.
Each tool or set of tools addresses a unique aspect, from specific use cases like guarding against sophisticated cyber threats to broader applications such as ensuring compliance with global data protection regulations. Some of them work perfectly well together and they are not mutually exclusive, so we have organized them by the main problem they focus on. We know that data security challenges are a priority for organizations; in this article we detailed them, but it’s imperative to take action.
4.1 Firewalls and Network security solutions for Defending Perimeters
The primary purpose of firewalls and network security solutions is to act as the first line of defense for an organization’s digital domain. These tools are designed to inspect incoming and outgoing network traffic based on predefined security rules, thus determining which traffic is safe and which poses a threat. Let’s delve into some of the most commonly used tools in this domain and outline their roles:
Traditional Firewalls: These act as a barrier between trusted, secure internal networks and untrusted external networks such as the internet. They inspect packets of data to determine if they meet the set of defined rules before allowing them into the network.
Next-Generation Firewalls (NGFWs): Beyond the capabilities of traditional firewalls, NGFWs offer deeper inspection levels. They can identify and block sophisticated attacks by enforcing security policies at the application level, including intrusion prevention systems (IPS), and incorporating intelligence from outside the firewall.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): IDS are designed to detect potential threats and alert the relevant parties. IPS, on the other hand, not only detects threats but also takes preemptive action to block them from entering the network.
Virtual Private Networks (VPNs): VPNs create a secure and encrypted connection over a less secure network, such as the internet. This shields the browsing activity from external inspection and makes data transmission more secure.
When Are They Best Used?
Traditional Firewalls are most effective in preventing unauthorized access and guarding against large-scale attacks targeting the network perimeter. They are best suited for businesses of all sizes as a foundational security measure.
Next-Generation Firewalls are particularly useful for organizations that require deep packet inspection and sophisticated defense mechanisms against malware and advanced persistent threats (APTs).
IDS/IPS systems are ideal in environments where continuous network monitoring for suspicious activities is paramount and where proactive measures are needed to prevent potential breaches.
VPNs are most beneficial for companies with remote or mobile workforces, ensuring secure access to corporate resources from any location.
When Are They Not the Best Option to avoid data theft?
Traditional Firewalls may not adequately prevent data theft as they do not inspect the content of encrypted traffic, which can be a significant loophole for data exfiltration.
NGFWs, while more advanced, can struggle with encrypted traffic as well unless specifically configured to decrypt and inspect this data, which not only requires additional resources but also raises privacy concerns.
IDS/IPS systems can miss data theft via sophisticated, low-and-slow data breaches that do not trigger the predefined threat thresholds, making them less effective against stealthy data exfiltration methods.
VPNs, though crucial for secure data transmission, do not protect against internal threats or data theft from within the organization, as they primarily secure data in transit rather than at rest.
These tools are very useful when defending the perimeter or connecting from outside the network. They are basic measures that protect and hinder access from the outside. But like castle walls, they are not enough to prevent data theft. They are not targeted at insiders, or even disguised attackers, who are already inside the network and can access data with some freedom. There may also be gaps, such as vulnerabilities that bypass the controls. Their technology is not designed to prevent human error where sensitive data is disclosed, or cases where data is sent outside the perimeter, such as to partners. They fulfill their primary function: hindering access to the network.
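The low-and-slow gap noted above for threshold-based IDS/IPS rules, shown as an added example (not code from the original article): a per-transfer size rule is compared with a rolling per-user, per-destination total over constructed egress records. The thresholds, window, user names, destinations and allow-list are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MB = 1024 * 1024
PER_EVENT_LIMIT = 500 * MB   # assumed: alert on any single transfer above 500 MB
WINDOW = timedelta(days=14)  # assumed look-back window for the cumulative rule
WINDOW_LIMIT = 400 * MB      # assumed: max bytes one user may send to one destination per window
# Assumed allow-list of sanctioned bulk flows, keyed by (user, destination).
SANCTIONED = {("backup-svc", "backup.example")}


def build_sample_log():
    """Constructed egress records: (timestamp, user, destination, bytes_sent)."""
    evening = datetime(2024, 3, 4, 18, 30)
    log = []
    for day in range(21):
        # Slow leak: 40 MB per day to personal storage, far below the per-event limit.
        log.append((evening + timedelta(days=day), "jdoe",
                    "personal-cloud.example", 40 * MB))
        # Ordinary business traffic from another user.
        log.append((evening + timedelta(days=day, hours=-6), "asmith",
                    "crm.example", 5 * MB))
    # One large but expected backup transfer.
    log.append((datetime(2024, 3, 10, 2, 0), "backup-svc", "backup.example", 800 * MB))
    return sorted(log)


def per_event_alerts(log, limit=PER_EVENT_LIMIT):
    """Classic threshold rule: flag each single transfer larger than `limit`."""
    return [rec for rec in log if rec[3] > limit]


def cumulative_alerts(log, window=WINDOW, limit=WINDOW_LIMIT, sanctioned=SANCTIONED):
    """Sliding-window rule: flag the first moment a (user, destination) pair
    exceeds `limit` bytes in total within `window`. Sanctioned flows are skipped."""
    recent = defaultdict(deque)  # (user, dest) -> deque of (timestamp, size) in window
    totals = defaultdict(int)    # (user, dest) -> bytes currently inside the window
    alerts = {}
    for ts, user, dest, size in sorted(log):
        key = (user, dest)
        if key in sanctioned:
            continue
        recent[key].append((ts, size))
        totals[key] += size
        # Drop records that have aged out of the window.
        while ts - recent[key][0][0] > window:
            totals[key] -= recent[key].popleft()[1]
        if totals[key] > limit and key not in alerts:
            alerts[key] = (ts, totals[key])
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("Per-event rule:")
    for ts, user, dest, size in per_event_alerts(log):
        print(f"  {ts} {user} -> {dest} {size // MB} MB")
    print("Cumulative rule:")
    for (user, dest), (ts, total) in cumulative_alerts(log).items():
        print(f"  {ts} {user} -> {dest} {total // MB} MB in window")
```

On this sample the per-event rule fires only on the sanctioned backup job, while the cumulative rule flags the daily 40 MB uploads once they add up past the window limit.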
Data Loss Prevention (DLP) aims to detect and prevent the unauthorized transmission of confidential information. DLP tools monitor, detect, and block sensitive data through deep content inspection, contextual analysis, and matching data fingerprints against pre-defined policies. It’s like being a policeman.
For example, an employee, Alice, works for a healthcare provider and has access to patient records. One day, she decides to download several records onto a USB drive, potentially to use them outside the company’s secure environment. The DLP tool has predefined policies to identify sensitive data. As Alice transfers the files, the DLP system monitors the data movement and recognizes the patient records as sensitive based on their content. The DLP tool then automatically blocks the file transfer to the USB drive because it violates the company’s data handling policy.
When is The Best option?
Against Insider Theft: Effective in mitigating risks posed by employees or contractors by monitoring user behavior and access to sensitive data, preventing intentional or accidental leaks. In a scenario where an employee attempts to transfer confidential financial reports to an unauthorized recipient, the DLP system can recognize the document as sensitive and block the transfer.
When It’s Not the Best Option
Implementation and Operation Complexity: Smaller companies may find DLP systems complex and resource-intensive to implement and manage.
Limited Outside the Network: DLP tools are less effective when data is handled outside the corporate network, such as on personal devices or in non-controlled cloud environments.
Pre-configured Policies Required: The effectiveness of DLP hinges on well-defined policies; without them, unauthorized data transfers might not be detected. It can be complex to develop effective measures and may require expert assistance.
Issue with False Positives: Overly strict or inaccurately configured DLP policies can lead to false positives, where legitimate data transfer processes are incorrectly flagged as security risks, hampering productivity and potentially leading to unnecessary investigative efforts.
A DLP is a very useful tool to control the actions that are performed with sensitive data within the network, intentionally or by mistake, either by camouflaged external agents or internal ones, but it has its limitations when certain data needs to leave the network.
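The content-inspection and policy steps from the Alice scenario, together with the policy-gap and false-positive limitations listed above, as an added example (not from the original article and not any vendor's engine). The record-number format, channel names, policy table and sample documents are assumptions constructed for illustration.

```python
import re

# Detectors for two data classes. The "MRN" label format is an assumed convention.
MRN_RE = re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE)
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Assumed policy table: (data class, channel) -> action. Unlisted pairs default to allow.
POLICY = {
    ("patient_record", "usb"): "block",
    ("patient_record", "email_external"): "block",
    ("patient_record", "ehr_upload"): "allow",
    ("payment_card", "usb"): "block",
    ("payment_card", "email_external"): "block",
}

# Constructed sample documents.
PATIENT_FILE = "Patient: Jane Roe\nMRN: 00482913\nDx: hypertension"
INVOICE = "Invoice for order ref 1234 5678 9012 3456, shipped 2024-05-02"
PAYMENT_EXPORT = "cardholder=J ROE pan=4111 1111 1111 1111 exp=12/27"


def luhn_valid(number):
    """Luhn checksum: separates plausible card numbers from arbitrary digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:      # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def classify(text, validate_cards=True):
    """Return the set of sensitive data classes detected in `text`."""
    found = set()
    if MRN_RE.search(text):
        found.add("patient_record")
    for match in CARD_RE.finditer(text):
        # Without validation, any long digit run counts as a card number.
        if not validate_cards or luhn_valid(match.group()):
            found.add("payment_card")
    return found


def decide(text, channel, validate_cards=True):
    """Apply the policy table to a transfer; block if any detected class is blocked."""
    classes = classify(text, validate_cards)
    verdicts = {POLICY.get((c, channel), "allow") for c in classes}
    return ("block" if "block" in verdicts else "allow"), sorted(classes)


if __name__ == "__main__":
    print(decide(PATIENT_FILE, "usb"))             # the Alice scenario
    print(decide(PATIENT_FILE, "personal_cloud"))  # channel missing from the policy
    print(decide(INVOICE, "email_external", validate_cards=False))  # pattern-only rule
    print(decide(INVOICE, "email_external"))       # same document with Luhn validation
    print(decide(PAYMENT_EXPORT, "email_external"))
```

The `personal_cloud` case is detected as a patient record but still allowed because no policy covers that channel, and the invoice is blocked only when the card detector skips checksum validation.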
The main purpose of IAM (Identity and Access Management), MFA (Multi-Factor Authentication), and RBAC (Role-Based Access Control) is to enhance security by ensuring only authorized individuals can access sensitive company data and systems. IAM systems manage and track user identities and their associated access permissions throughout the organization. MFA adds an extra layer of security by requiring users to present two or more verification factors before gaining access. RBAC allows companies to restrict system access to authorized users based on their role within the organization.
When is The Best option?
For Comprehensive Access Control: IAM is a good option when organizations need a detailed and overarching system for managing user identities and access permissions across all systems and applications. It’s particularly effective in environments where users require different levels of access. In a large healthcare institution, IAM can ensure that only certified medical personnel can access patient records, while administrative staff may only have access to scheduling systems.
Against Credential Theft: MFA can prevent unauthorized access even if a user’s primary credentials are compromised. If a company executive’s password is stolen, MFA would still block an attacker since they lack the second factor, such as a fingerprint or a mobile device with a one-time passcode.
Against Excessive Access Rights: RBAC minimizes the risk of data theft by ensuring employees only have access to the information necessary for their job, focusing specifically on access control based on roles. An accountant might have access to financial software but not to the company’s client databases, mitigating the risk of accessing and potentially leaking sensitive client information.
When It’s Not the Best Option:
RBAC Rigidity: If job roles are not clearly defined or if they change frequently, maintaining accurate role definitions in RBAC can become complex and error-prone.
IAM Complexity: Small organizations with limited IT resources may find IAM systems complex to set up and maintain.
Internal Threats: While these tools are effective at managing how access is granted, they may be less effective once an authorized insider decides to act maliciously.
Off-Network Access: If data is accessed from outside the network, say through a personal device that is not managed or monitored, these tools may not provide protection against theft.
Authentication and access control tools are very effective in ensuring that only authorized persons have access to confidential information. But once they have access they cease to exercise control, giving malicious employees or disguised attackers the freedom to do whatever they want with the data. It’s like a door that is locked but if you get hold of the key, you can do whatever you want behind it, and even take what you’re looking for.
EDRM (Enterprise Digital Rights Management) serves to secure and manage documents and sensitive information continuously, from their inception to their final disposal, ensuring protection irrespective of the data’s location or movement. EDRM secures data by embedding protection directly into the files, allowing only authorized users to access, edit, print, or share the information. It can control who has access to data, set permissions for different levels of interaction, and apply policies that persist with the data as it moves both inside and outside the organization. It is a mix of encryption, access and identity control and permissions management.
When is The Best option?
Protecting Sensitive Documents: EDRM is ideal when organizations need to protect sensitive documents, especially after they have been shared outside the organization. A law firm sharing confidential case files with external and internal consultants can use EDRM to ensure that only the intended recipients can open, edit, or print the documents.
Having traceability of shared data: If you want to be proactive by monitoring the accesses and permissions granted on the data in real time.
Acting fast and responding to data threats: In cases where there has already been a leak or collaboration with other organizations has stopped, it allows you to revoke access even if the data is out of our reach.
When It’s Not the Best Option:
Very Complex Environments: EDRM might be overly restrictive or challenging to implement in environments that handle a vast array of collaborative workflows.
User Frustration with Restrictions: EDRM can lead to user frustration if it hinders usability and productivity due to strict control policies or poor user experience.
Considering that its technology arises mainly for data control, perhaps these tools are the ones that best protect against theft, whether against internal or external, outside or inside the perimeter, or even by human error. By having an approach that focuses on the data itself and accompanies it, it may be the measure that covers the most contexts in data security and therefore the most versatile.
Endpoint encryption tools aim to safeguard data on devices such as laptops, mobile phones, and tablets by transforming it into a format that only individuals with the decryption key can access, effectively blocking unauthorized entry. Endpoint encryption tools encrypt the data stored on end-user devices, ensuring that data remains protected even if the device is lost, stolen, or compromised. Encryption can be applied to the entire disk (full-disk encryption), to specific files or folders (file-level encryption), or to data in transit.
When is The Best option?
High-Risk Devices: These tools are best used for devices that frequently leave the secure physical controls of an office environment, such as laptops and mobile devices used by field employees. A sales company equips its remote sales staff with laptops that contain sensitive client information. Using endpoint encryption ensures that the data on these laptops is unreadable to unauthorized users if the laptops are lost or stolen.
When It’s Not the Best Option:
Performance Issues: Encryption can sometimes decrease system performance, which might not be suitable in highly performance-sensitive environments.
User Experience Limitations: The need for encryption keys can sometimes complicate the user experience, particularly in terms of data sharing and collaboration.
Insider Threats: Endpoint encryption does not prevent data theft by authorized users who have access to decryption keys.
Mismanagement of Encryption Keys: If encryption keys are not managed securely, they can become a point of vulnerability, potentially allowing unauthorized access to the encrypted data.
Encryption is one of the oldest basic tools. It can be very useful in specific situations where something agile is required and we are sure to manage passwords with good practices. The limitations come when we want to continuously protect many different types of data, as applying the same password is not secure, and managing hundreds of them is not practical. Another point to take into account is that once someone has the password and decrypts the data, the data is left unprotected and its owner loses all control over it. If you want to know the 3 encryption types go here.
Data Discovery and Classification tools are designed to pinpoint and organize data dispersed throughout an organization’s digital assets, thus facilitating improved data management and bolstering security protocols tailored to the data’s level of sensitivity. These tools automatically scan data repositories to discover data and classify it according to predefined criteria such as sensitivity, regulatory compliance requirements, or business value. Classification labels help in applying appropriate security policies and controls, such as access permissions and encryption requirements.
When is The Best option?
Compliance with Regulations: These tools are particularly useful in environments where compliance with data protection regulations (like GDPR, NIS2, DORA, HIPAA) is critical. A healthcare provider uses data discovery and classification tools to categorize patient information as confidential and apply stringent access controls and encryption, ensuring compliance with health data protection laws. →Learn everything you need to know about NIS2 here.
When It’s Not the Best Option:
Low Complexity Environments: In smaller or less complex environments where data types and storage locations are limited and well-known, the cost and complexity of implementing these tools may not justify the benefits.
Initial Setup and Maintenance Demand: The tools require initial setup to define data categories and policies, and ongoing maintenance to adjust for new data types and business changes, which could be resource-intensive.
Limited Impact on Threats: While effective in managing how data is handled internally, these tools do not directly protect data against external or internal threats unless coupled with other security measures.
Dependency on Accurate Classification: Misclassification of data can lead to inadequate protection measures, still exposing sensitive data to potential theft or loss.
These tools are very useful for informing users and other tools about the sensitivity of data, so that they know how to act according to the guidelines established for each sensitivity level. However, they do not protect the data; they only inform about the sensitivity or the policy that must be followed, so they do not play a decisive role in security by themselves, although it is worth noting that they are very valuable in conjunction with other proactive protection tools.
User and Entity Behavior Analytics (UEBA), Security Information and Event Management (SIEM), and User Activity Monitoring (UAM) tools are primarily focused on offering proactive security. They achieve this by observing, analyzing, and reacting to internal and external threats in real-time, thus guarding against possible data theft incidents. SIEM collects and aggregates log data from various sources within an organization’s IT environment, analyzing that data to identify suspicious activities. UAM monitors and records activities of users across company systems and networks, identifying unauthorized access or operations that could lead to data breaches.
When is The Best option?
Complex IT Environments: These tools are best utilized in complex IT environments where there are many endpoints, user activities, and data transactions to monitor. A financial institution implements SIEM and UEBA to monitor for unusual access patterns to sensitive customer financial data, enabling the IT security team to quickly respond to and mitigate unauthorized access attempts.
When It’s Not the Best Option:
Small-scale implementations: For smaller companies with limited IT infrastructure and simpler data workflows, the cost and complexity of implementing and managing these tools may not be justified.
Limited IT Resources: Organizations with limited IT security personnel may find these tools challenging to manage effectively, as they require constant tuning and analysis to provide value.
False Positives: These tools can sometimes generate false positives, leading to unnecessary alarms and potentially diverting resources from genuine threats.
Adaptation by Threat Actors: Sophisticated cybercriminals may adapt their tactics to avoid detection by these tools, necessitating continuous updates and adjustments to the security measures in place.
The real-time monitoring and analysis tools mentioned above are quite powerful in certain scenarios to detect threats, especially external ones, in time. However, with respect to data theft, the role they play is mainly in alerting about unusual access within the network. For cases where data has left the perimeter they no longer exert control. With them it is difficult to detect internal users with permissions who want to misuse the data. Working in conjunction with other proactive protection tools, they can enhance security with great success.
Cloud Access Security Brokers (CASBs) aim to enhance organizational policies regarding visibility, compliance, data security, and threat protection by applying them to cloud applications and services. This ensures access to cloud resources is both secure and compliant. CASBs provide a comprehensive view of an organization’s cloud usage, including unsanctioned apps (shadow IT) and user activities. They also help enforce compliance policies across cloud services, aligning with regulations. They focus on threat protection, identifying and mitigating threats from compromised accounts, malware, and insider threats by analyzing user and entity behavior in the cloud environment.
When Is It the Best Option?
Hybrid and Cloud-First Environments: For organizations that rely heavily on cloud services or have a hybrid mix of cloud and on-premises applications, CASBs are essential for maintaining security parity across environments. An e-commerce company uses a CASB to enforce access controls and monitor for suspicious activities across its cloud-based inventory management and customer service platforms, effectively preventing unauthorized data exposure.
When It’s Not the Best Option:
Cloud-Averse Organizations: For companies that primarily use on-premises IT infrastructure and have minimal cloud exposure, the investment in a CASB may not provide significant benefits.
Simple Cloud Environments: Small businesses utilizing a single or few cloud services with straightforward security needs may find CASBs overly complex and not cost-effective.
Dependency on Configuration and Policies: The effectiveness of a CASB in preventing data theft heavily depends on the accurate configuration of control policies and the understanding of cloud-specific risks.
CASBs can be very useful for controlling security within cloud platforms, acting as an additional policeman in charge of enforcing the policies established within the cloud perimeter. Like DLPs, their focus is on the inside and on internal users; they can get in the way when you need to send data outside the network, where they no longer have control. They are specialized in the cloud, so their use case is quite specific to organizations that have that need.
The main purpose of awareness and training tools is to educate employees about cybersecurity best practices, recognize and respond to potential threats such as social engineering attacks, and ultimately reduce human error that could lead to data theft. These tools deliver engaging content on cybersecurity topics, including phishing, password security, and safe internet practices, often using quizzes and simulations to test knowledge. They create realistic but harmless phishing campaigns to test employees’ responses to suspicious emails, providing teachable moments for those who fall for the simulations. By tracking participation and performance in training programs and simulations, these tools help identify areas where additional education is needed.
When Is It the Best Option?
Companies of Any Size: From small businesses to large enterprises, any organization can benefit from strengthening their human firewall against cyber threats. An industry organization implements an ongoing cybersecurity awareness program, significantly reducing incidents of successful phishing attacks amongst its staff, protecting sensitive intellectual property data from potential exposure.
When It’s Not the Best Option:
Over-Reliance Without Supplementary Security Measures: Depending solely on training tools without implementing adequate technical safeguards does not provide a holistic security posture, leaving potential vulnerabilities unaddressed.
Infrequent or One-Time Training: Organizations that treat cybersecurity training as a one-off event, rather than an ongoing process, may find these tools less effective over time as threats evolve and employees forget best practices.
Knowledge is power: training employees can make the difference between suffering an attack and preventing one. The continuous training offered by these tools is of essential value to organizations. Although training is important, it does not guarantee that there will be no human error, deception or malpractice. It is one more tool that improves the security posture, but it needs to be backed by proactive protection tools for the cases where people fail or where gaps remain that can be used for malicious actions.
In today’s context, data is a gold mine, and malicious actors are constantly developing methods to extract this valuable asset and monetize it for their own benefit. Organizations need to be vigilant and proactive in defending their data against threats, and make the best decision by choosing the right tools based on their needs, context, and resources.
The stark reality is that data often needs to traverse beyond the traditional security perimeter due to remote working, cloud services, and the need for collaboration with external partners. The enclosure of company data within a secure perimeter is no longer sufficient. Given the flexible and dynamic ways in which data is accessed and shared, it’s crucial to implement a measure or a combination of measures that protect data across all scenarios to prevent security gaps.
Enterprise Digital Rights Management (EDRM) is recommended as a potent solution for companies aiming to deter data theft. EDRM is a versatile and powerful tool in the fight against data theft.
Persistent Protection: It secures data consistently, regardless of where the data resides or with whom it is shared.
Granular Access Control: EDRM allows organizations to define who can view, edit, print, or forward a file, providing fine-grained control over data handling.
Audit Trails: The ability to track and log all actions performed on data enables better regulatory compliance and forensics in the event of a security incident.
EDRM differs from other tools in that it focuses on the data itself rather than the environment or infrastructure, making it uniquely suited to the modern, perimeter-less landscape where data mobility is a given.
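To make the three properties above concrete, here is a minimal model of a rights policy that travels with a file, added as an illustration and not SealPath's product, API or file format. The class and function names, the time-limited grants, the revocation call and all users, locations and file names are assumptions constructed for the example; it covers only the access decision and the audit log, not encryption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# The four actions named in the text above.
RIGHTS = {"view", "edit", "print", "forward"}


@dataclass
class Grant:
    rights: frozenset
    expires: Optional[datetime] = None  # assumption: grants may be time-limited


@dataclass
class ProtectedFile:
    """Hypothetical model: the policy and the log belong to the file, not to a network."""
    name: str
    owner: str
    grants: dict = field(default_factory=dict)  # user -> Grant
    audit: list = field(default_factory=list)   # append-only decision log

    def grant(self, user, rights, expires=None):
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self.grants[user] = Grant(frozenset(rights), expires)

    def revoke(self, user):
        # Assumption: the owner can withdraw access after the file was shared.
        self.grants.pop(user, None)

    def _decide(self, user, action, now):
        if action not in RIGHTS:
            return False, "unknown action"
        if user == self.owner:
            return True, "owner"
        g = self.grants.get(user)
        if g is None:
            return False, "no grant"  # default deny
        if g.expires is not None and now >= g.expires:
            return False, "grant expired"
        if action not in g.rights:
            return False, "right not granted"
        return True, "granted"

    def request(self, user, action, location, now):
        # Every attempt is logged, allowed or not; the location is recorded
        # for forensics but never used in the decision.
        allowed, reason = self._decide(user, action, now)
        self.audit.append({
            "time": now.isoformat(), "file": self.name, "user": user,
            "action": action, "location": location,
            "allowed": allowed, "reason": reason,
        })
        return allowed


def denied_attempts(pf):
    """Forensic view of the audit trail: who was refused what, and why."""
    return [(e["user"], e["action"], e["reason"]) for e in pf.audit if not e["allowed"]]


def demo():
    # Constructed sample data.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    bob, eve, carol = "bob@partner.example", "eve@unknown.example", "carol@partner.example"
    doc = ProtectedFile("pricing.xlsx", owner="alice@corp.example")
    doc.grant(bob, {"view", "print"}, expires=t0 + timedelta(days=7))

    results = [
        doc.request(bob, "view", "partner-laptop", t0 + timedelta(hours=1)),
        doc.request(bob, "forward", "partner-laptop", t0 + timedelta(hours=2)),
        doc.request(eve, "view", "personal-mail", t0 + timedelta(hours=3)),
    ]
    doc.grant(carol, {"view"})
    results.append(doc.request(carol, "view", "home-pc", t0 + timedelta(days=1)))
    doc.revoke(carol)
    results.append(doc.request(carol, "view", "home-pc", t0 + timedelta(days=2)))
    results.append(doc.request(bob, "view", "partner-laptop", t0 + timedelta(days=8)))
    return doc, results


if __name__ == "__main__":
    doc, results = demo()
    print(results)
    for row in denied_attempts(doc):
        print(row)
```

The decision never consults the location, which is the sense in which the control follows the data rather than the perimeter, and the refused attempts remain in the log for later investigation.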
The gravity of data theft cannot be understated, posing immediate and long-term threats to a company’s operational integrity and its survival. Securing data transcends a simple technical requirement; it is a critical investment in the future of the business. The necessity of investing in prevention measures is paramount, given the complex landscape of threats. Organizations must adopt a comprehensive approach to protect their invaluable data assets, ensuring security across all possible scenarios and contexts.
Choosing the right tools to protect data is a significant decision for any organization. With a wide array of security tools available, making an informed choice that aligns with the specific needs and operational framework of a business is crucial. The effectiveness of a data protection strategy significantly depends on selecting tools that are adaptable, scalable, and well-suited to the unique challenges faced by the business.
If navigating the selection of optimal data protection measures feels overwhelming, SealPath is at your service. We provide personalized and detailed advice, guiding your business toward implementing the best security practices and tools. Contact SealPath here for a consultation, and embark on a journey to ensure your company’s future is protected against the dangers of data theft.
About SealPath
SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
“We all agree that data is fundamental to an organization today. Without data, we lack the ground,” said João Arriaga, Country Manager at SealPath, in his speech on the Technical Tracks stage, where he also stressed the central importance of data for the operation and survival of companies.
In an insightful session at the annual IT Security Conference in Lisbon, SealPath once again demonstrated its commitment and leadership in innovative data protection solutions. Entitled “The Importance of Identifying the Most Risky Data in an Organisation”, our expert João’s presentation highlighted the emerging challenges and dynamic strategies for achieving robust data security in today’s business environment.
This year’s conference, which brought together top professionals and thought leaders in cybersecurity, provided the perfect backdrop for SealPath to articulate how advanced, data-centric security measures can profoundly shield and protect organizational data across all platforms. Our session, particularly noted for its depth and clarity, was also featured in the IT Security’s magazine article.
Reflecting on the event, Luis Ángel del Valle, CEO of SealPath, noted, “Our participation in this year’s IT Security Conference was yet another opportunity to share insights with our peers and demonstrate SealPath’s deep commitment to evolving data protection standards. We are pleased to provide thought leadership that resonates within the cybersecurity community.”
IT Insight Security appears in a context of accelerated digital transformation and, at the same time, growing vulnerability to cybercrime, with a different and innovative perspective. It is a publication born in the digital world, conceived from scratch for this new reality and which will combine a rigorous factual approach with an analysis of the market and the strategic and leadership challenges required to meet this growing challenge.
Understanding the impact of data breaches on businesses is crucial for managing both financial and reputational risks effectively. Recent statistics demonstrate the severe repercussions these security incidents can have. According to IBM’s 2024 Cost of a Data Breach Report, businesses face an average cost of $4.88 million per incident, marking the highest level in 19 years. This rising trend underlines the escalating challenges and sophisticated nature of cyber threats. Moreover, the Verizon 2024 Data Breach Investigations Report provides additional insights, indicating that 68% of breaches have a human element involved, such as phishing or misuse of privileges, which highlights the critical need for comprehensive employee training and robust cybersecurity measures.
Additionally, the recovery time from these incidents is substantial, with businesses often taking months, if not years, to fully recover their operations and reputation. For example, breaches involving high-value data such as personal identification information or proprietary secrets not only escalate immediate costs but also lead to long-term losses in customer trust and potential legal repercussions. These insights underscore the importance of developing and maintaining an effective data breach response plan to mitigate risks, ensure compliance, and protect corporate assets. Reflecting upon the high-profile breaches at Equifax and Marriott, one sees vividly the tremors of neglecting an efficient response plan—extended legal battles, staggering financial losses, and a tarnished reputation that takes years to mend.
A Data Breach Response Plan is your company’s strategic playbook—think of it as a fire drill for cybersecurity. It’s your step-by-step guide to tackle and recover from data emergencies. Just as a captain has a plan for stormy seas, this plan is your guide through the tumult of digital crises. When Adobe suffered a major breach impacting 38 million users, their well-orchestrated response plan was immediately activated. They were quick to secure compromised accounts, notify affected users and provide clear instructions on how to protect themselves, effectively minimizing potential fallout.
A Data Breach Response Plan isn’t just a safety net; it’s an essential blueprint, where data breaches are not a matter of if, but when. Championed fervently by critical bodies like the U.S. Federal Trade Commission (FTC) and underscored by a consortium of cybersecurity experts worldwide, crafting a meticulous response strategy is the linchpin in securing digital fortifications.
Consider this: The Ponemon Institute’s 2021 report found that companies equipped with robust incident response teams and a well-orchestrated plan curbed their financial bleeding by approximately $1.2 million compared to their less-prepared peers. Moreover, stringent regulations such as Europe’s General Data Protection Regulation (GDPR), Network and Information Security Directive (NIS2), or Digital Operational Resilience Act (DORA)… don’t just advise but mandate a swift response following data breaches.
Creating a comprehensive Data Breach Response Plan involves a multi-faceted approach, meticulously designed to protect not just data, but the very integrity of your organization. Key entities like the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) offer robust guidelines to craft a plan tailored for resilience. We know that the role of the CISO, faced with the daunting task of creating a data breach response plan, can seem like navigating a maze without a map. Let’s simplify this journey with a roadmap to build the plan, ensuring each step is clear and actionable:
Data Mapping: Understand where your data resides and how it flows through your organisation. This knowledge is critical to identifying potential vulnerabilities and planning containment strategies. Then determine what data you need to protect. Inventory digital assets to understand where vulnerabilities may exist. Watch the webinar we recorded to help address this issue and identify the data most at risk.
Defining the Output Format: Your plan should be easily accessible and understandable. Opt for a format that can be dynamically updated and shared across your organization. Tools like Microsoft Word or Google Docs are universally accessible and allow for collaborative editing. However, some prefer specialized software or Microsoft Teams for more integrated incident response functionalities.
Assembling Your Team: Crafting a comprehensive plan is not a solo mission. You’ll need a task force that includes, but is not limited to:
IT Staff: To manage technical containment and eradication.
Legal Counsel: To address compliance and regulatory matters.
Human Resources: To handle communication with affected employees.
Public Relations: To manage external communication and protect the company’s brand.
Engaging with external consultants, especially if your enterprise lacks in-house expertise, can fortify your strategy with seasoned insights.
Notification Channels: Pre-plan how to communicate in the event of a breach. This includes internal notifications to executives and teams, and external communications to affected customers and regulatory bodies.
Here’s a breakdown of the 5 key components that should shape your plan:
Preparation: The cornerstone of any response plan. This involves identifying your critical assets, understanding potential threats, and training your response team.
Detection and Analysis: Implementing tools and procedures to detect breaches quickly and accurately assess their impact.
Containment, Eradication, and Recovery: Steps to limit the breach’s spread, eliminate the threat, and restore systems to normal operations.
Post-Incident Activity: Reviewing and learning from the incident to bolster future defenses.
Communication Plan: Establishing protocols for internal and external communication, including regulatory bodies and affected parties.
Preparation is the bedrock of an effective Data Breach Response Plan, requiring a multifaceted approach to ensure readiness for a cybersecurity incident. It encompasses understanding your organization’s unique risks, assets, and capabilities to respond effectively to data breaches. Key aspects to cover:
Risk Assessment: Begin by identifying and evaluating the risks that pose the greatest threat to your organization. This includes understanding the types of data you hold, how it’s used, and the potential impact of a breach on your operations.
Asset Inventory: Create a comprehensive inventory of all your information assets across the organization. Knowing where sensitive data resides and how it’s protected is crucial for rapid response.
Roles and Responsibilities: Clearly define the roles and responsibilities within your response team. This should include internal stakeholders from IT, HR, legal, and communications departments, as well as external partners like cybersecurity firms and legal counsel.
Training and Awareness: Conduct regular training sessions and simulations for your incident response team and staff members. Familiarity with the response plan and understanding their role in a breach scenario is key to a successful response.
Response Toolkit: Assemble a toolkit that includes contact lists for key team members and external partners, templates for breach notifications, and checklists for response actions. This ensures that necessary tools are readily available during an incident.
Detection and Analysis are critical to swiftly identifying and understanding the extent of a data breach, which directly impacts your organization’s ability to respond effectively. Key aspects to cover:
Detection Tools and Technologies: Invest in advanced cybersecurity tools that offer real-time monitoring and detection capabilities. These include Data-centric Solutions with monitoring controls, intrusion detection systems (IDS), security information and event management (SIEM) systems, and endpoint detection and response (EDR) solutions. Ensure these tools are properly configured to recognize threats relevant to your organizational context.
Threat Intelligence: Utilize threat intelligence services to stay informed about the latest cybersecurity threats and vulnerabilities. This information can help you adjust your detection systems to new threats and reduce false positives.
Analysis Procedures: Develop a structured approach for analyzing detected threats. This should include initial assessment criteria to determine the scope and severity of an incident, and detailed procedures for further investigation. Ensure your team knows how to quickly gather and analyze data from various sources within your network.
Training and Simulations: Regularly train your analysis capabilities on current threats and practice incident analysis through simulations. This ensures that when a real incident occurs, your team can efficiently assess and escalate the situation based on a well-understood set of indicators and procedures.
Communication Protocols: Establish clear communication lines within your response team and with external stakeholders. Quick and accurate communication is key to effective analysis and subsequent response.
Focusing on Detection and Analysis allows your organization to minimize the time between breach occurrence and detection, significantly reducing potential damages. This phase requires ongoing investment in tools, training, and processes to adapt to the evolving cybersecurity landscape.
Containment, Eradication, and Recovery are crucial phases for controlling the impact of a breach, removing threats, and restoring normal operations. Key aspects to cover:
Containment Strategies: Firstly, devise short-term and long-term containment strategies. The immediate goal is to isolate affected systems to prevent further damage while maintaining business operations. This could involve disconnecting infected machines, applying emergency patches, or adjusting access controls.
Eradication Measures: Once the breach is contained, focus on completely removing the threat from your environment. This involves thorough malware removal, system cleanups, and security gap closures. Ensure all malware is eradicated and vulnerabilities are patched to prevent re-entry.
Recovery Plans: Develop comprehensive plans for returning to normal operations. This includes restoring data from backups, reinstating network operations, and ensuring all systems are clean before reconnecting to the network. Validate the integrity of your data and systems before bringing them back online.
Post-Incident Review: After recovery, conduct a detailed review of the incident to identify lessons learned and areas for improvement. Adjust your incident response plan based on these insights to strengthen your defenses against future attacks.
Communication: Throughout these phases, maintain transparent communication with stakeholders. Inform them of the breach’s impact, what steps are being taken, and expected recovery timelines.
A well-structured approach to Containment, Eradication, and Recovery minimizes downtime and mitigates the impact of a breach. It necessitates detailed planning, including the establishment of clear procedures, roles, and communication protocols to ensure a coordinated and effective response.
Post-Incident Activity is the final phase in incident response, focusing on learning from the incident and refining future defenses. Key aspects to cover:
Incident Documentation: Fully document each incident, detailing the nature of the breach, how it was detected, the steps taken during containment, eradication, and recovery, and the effectiveness of the response. This documentation is crucial for legal, regulatory, and improvement purposes.
Root Cause Analysis: Perform a thorough analysis to determine the underlying cause of the incident. This will help in identifying and fixing systemic issues that may not be apparent at first glance.
Lessons Learned Meeting: Hold a meeting with all key stakeholders involved in the incident to discuss what was done effectively and what could be improved. This session should be constructive, focusing on enhancing the security posture and response processes.
Update Incident Response Plan: Based on insights gained from the incident review and lessons learned, update the incident response plan. This should include adjustments to policies, procedures, and security measures.
Training and Awareness Programs: Use the details of the incident to update training and awareness programs. This helps in educating employees about new threats or errors that led to the recent breach, effectively turning the incident into a learning opportunity.
Review and Test: Regularly review and test the updated incident response plan to ensure its effectiveness. Simulated attacks can be very useful in keeping the response team ready and alert.
Post-Incident Activity not only aims to rectify faults that led to the incident but also strengthens the organization’s overall security stance. It is an opportunity for growth and enhancement of security measures and protocols, ensuring better preparedness for any future incidents.
The Communication Plan is a vital component of incident response, dictating how information about an incident is conveyed within the organization and to external parties. Key aspects to cover:
Internal Communication Protocol: Define who needs to be notified within the organization, how to contact them, and the information to be communicated. This includes setting up a chain of command and specifying roles.
External Communication Strategy: Prepare templates and protocols for external communication. This includes stakeholders, customers, partners, media, and regulatory bodies. Being transparent and prompt in your communications can help manage the narrative and maintain trust.
Regulatory Compliance: Be aware of legal and regulatory requirements regarding breach notification. Different jurisdictions may require different information to be shared at specific times.
Spokesperson Appointment: Designate official spokesperson(s) trained in dealing with the public and media to ensure a consistent, controlled message.
Sensitive Information Protection: Establish guidelines to prevent unauthorized disclosure of sensitive incident details that may exacerbate the situation or reveal too much to potential attackers.
Status Updates Schedule: Plan for regular updates to affected parties to keep them informed about progress and resolution.
The Communication Plan should be clear, concise, and adaptable, accounting for various scenarios and audiences. Effective communication is crucial for managing an incident smoothly and maintaining the organization’s reputation.
Crafting a meticulously detailed response strategy should not merely be considered a compliance obligation but a proactive measure to shield your organization’s assets and reputation. Let’s explore, shall we?
Immediate Identification and Analysis: The early moments following the discovery of a breach are critical. For example, when Equifax was hit in 2017, rapid identification helped them scope the enormity, affecting 147 million individuals, and underscored the urgency of quick action.
Decisive Containment: This dual-phase effort entails short-term actions to stop the breach’s spread, followed by a longer-term strategy to ensure stability. Recall how Target, back in 2013, swiftly removed the malware infecting their POS systems to halt further data loss affecting millions.
Thorough Eradication: After containment, it’s imperative to find and fix the root cause. Sony’s 2014 encounter with a massive cybersecurity attack prompted an exhaustive eradication of the infiltrating malware.
Careful Recovery: Reinstating functional integrity and securing breached systems is critical. After its 2016 breach, Yahoo! revamped its security measures significantly, deploying advanced encryption across user accounts.
Transparent Notification: Trust is the lifeblood of customer relations. Compliance with laws such as GDPR, which mandates breach notification within 72 hours, is not just about legality; it’s about maintaining customer trust and transparency.
Insightful Post-Incident Analysis: After addressing immediate threats, it’s vital to analyze the breach comprehensively to prevent future occurrences. Marriott’s creation of a dedicated resource center in response to their 2018 breach played a crucial role in restoring customer confidence.
Each of these steps, woven into your incident response plan, acts as a critical defense mechanism and learning tool. Review your existing plans, consider these principles, and fortify your organization’s preparedness. Let’s turn each incident into a stepping stone toward stronger, more robust cybersecurity defenses. Shedding light on vulnerabilities can transform them into powerful lessons in safeguarding our digital frontiers.
Embarking on the journey to craft a Data Breach Response Plan? Let’s navigate this path together, outlining a step-by-step checklist. Remember, it’s not just about having a plan; it’s about having a smart, comprehensive strategy.
Initial Analysis and Preparations:
Assess Your Data Landscape: Understand where your critical data resides.
Risk Assessment: Evaluate potential vulnerabilities and threat vectors.
Team Assembly: Form your Data Breach Response Team (DBRT), a mix of IT, legal, PR, and HR.
Plan Development:
Define Procedures for Identification and Analysis: Establish protocols for detecting breaches.
Containment Strategies: Develop short-term and long-term containment plans.
Eradication and Recovery Tactics: Clearly outline how to eliminate threats and recover systems.
Notification Framework: Determine how and when to communicate the breach.
Post-Incident Review Plan: Set up a debriefing procedure to learn from the breach.
Practical Steps toward Completion:
Document Everything: From your planning steps to the actual procedures, make sure it’s all written down.
Train and Drill Your Team: Regularly drill your response plan with your team to ensure everyone knows their role inside out.
Review and Update Regularly: Make it a living document that grows with your organization.
Engage with External Partners: Consider involving cybersecurity experts to review your plan.
Imagine this: following a security breach, a financial institution implements a data breach response plan but soon discovers gaps due to overlooked employee feedback during simulations. By integrating this feedback, they significantly reduce their incident response time in future breaches. This story underscores a core truth: every incident, simulation, and feedback session is gold dust. It provides invaluable insights that, when woven into your existing plan, fortify your defenses and enhance your team’s operational readiness. Actionable steps:
Establish Regular Review Sessions: Schedule quarterly or bi-annual sessions to solicit feedback from all stakeholders involved in the breach response.
Create a Feedback Loop: Encourage continuous communication within your team to report any practical challenges or suggestions for improvements.
Simulate to Innovate: Regularly test your plan under varied simulated breach scenarios to ensure all team members’ inputs lead to real-time improvements.
Now, pivoting to technology—your commitment must not waver here either. Consider data-centric security solutions; these are designed not just to protect perimeters but to shield the data itself, regardless of where it resides. As threats evolve, so too should your technology stack. For instance, incorporating advanced encryption methods and adopting stricter access controls can effectively secure sensitive documents at rest, in motion and in use, making data unreadable to unauthorized users.
We can look to industries such as healthcare or finance, where data-centric security protocols are not just enhancements but necessities. Technologies like Enterprise Digital Rights Management, Data Loss Prevention and Cloud Access Security Brokers tools serve as testaments to how embracing new technologies can provide not only defense but also a competitive edge. You can carry out some actions such as:
Regular Technology Audits: Conduct these audits to evaluate the effectiveness of current tools and identify areas for technological adoption or upgrades.
Partnerships with Tech Pioneers: Collaborate with tech firms and security innovators to stay ahead of the curve and integrate cutting-edge solutions.
Staff Training on New Technologies: Ensure that your team is not just equipped with the best tools but also trained to utilize them effectively.
Each step in refining your Data Breach Response Plan, each integration of fresh technological solutions, adds a layer of strength to your organizational safety net.
In the realm of data security, identifying which information is your ‘crown jewels’ is paramount. These critical data sets – be it personal customer information, proprietary technologies, or financial records – demand heightened security measures to shield them from cyber threats.
Therefore, an up-front analysis of all data assets, their lifecycle, where they are stored, how they are shared, what type of data they are, their level of sensitivity and with whom they are shared, will greatly facilitate the task of establishing appropriate protocols and policies. Once we get down to implementing what we have planned, it is time to look for the right technology to make it easier to follow the protocols, and one of the options that does this best is SealPath.
SealPath is the ultimate solution for identity and access management and encryption. It offers unparalleled flexibility and advanced protection that travels with the files wherever they go. Data is encrypted in three states: at rest, in transit, and in use. Its granular permissions allow you to block unauthorised users or actions with precision.
This solution provides complete visibility over your data and the power to detect unauthorised access. It offers monitoring and rapid response to ensure you comply with your data breach response plan. Imagine SealPath as your digital sentinel, vigilantly monitoring data flows and user interactions to detect anomalies that signal potential breaches. SealPath equips you with the tools needed for a rapid response, minimizing impact and swiftly remediating threats. Moreover, it plays a crucial part in continuity planning, ensuring that your business remains resilient, bouncing back with minimal downtime in the aftermath of an attack.
Here is how the solution stands out:
Permanent Access Control: Restrict access to files by controlling which users can access them, what they can do, and when and from where.
Automatic and Transparent Protection: Enable a protection applied to files every time they are copied, moved, or uploaded to folders, without requiring continuous manual actions.
Threat Detection and Identification: View which users access information and their activity for full traceability. Receive alerts with suspicious accesses and analyze detailed reports.
Immediate Response and Remediation: Revoke access to users at any time or block a specific document in the event of suspicious actions. Change permissions on the fly.
In wrapping up our discourse on the imperative of sculpting a meticulously crafted data breach response plan, let’s not forget this is more than just a box-checking exercise. It’s akin to mapping the blueprints for a fortress; every wall, tower, and gate designed not just for strength but for resilience in the wake of an attack. Crafting such a plan should be a dynamic journey, one that continually evolves as new threats emerge and old ones adapt.
It’s about creating a culture of security mindfulness within your organization, where each member becomes a vigilant guardian. Imagine instilling such a robust defense mechanism that, when threats loom, your team responds with precision and confidence, mitigating risks and minimizing damage. This is the true essence of a powerful data breach response plan.
Threats can be relentless and rapidly evolving in their complexity, but with SealPath you’ll be prepared, equipped with an arsenal of cutting-edge tools designed to protect your data against these threats, and easily aligned with the protocols of your data breach response plan.
Contact SealPath here for a personalized consultation and see SealPath in action. Together, we will explore the depths of its capabilities, tailor a data protection strategy to your specific needs, and demonstrate how SealPath operates in the real world.
About SealPath
SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Data security issues, challenges, risks and concerns faced by businesses and CISOs. Learn SealPath’s recommendations for laying a foundation for enduring resilience and adaptability, and explore the critical role of CISOs in navigating these challenges.
1. What are the primary data security risks businesses face today?
In today’s digital landscape, businesses face rising data security risks. Based on the 2023 Cyberthreat Defense Report, the core threats include phishing attacks, ransomware, and insider threats. Increasingly, risks associated with remote work and ‘Bring-Your-Own-Device’ (BYOD) policies are emerging. Security breaches due to system vulnerabilities are also common. Each of these risks presents unique challenges.
1.1 Emerging Threats: Sources and Insights
Current research underscores noteworthy shifts in data breach patterns. Insiders, both malicious and unintentional, have become key contributors to data compromise. Studies also demonstrate a rise in breaches due to misconfigured cloud storage, underscoring the need for tighter control and monitoring. Furthermore, supply chain attacks are gaining traction, with attackers exploiting third-party data access to infiltrate systems. Ransomware continues to evolve, with attackers increasingly exfiltrating data before encryption to exert additional pressure. All these heighten the need for more vigilant and diverse data protection measures.
1.2 Incorporate a Proactive Security Mindset
Businesses should prioritize ongoing education, embedding awareness of data risks into every layer of the organization. Regular training sessions significantly reduce susceptibility to phishing attacks, a leading cause of breaches. Empowering employees to report potential security issues without fear promotes an environment of vigilance.
Implementing a ‘security by design’ approach to projects ensures data protection is considered from the start, rather than as an afterthought. These strategies foster a mindset where security is everyone’s responsibility and can greatly help overcome users’ reluctance to use new technologies or to change the way they work in certain daily tasks.
2. How can businesses protect against ransomware and data breaches?
As experts in data protection, we value tested approaches to counter ransomware and data breaches. Three champion methods include: proactive data protection, regular monitoring, and robust user education. These methods have proven effective time and again. Beyond providing security, they also offer peace of mind and resilience.
In a ransomware attack, once inside the system, the hacker encrypts the data and demands a ransom for restoration. This can lead to downtime, revenue loss, and reputational damage. Data breaches usually occur when unauthorized individuals gain access to sensitive data of any type. This can have severe implications such as hefty fines and significant erosion of customer trust. This landscape accentuates the value of robust data protection measures.
2.2 Implement Advanced Data Protection Solutions and Awareness
To fortify against data breaches and ransomware, integrating advanced data protection is key. These solutions, such as Enterprise Digital Rights Management, are designed to preemptively protect data and neutralize threats, leveraging cutting-edge technology to offer a robust shield for sensitive data. Coupled with this, fostering an information security awareness culture in which users across all company tiers are involved in keeping information secure amplifies resilience.
Statistics from IBM’s Cost of a Data Breach 2023 report affirm that organizations with strong security awareness were 30% less likely to experience a data breach. This dual strategy not only safeguards data but also nurtures a proactive security mindset, underscoring the commitment to data protection excellence.
3. What strategies should be deployed to secure data with remote workers and BYOD risks?
In addressing the challenges of remote work and BYOD (Bring Your Own Device), prioritizing data security is paramount. Key approaches include implementing robust encryption and data-centric solutions, ensuring secure connections via VPNs, and embracing comprehensive endpoint security solutions. Moreover, establishing clear policies enhances compliance. These strategies, rooted in proven practices, not only protect sensitive information but also support productivity and flexibility, adapting to the reality of the organization’s needs.
3.1 Addressing the Challenges of Remote Access and Collaboration
Addressing the challenges of remote access and collaboration demands strategic measures to prevent data exfiltration. A robust approach includes the use of secure virtual private networks (VPNs) and multi-factor authentication (MFA) for enhanced security, significantly reducing unauthorized access.
Additionally, data encryption ensures the integrity and confidentiality of information even if it is intercepted, regardless of the device, network, or endpoint. Information rights management tools play a crucial role here. In simple terms, they combine identity and access management with encryption, but with greater flexibility, facilitating secure collaboration inside and outside the network. This is especially important when the data has been downloaded from cloud storage, sent via email, or copied to a flash drive. In these cases, the files must stay protected while collaborators are working with them, so that the collaboration remains secure and recipients don’t use the information given for their own benefit. Encryption has the highest impact, lowering breach costs by an average of $360,000, according to the IBM report.
4. How can businesses ensure compliance with global data protection regulations?
Navigating global data protection regulations involves understanding key frameworks like the GDPR in the EU, which sets a precedent for data privacy, the CCPA in California providing consumer privacy rights, and emerging regulations like China’s PIPL that align with evolving global standards.
As trends indicate, a proliferation of data protection laws is occurring globally, emphasizing accountability, resilience, and privacy rights. The trend reflects a collective move towards a more secure data landscape. It is worth mentioning that new cybersecurity regulations have emerged that highlight the need for information protection measures in some of their sections.
4.1 The cost of non-compliance
Successfully complying with regulations goes beyond just financial aspects and involves navigating complex legal and ethical considerations. The consequences of non-compliance with cybersecurity and data protection laws extend significantly. They encompass not only substantial fines, which, for GDPR violations, can reach up to €20 million or 4% of annual global turnover, but also irreparable reputation damage.
Consumers’ trust, once eroded, demands immense efforts to rebuild. This perspective underscores the importance of seeing compliance as an investment. Proactive measures not only mitigate financial risks but also position businesses as trustworthy, reliable entities in their customers’ eyes, enhancing long-term success.
4.2 Address Legal and Regulatory Compliance in Depth
Navigating the global regulatory landscape requires a strategic, informed approach to ensure legal and regulatory compliance across jurisdictions. This involves a thorough analysis and understanding of each relevant regulation, such as GDPR, CCPA, CMMC and NIST 800-171, PIPL, SAMA, DORA, NIS2 and CIS Security Control 3, among others. A proactive strategy includes regular compliance audits, data protection impact assessments, and staff training programs. Emphasizing transparency in data processing activities and establishing clear data handling policies also play a crucial role.
Moreover, appointing a dedicated data protection officer (DPO) can provide valuable oversight in complex regulatory environments. This comprehensive approach not only ensures adherence to diverse legal frameworks but also underscores a commitment to safeguarding data privacy and security, ultimately enhancing trust and value for stakeholders.
5. Insider threats, how can CISOs mitigate them?
Insider threats, both inadvertent and deliberate, pose significant risks to data security. These include careless handling of sensitive data, falling victim to phishing, or misuse of privileged information. The 2023 Insider Threat Report from Cybersecurity Insiders highlights that 74% of organizations are at least moderately vulnerable to insider threats. Identifying the potential sources of these threats is a pivotal step toward building a comprehensive defense strategy.
5.1 Insider threats and their impact on Data Security
Identifying the spectrum of insider threats involves recognizing both unintentional actions and deliberate intents that compromise sensitive information. This broad range includes inadvertent data exposure due to negligence, such as unsecured storage or transfer of data, and malicious acts aimed at data theft or sabotage. For example, one case involved former Tesla employees leaking Personally Identifiable Information (PII) to a foreign media outlet.
The impact of such threats is multifaceted, leading to significant financial losses, reputational damage, and legal consequences. As the 2023 Cost of Insider Threats Report from Ponemon Institute reveals, insider threat incidents have risen 44% over the past two years, with costs per incident up more than a third to $15.38 million, underscoring the need for comprehensive security measures. Effective strategies encompass rigorous access controls, continuous monitoring, and fostering a culture of security awareness. This holistic approach not only mitigates risks but also reinforces an organization’s resilience against insider threats.
5.2 Enhance Focus on Zero Trust Approach
The Zero Trust approach, embodying the principle of ‘Trust Nothing, Verify Everything,’ is integral for mitigating insider threats. This paradigm shifts the focus from traditional perimeter-based security models to strict identity verification within an organization, irrespective of the user’s location. Key steps for implementation include:
Multi-factor Authentication (MFA) to ensure that access requests are authenticated, authorized, and encrypted.
Least Privilege Access to limit users’ access rights to only what is strictly required to perform their duties.
Micro-segmentation to create secure zones in data centers and cloud environments, thus limiting lateral movement.
Continuous Monitoring for unusual activity that could indicate insider threats.
According to the 2022 Cost of a Data Breach Report by IBM, organizations that had implemented a zero-trust approach saved an average of $1 million in the cost of a breach compared to those that hadn’t. By adopting Zero Trust, organizations not only enhance their security posture but also demonstrate a commitment to data protection, delivering value through proven cost-effective strategies.
6. How can businesses enhance their data breach response capabilities?
Optimizing data breach response capabilities is a proactive measure to minimize potential damage. Key recommendations include establishing an incident response plan, fostering regular training, implementing roles, involving external cyber security experts when required, and maintaining transparency with stakeholders post-incident. By actioning these strategies, we advance toward a more secure, resilient data ecosystem.
6.1 The importance of a proactive data breach response plan
The crux of business resilience in the digital age rests on a proactive response plan. Such a plan ensures prompt detection, containment, and mitigation of data breaches, pivotal to sustaining operations and minimizing disruption. A tailored response strategy encompasses defined roles and responsibilities, clear communication protocols, and regular updates to keep pace with evolving cyber threats.
IBM’s Cost of a Data Breach Report 2023 underlines that companies with an incident response team and extensive testing of response plans experienced $1.49 million less in breach costs compared to those without a plan. Implementing a robust response plan not only enhances the ability to navigate crises but is also a value-driven approach to protecting an organization’s integrity. Here is how to calculate the cost of a data breach.
7. Strategic Security Leadership and Governance
Leadership in strategic security and governance is pivotal for aligning data security with business objectives. Key recommendations include: integrating a culture of cybersecurity awareness at all levels, ensuring executive buy-in for cybersecurity investments, aligning security strategies with business goals, and regularly reviewing and updating security policies in accordance with emerging threats. These steps reinforce the value of data protection as a cornerstone of business continuity and growth.
Strategic leadership in security and governance stands at the forefront of protecting an organization’s most valuable assets. It requires a stringent governance model that embeds security into the DNA of company operations. For CISOs, the application of frameworks such as NIST and ISO 27001 is recommended to offer structure and clarity to security initiatives.
Aligning these initiatives with business goals ensures that security measures contribute to operational efficiency and business resilience. Evidence shows firms with strong security governance have fewer breaches and faster recovery times, demonstrating the value of strategic integration. Proactive engagement from leaders solidifies trust, nurtures a culture of security, and engenders confidence in the organization’s commitment to safeguarding data.
8. Third-Party Risk Management
Effective third-party risk management is critical in ensuring end-to-end data security. This begins with thorough due diligence, evaluating a vendor’s security posture alongside their data management protocols. Establishing detailed contract stipulations, such as a Data Processing Agreement (DPA), that specify data protection responsibilities and breach notification procedures is fundamental.
Continual monitoring of third-party compliance is non-negotiable, utilizing proven tools that provide real-time insights into potential risks. According to a Ponemon Institute study, cybersecurity incidents involving third parties are increasing and third-party data breaches are prevalent. Therefore, a diligent, ongoing third-party risk management process is not just a strategy; it’s an investment in maintaining robust data protection standards.
9. Data Security in Cloud Environments
Securing data within cloud environments is essential to safeguarding digital assets across various models such as public, private, and hybrid clouds, as well as SaaS applications. Employing robust encryption, both at rest and in transit, is a foundational step. Access should be stringently controlled. Regular security assessments and the implementation of cloud-native security features can provide layered defense strategies.
In a survey of nearly 3,000 IT and security professionals across 18 countries, more than a third (39%) of businesses experienced a data breach in their cloud environment in the last year, an increase on the 35% reported in 2022. This underscores the value of investing in advanced, cost-effective security measures that align with the dynamic nature of cloud environments, helping to maintain data integrity and trust.
10. A Data-Centric Security Approach
Leaning into a data-centric security approach serves as a powerful countermeasure to today’s expansive threat landscape. This approach necessitates security parameters be built around the data itself, ensuring protection, regardless of the data’s location or transit pathway. It involves the adoption of mechanisms such as data encryption and data loss prevention. A study by Forrester Research reveals that 43% of survey respondents indicate implementing a data-centric security approach as their top priority.
Key tools fostering a data-centric approach, like SealPath, help protect sensitive data. These proven tools provide immense value, enabling businesses to better safeguard their critical informational assets and avoid data breaches. Taking a data-centric path revolves around offering enhanced, cost-effective data protection.
11. Summary: The Imperative of Prioritizing Data Security
Prioritizing data security is not merely a strategic choice but a foundational necessity for any organization aiming to protect its most valuable asset: data. A deep understanding and proactive commitment are crucial in not only addressing but also anticipating and mitigating data security challenges. Key areas of focus:
Proactive Security Mindset.
Implement Advanced Data Protection Solutions and Awareness.
Secure data with Remote Workers and BYOD.
Ensure compliance with global data protection regulations.
Each point serves as a pillar in constructing a holistic data security framework. Prioritizing these elements not only fortifies an organization’s data protection capabilities but also propels it towards sustainable growth and resilience in the face of evolving cyber threats. Remember, in the realm of digital information, a data-centric security approach remains the cornerstone, essential for safeguarding the lifeblood of any modern organization.
Theft of trade secrets is more topical than ever. According to the United States Government, theft of American IP currently costs between $225 billion and $600 billion annually, and part of this stems from cyber attacks.
Technical documentation and CAD designs more shared than ever
The current trends in automation and data exchange in manufacturing technologies are responsible for the major transformation of the industrial sector known as Industry 4.0. The basis of the new smart industry entails thorough automation of factories, digitalization of the production processes and new communication channels. This increases the possibility of organized cyber-attacks since information that used to be kept inside the network security perimeter is now shared with various external systems and agents.
R&D investment in this sector is more important than ever before due to the rate of change and the need to adapt to the new environment. Digitalisation also means that there are more and more data in digital format that must be shared not only internally but also with partners, subcontractors, etc. The challenge is to maintain optimum communication processes while ensuring that the company’s intellectual property is safeguarded.
Industrial trade secrets. In the crosshairs of cyber attacks
Just in Europe there are about 2000 companies specialized in manufacturing that employ more than 30 million people directly. The sector is particularly prolific in terms of patenting and R&D.
If we look at how data leaks occur in companies, we see that a large part of them come from external suppliers (see Forrester’s Global Business Technographics Security Survey). Through a targeted attack on a partner, or through a security incident at a supplier, our information can be left unprotected, even though we have put in place measures within our organization to secure our working environment.
According to the “Data Breach Investigations Report” published by Verizon, in the manufacturing/industry sector the main actor behind an information leak is, in 93% of the cases, an attacker who comes from abroad to attack our company or a supplier, partner, etc., motivated by reasons of espionage in 94% of the cases. In fact, the most common type of data stolen in this sector, in 91% of the cases, is intellectual property and industrial secrets.
It is a complex sector: companies collaborate with a wide variety of suppliers and customers, and intellectual property has to travel outside the company. We can have visibility into what is happening with the data within the organisation, but this is much more complicated when it comes to tracing access to our information or protecting it throughout the supply chain.
IP leakage is more topical than ever, with accusations of IP theft between different countries. According to the U.S. government, as reported in this Forbes article, foreign theft of U.S. intellectual property costs between $225 million and $600 million annually, and some of this is derived from cyber attacks. We have also seen a huge global controversy in recent weeks over the possible theft of intellectual property from Covid-19 vaccine research, with the US, UK and Canada directly targeting Russian hackers.
In this context, it is critical to protect the intellectual property stored in digital format inside and outside the organization. The sensitive information can be found in various formats, from Word, Excel or PDF to images and, of course, CAD designs. A good deal of the company’s intellectual property is found in 2D and 3D CAD designs that must be shared both internally and with external collaborators. Protecting this information is vital to avoid the risk of leaks due to internal or external threats.
Customers expect that the information they share with their manufacturing and engineering suppliers will meet their information access control and protection criteria. A data-centric protection approach will comply with the strictest audit and protection policy criteria imposed by your customers.
What type of industrial information is at risk?
The following are examples of practical cases in which the data generated by manufacturing, energy, automotive and engineering companies etc. must be protected:
Support documentation containing details of components, that are exchanged with customers, suppliers or manufacturing partners.
Results from research that could be patented and that we store in all kinds of digital formats (Word, Excel, PDFs, etc.).
CAD designs created in tools such as AutoCAD, Dassault Systemes SolidWorks, Siemens NX, SolidEdge, etc., that contain details of components and are shared with internal and external recipients.
Data related to processes that may be exchanged with distributors in various markets.
Proposals made to customers to compete with other companies and which contain sensitive information on the company’s competitive advantages.
Internal quality guidelines that contain know-how related to the company’s production processes.
Compliance with customers’ protection audits and policies, ensuring that the data they share with you are audited and protected by access control.
“What makes SealPath very interesting is the possibility of revoking the privileges of user access to any file when it is no longer necessary, remotely and wherever the copy of that file is stored”
Vittorio Cimin. IT Manager – Bricofer
What can we do to protect our more sensitive files?
Below, we outline 6 steps that can be taken to protect our intellectual property and CAD files in our organization and throughout the supply chain:
1) Protecting intellectual property information sent by email to collaborators: One of the main forms of data sharing remains email. We continually send attachments with sensitive information to subcontractors, prospects, partners, etc. Applying rules to emails and attachments that allow us to control who accesses them, when, with what permissions (e.g. only viewing, editing, but not copying and pasting or printing, etc.) will help us keep our data under control, even if it is in the hands of the recipient.
2) Protect CAD designs and documentation in information repositories: In every company, sensitive documentation is stored in repositories such as File Servers, SharePoint, OneDrive, Box, Office 365, etc. Even if access controls are applied to the folder, we know that once downloaded we have lost control over them. It is necessary to have a protection that travels with the data so that, even if they have been downloaded, I can still have control over them in the same way I have when they are in the repository.
3) Protect the sensitive corporate data you share via collaborative work applications such as Slack or Microsoft Teams: These are an alternative communication channel to email and are becoming increasingly widespread for intra-corporate communication. Many sensitive files leave our repositories for these platforms, so we must not forget to apply protection to them when they travel by these means as well.
4) Protection of files downloaded from corporate applications: There are many applications developed internally in the corporations that allow exporting or downloading data in file format. Applying protection right at the moment the file is downloaded will help us have control over it wherever it travels.
5) Auditing information access: When it comes to our most sensitive CAD or document format files, it is important to see who is accessing them, with what permissions and at what time, or whether someone tries to access them without having permissions. Well managed, this information can alert us to possible information leaks.
6) Block/Revoke access to information in case someone should no longer have access: If I have stopped collaborating with a subcontractor, a partner, why should it still be able to access my information? Mechanisms should be used to “destroy” or remove these documents that these ex-partners have in their possession.
“The main benefit SealPath offers is the ability to protect the information that carries the most weight for the company. Knowing that we have control over it both inside and outside the organization is critical because it allows us to send it to third parties without risk.”
Alberto Solís. Planning and Strategy of Information Systems Manager. Prodiel
All of these protection measures can be applied with SealPath, which offers a data-centric approach to protection. SealPath allows you to protect your sensitive documentation and CAD designs regardless of their location. You can control who accesses them, when, and with what permissions (view the design or modify it, but not print it or save it unprotected).
In addition, you can set watermarks on the documentation so that, if someone tries to take a screenshot, it travels with the email address of the person who opened it, the IP address, and the date/time. You can also, for example, set expiration dates on documents and CAD drawings so that after an agreement or deadline has passed, only you have access to the documentation. Regardless of how you share your data or where you store it, you can keep control of it with SealPath, mitigating the risk of losing your intellectual property.
In the following articles we will show you specifically how SealPath can protect files in CAD formats, in the following applications:
CAD designs in .DWG, .DWF, .DWS, or .DWT format, managed in AutoDesk AutoCAD (Electrical, Mechanical, Civil, LT, etc.) or in applications such as TrueView.
AutoDesk Inventor 3D designs in .IPT, .IAM, .IDW, .DWG, or .IPN format so you can limit permissions on content (i.e. view and modify but not extract data)
Intellectual property contained in Siemens Solid Edge in .ASM, .DFT, .PAR, .PSM or .PWD formats. Check if someone can print it, export it, modify it and audit all accesses.
SealPath goes beyond the protection of information in office formats and offers a unique solution for the protection of trade secrets and intellectual property in the form of CAD designs. Find out how in upcoming articles or contact us directly for a CAD file protection demo.
About SealPath
SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Are you unsure whether a confidential document you sent, or want to send, from your Mac could be accessed by unauthorized people? Don’t worry: if you want to know how to protect PDF, Word, Excel, ZIP, Folders… from unauthorized access, you are in the right article. We will explain all the methods, their steps, and the advantages and disadvantages of each one.
Securing business data on Mac devices is essential yet challenging. Macs, while robust, face several data security risks. These include malware targeting unprotected systems, phishing attempts to snag sensitive information, loss or theft leading to data breaches, and internal threats stemming from unauthorized access. Ensuring the confidentiality and integrity of enterprise documents on macOS requires a vigilant, multi-layered approach to safeguard from these prevalent risks.
Encryption is vital for safeguarding sensitive information, ensuring that data remains secure and accessible only to authorized users. To protect and encrypt enterprise documents on macOS there are 3 methods:
Full Disk Encryption: This feature offers comprehensive encryption for all data on the disk, making it unreadable to unauthorized persons unless they have your password. You have the option to utilize FileVault, the most commonly used Full Disk Encryption (FDE) feature in macOS (it's free and built-in), or another tool from specialized vendors.
Password Protection of Documents: Individual documents can be encrypted with a password, providing an additional layer of security. This method is beneficial for documents shared across different platforms. This can be done for PDFs or images through the Preview App, for PDFs in the Print Dialog, with the built-in password protection of Pages, Numbers, Keynote, Word, Excel, and PowerPoint documents, or by choosing a vendor specialized in password encryption.
Enterprise Digital Rights Management (EDRM) Tool: EDRM secures sensitive information by controlling access and usage rights, offering a robust way to protect and manage enterprise documents across all devices regardless of the file’s location. Identity and access management + encryption + permissions management + Monitoring of accesses.
Each method provides a strategic approach to data protection, but we want to explain how they work as well as the best and worst of each one so that you are clear about which one to choose.
As FileVault comes integrated into the Mac and is the most used disk encryption, we will focus only on it. Enabling FileVault adds an extra layer of security, requiring a login password to access your data. It is important to note that you must be an administrator to configure FileVault. When you power it on, all data on your drive is encrypted; as you work, write, and edit new files, they are encrypted in real time.
To enable FileVault, follow these steps:
On the Mac, select Apple menu > System Preferences.
Click on “Security & Privacy” in the sidebar.
Scroll down to the FileVault section on the right.
Click Turn On.
A window will appear to select how to unlock the disk and reset the login password in case you forget it:
iCloud account: Click “Allow unlock my drive from my iCloud account” if you already use iCloud. Click “Set up my iCloud account to reset my password” if you do not use iCloud yet.
Recovery key: Click “Create a recovery key and do not use my iCloud account”. Write down your recovery key and keep it in a safe place. If you lose your key all the data on your disk will be lost.
Click on Continue and the system will start encrypting the disk. A bar will be shown with the remaining time.
*Your Mac must be connected to power for the encryption process to proceed. Encryption only takes place when the Mac is awake.
*Warnings to be taken into account:
If the Mac has multiple users, their information is also encrypted, and they unlock the encrypted disk with their login password.
Enabling FileVault also activates additional security features to ensure the protection of your Mac. For instance, when FileVault is enabled, you will be required to enter a password to log in if the Mac is in sleep mode or when exiting the screen saver.
A user whose account does not have FileVault enabled can log in to the Mac once another user with a FileVault-enabled account has started the Mac, logged in, and then logged out.
3.1 Benefits of full-disk encryption
Automated Encryption Process: Once the initial access is granted by users, encryption and decryption occur automatically during data write and read operations, requiring no further user intervention.
Adds a Security Measure: Data extraction is inhibited without the proper device password and corresponding encryption key, ensuring a high level of security.
Data Protection at rest: Safeguards data at rest by mitigating risks from potential cyber-attacks and securing data in cases of device loss or theft.
Efficiency: Outpaces manual and traditional encryption approaches in speed, fostering a more efficient workflow with minimal risk of human error.
3.2 Drawbacks of full-disk encryption
Performance Consideration: The process of encryption and decryption may impact data access speeds, especially during extensive virtual memory usage. For each data access, the authentication key is necessary to enable decryption.
Password Management: Users must remember their password and keep their recovery key safe. Without these, access to the device and data recovery becomes highly challenging, sometimes impossible.
In-transit Data Risks: The protection provided does not extend to data shared between devices or sent via email. Such data remains susceptible to unauthorized access, so an additional security solution is required.
All your information depends on one password: If your password is weak and is cracked, or is obtained by any spying method, all your information is permanently exposed.
Encrypting enterprise documents on a Mac ensures valuable business information remains secure when at rest, but when you need to share documents such as PDFs or Office files by email with colleagues or external parties, you can password-protect the documents and send them as you usually do. We are going to mention 5 ways to do it, using functions that are already integrated into macOS or tools that most of us already have.
Preview App: Easily apply a password to PDFs directly within the Preview app to prevent unauthorized viewing.
Print Dialog: Use the Print dialog for existing PDFs to add password protection without additional software.
iWork Suite: Secure documents, spreadsheets, and presentations in Pages, Numbers, and Keynote with built-in password features.
Microsoft Office: Implement password protection on Word, Excel, and PowerPoint files to safeguard sensitive data.
Other specialized Tools: A Google search will turn up numerous tools that specialize in traditional document encryption. Although each has its own peculiarities, interface, and additional settings, they are all based on password protection.
4.1 Steps to Password Protection Images and PDFs through the Preview App
You can protect PDFs or images using the Preview App by setting a password for opening the file. You can also set a password to control access to features such as printing, copying text, and adding annotations.
To do it, follow these steps:
In the app Preview, open the PDF file or image.
Choose File > then click on Export…
Change the format to PDF if it is not already selected by default.
Click on the Permissions button located at the bottom and perform any of the following operations:
- Set a password to open the file: Select “Require a password to open document”. Enter a password, then retype it to verify it.
- Set permissions: You can allow some actions, such as printing the document, copying its content, and more, without entering the owner password by checking the box next to each permission.
End the process by clicking on the “Apply” button and then click on Save.
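The open password and the permission checkboxes set above end up in the PDF's encryption dictionary, where the permissions are stored as bit flags in the `/P` entry. The following added example (not part of the original article) reads those flags so you can audit a protected PDF before sending it; the function names and the constructed sample fragment are assumptions, and the dictionary lookup is a simple heuristic for files protected with the standard password handler.

```python
import re

# Bit positions (1 = lowest bit) of the /P entry used by the PDF
# standard security handler, and the action each one permits.
PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy or extract text",
    6: "annotate and fill forms",
    9: "fill forms",
    10: "extract for accessibility",
    11: "assemble pages",
    12: "print in high quality",
}

# Meaning of the /V entry (encryption algorithm family).
ALGORITHMS = {
    1: "RC4, 40-bit key",
    2: "RC4, variable key length",
    4: "crypt filters (RC4 or AES-128)",
    5: "AES-256",
}


def find_encrypt_dict(pdf_bytes):
    """Return the raw object text holding the standard encryption dictionary."""
    for chunk in pdf_bytes.split(b"endobj"):
        if re.search(rb"/Filter\s*/Standard", chunk):
            return chunk
    return None


def _int_entry(chunk, key):
    """Read an integer entry such as /P -3900 from the dictionary text."""
    match = re.search(rb"/" + key + rb"\s*(-?\d+)", chunk)
    return int(match.group(1)) if match else None


def audit_pdf(pdf_bytes):
    """Report whether a PDF is encrypted and which actions /P allows."""
    if b"/Encrypt" not in pdf_bytes:
        return {"encrypted": False}
    chunk = find_encrypt_dict(pdf_bytes)
    if chunk is None:
        # Encrypted, but not with the password-based standard handler.
        return {"encrypted": True, "standard_handler": False}
    # /P is a signed 32-bit integer; mask it to read the individual bits.
    flags = (_int_entry(chunk, b"P") or 0) & 0xFFFFFFFF
    allowed = [name for bit, name in sorted(PERMISSION_BITS.items())
               if flags & (1 << (bit - 1))]
    return {
        "encrypted": True,
        "standard_handler": True,
        "algorithm": ALGORITHMS.get(_int_entry(chunk, b"V"), "unknown"),
        "revision": _int_entry(chunk, b"R"),
        "allowed": allowed,
    }


# Constructed sample: a fragment shaped like a protected PDF, with
# placeholder /O and /U values. It is not a complete, openable file.
SAMPLE = (
    b"%PDF-1.6\n"
    b"7 0 obj\n<< /Filter /Standard /V 4 /R 4 /Length 128 /P -3900\n"
    b"   /O <00> /U <00> >>\nendobj\n"
    b"trailer\n<< /Size 8 /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(audit_pdf(SAMPLE))
```

To check a real file, pass its bytes to the function, for example `audit_pdf(open("report.pdf", "rb").read())`, where `report.pdf` is a placeholder name.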
4.2 Steps to Password Protection Pages, Numbers, and Keynote Docs
Sometimes you want to share a document in editable form to work with colleagues or business partners. You can do this safely by password-protecting your Pages, Numbers, or Keynote documents: assign a password so that only those who know it can open the document.
To do it, follow these steps:
Open the document and choose “File” at the top of the screen > Set Password.
Please enter a password, enter it a second time in the Verify field, then click Set Password.
*Warning: There is no way to recover a password if you forget it. Be sure to choose a password that you will not forget or write it down in a safe place.
4.3 Steps to Password Protection Word, Excel, and PowerPoint Documents
We know that Office apps are the most used, especially at the enterprise level, so it is important to know how to password-protect Word, Excel, and PowerPoint files. As mentioned above, this method allows you to keep the document editable for future modifications.
To do it in Word, follow these steps:
Click the Review tab.
Then click Protect in the ribbon and choose Protect Document.
A dialog displays giving you options to password-protect a document for opening and modifying the document, as well as other permissions.
To do it in Excel, follow these steps:
Choose File > Passwords.
A small dialog is then displayed, where you can set a password to open the document and modify it.
To do it in PowerPoint, follow these steps:
Choose File > Passwords.
A small dialog is then displayed, where you can set a password to open the document, and another to modify it.
*Warning: There is no way to recover a password if you forget it. Be sure to choose a password that you will not forget or write it down in a safe place.
4.4 Benefits of Password Protection of Files
Simple and easy for anyone: Most of the methods we have seen here are simple to follow. You don't need complex steps or software; anyone with basic computer knowledge can do it.
Cost-free or cheap: You can protect documents without having to buy any software with the mentioned methods. Even if you want to use premium solutions they are usually accessible with a low budget.
Compatibility: Files are widely used and supported by most operating systems and applications, making it easy to share files with others regardless of the platform they are using.
4.5 Drawbacks when protecting files with a password
Offers Partial Security: You have to share the password with your recipient, and this is sometimes done by email, online message, or even a written note. This means that anyone who gains access to the recipient’s email account, device, online messaging platform, or note can view all the information contained in the password-protected documents. In some cases, if they steal the files, they can do whatever they want with them and cause damage.
Password Strength: The security also depends on the robustness of the password itself. If a weak password such as 123456789 or a date of birth is used, it can be easily cracked with malicious tools.
No Authentication: The recipient can secretly send the password and the files to whoever they want. You can't limit who can view the shared files; anyone with the password can access them.
Not efficient: Every time you want to share protected documents, you have to set a new password to keep your data safe and reduce the risks. You also need to send the password to recipients in a secure way. This process takes time, which can lead people to skip it for the sake of convenience.
Risk of Loss: You have to remember all your passwords or have them well saved on a password manager, an additional step. If you forget it, you lose access to files forever. There is no way to regain access.
5. Protecting Files with Enterprise Digital Rights Management in Mac
In simple terms, DRM is a combination of identity and access management and encryption, with traceability added. It offers advanced and robust protection that travels with the files wherever they go. The technology acts as if your files were always inside a transparent shielded box that only the people you choose can open. It is known for its granular permissions, blocking unauthorized users or actions. It controls who accesses the data, when, and with what permissions (read-only, edit, print, copy and paste, etc.).
For businesses, this technology is named E-DRM, and it offers features specifically designed for the enterprise. SealPath is one of the leaders in the market in this field and stands out for its usability and simplicity of use. As you may have seen, there are not many alternatives when you need advanced features or high security for macOS, and this is where SealPath plays an important role in protecting corporate data with robustness. Let’s look at the data protection process with our own tool so you can see its power at a glance.
5.1 Steps to EDRM protection of documents with SealPath
With SealPath Information Protector for Mac, you can protect any file using its agent in a few clicks. You can also set who can access the file, when, and with what permissions: View, edit, copy and paste, print. To protect files follow these steps:
Open the SealPath Information Protector for Mac.
Select a protection policy or create a new one. The protection policies are displayed as cards on the agent.
a) Creating a new protection policy: Click on the blue button on the top right “+ New protection”.
b) Editing an existing protection: Go to your desired protection policy and click on the pencil icon.
Enter the recipient’s email and their permissions. Save the protection.
Select the files you want to protect and Drag and drop them into the protection policy. You can also click over a protection policy (on the cards) and use Finder to select your files. With either of these methods, the protection will be immediately applied.
Share the files by any means: Email, Instant Messaging, etc.
To better understand how this technology works on a technical level: when a user requests to view content, the EDRM client checks the user’s permissions on the server for that particular file. If the user has the necessary permissions, they receive an End User License (EUL). This EUL defines the assigned permissions, and SealPath decrypts the content and applies those permissions accordingly.
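The license check described above, together with the auditing, revocation and expiration features mentioned earlier, can be sketched as follows. This is an added example and a simplified model, not SealPath's code or API: the class and function names and the sample addresses are assumptions, and decryption itself is left out, with the content key simply released inside the license.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import secrets


@dataclass
class Policy:
    grants: dict                       # user e-mail -> set of permitted actions
    content_key: bytes                 # key that would decrypt the protected file
    expires: Optional[datetime] = None
    revoked: set = field(default_factory=set)


@dataclass(frozen=True)
class License:                         # models the End User License (EUL)
    file_id: str
    user: str
    permissions: frozenset
    content_key: bytes


class PolicyServer:
    def __init__(self):
        self.policies = {}             # file_id -> Policy
        self.audit_log = []            # (timestamp, file_id, user, outcome)

    def protect(self, file_id, grants, expires=None):
        self.policies[file_id] = Policy(
            {user: set(perms) for user, perms in grants.items()},
            secrets.token_bytes(32), expires)

    def revoke(self, file_id, user):
        self.policies[file_id].revoked.add(user)

    def request_license(self, file_id, user, now):
        """Decide on one access request and record it, granted or not."""
        policy = self.policies.get(file_id)
        if policy is None:
            outcome = "unknown-file"
        elif user in policy.revoked:
            outcome = "revoked"
        elif user not in policy.grants:
            outcome = "denied"
        elif policy.expires is not None and now >= policy.expires:
            outcome = "expired"
        else:
            outcome = "granted"
        self.audit_log.append((now, file_id, user, outcome))
        if outcome != "granted":
            return None                # no license, so no content key
        return License(file_id, user, frozenset(policy.grants[user]),
                       policy.content_key)


def allowed(lic, action):
    """Client-side check: an action runs only if the license lists it."""
    return lic is not None and action in lic.permissions


def demo():
    """Constructed scenario: one partner, one stranger, then a revocation."""
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    deadline = datetime(2024, 2, 1, tzinfo=timezone.utc)
    server = PolicyServer()
    server.protect("design.dwg", {"partner@example.com": {"view", "edit"}}, deadline)
    lic = server.request_license("design.dwg", "partner@example.com", now)
    results = {
        "view": allowed(lic, "view"),
        "print": allowed(lic, "print"),
        "stranger": server.request_license("design.dwg", "other@example.com", now),
    }
    server.revoke("design.dwg", "partner@example.com")
    results["after_revoke"] = server.request_license(
        "design.dwg", "partner@example.com", now)
    return results, [entry[3] for entry in server.audit_log]


if __name__ == "__main__":
    print(demo())
```

Because every request goes through the server, the refused attempts appear in the audit log alongside the granted ones, and a revocation takes effect on the next license request.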
5.2 Benefits of EDRM Protection
Easy to use and Convenient: Protecting documents is so easy that you only have to drag and drop the files or select them in a folder picker. In less than a minute your file is protected, without complex steps. Anyone can do it, even users with basic computer knowledge.
Advanced and Granular controls: You can restrict specific actions, have more control over the documents, and adapt the protection for each use case. The security it offers is higher and therefore minimizes the probability of suffering a data breach or exfiltration.
Prevents Unauthorized Use of Content: You can see who is accessing your files and when. It allows you to detect suspicious actions.
Permanent Protection: Recipients can work with your files while the protection is active, even if they are on their PCs. They have to authenticate to access the files, so only those users you have specified can access them.
High Security: You can set expiration dates, watermarks, restrict by IP, and many other features that keep your files protected against any risk situation, so you keep control of your information with you at all times.
Native access in Office files: Almost all companies work with office files, and in this case, if they have been protected, access is agentless, natively. There is no need to install anything.
5.3 Drawbacks of an EDRM
Budget Allocation: It requires a budget and a willingness to invest in this type of security, although they are not expensive compared to other cybersecurity solutions. But for cases in which we have no resources to invest, it is a measure to be discarded.
Registration process for externals: When working with third parties, they must register in the system to be able to access the documents. Sometimes, external partners or collaborators are reluctant to take this extra step.
Use of agents to access non-Windows office files: In file formats such as PDFs or images that have been protected, it is necessary to install an agent to view the protected content.
6. Summary
Maintaining robust protection over business data should be a top concern. Mac devices are also being targeted by cyber threats, and it is clear that relying solely on their built-in defenses is insufficient. Organizations must adopt higher security measures if they don't want to suffer serious harm such as financial losses, reputation damage, or legal issues. Data leaks or fines for non-compliance with measures are constantly in the news.
While encrypting your entire disk with FileVault encrypts all data and renders it inaccessible to unauthorized users, it does not protect data during transit. Password protection for individual documents is a straightforward and accessible option but carries the risk of password sharing and potential losses if a password is forgotten.
However, the most robust and complete protection regardless of the location of the file is the EDRM. Solutions like SealPath offer granular controls, vastly reducing the exposure to unauthorized access and data breaches. Remember, the longevity, resilience, and success of your business may well depend on the security measures you put in place today.
Do not hesitate to contact our team here if you want further support addressing these data security measures.