Page 62 - Cyber Defense eMagazine for September 2020

businesses and governments worldwide.” Therefore, it is believed that more than 90% of an organization’s data is unstructured rather than stored in traditional databases. We know it exists and we know it is growing, but we also know that most businesses typically don’t take measures to protect it. Most feel it is a “hard to tackle” task to find unstructured data and get it under control and tamed, let alone protected.

Unstructured data is often overlooked because the risks associated with it are generally not taken into consideration. Those risks fall into two areas:

- Privacy or Industry Regulatory Compliance
- Intellectual Property Protection



Privacy or Industry Regulatory Compliance

When employees create files that contain sensitive information, copies of those files naturally proliferate. There will be multiple versions of the files, shared between employees via e-mail and network file shares. It’s rare that employees go back and delete these files later; anything sent via e-mail may be archived in .pst files, and file shares will be backed up to various media. This not only creates a larger attack surface, but adds significant complexity should an organization face litigation and discovery requests from data subjects. Organizations subject to the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) will struggle to satisfy data destruction demands and the “right to be forgotten”. If an organization handles cardholder data, it’s crucial to keep credit card numbers within Payment Card Industry (PCI) controls, something rarely applied to unstructured data due to cost and complexity.
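The first step in bringing cardholder data in unstructured files under PCI controls is finding it. The following discovery scanner is an added example, not code from the magazine: it walks a file share, flags 13 to 19 digit sequences that pass the Luhn check, and reports them masked to the first six and last four digits so the report itself does not become cardholder data. The `demo()` function scans a constructed directory with one exported spreadsheet and one log file containing look-alike numbers.

```python
import os, re, tempfile
# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (skips order IDs, timestamps, phone numbers).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
def luhn_ok(digits: str) -> bool:
    # Luhn check digit: discards most digit strings that are not card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    # Return Luhn-valid hits masked to first six and last four digits (PCI-style display).
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def scan_tree(root: str, exts=(".txt", ".csv", ".log", ".eml")) -> dict:
    # Walk a file share; map each file containing card numbers to its masked hits.
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_pans(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo() -> dict:
    # Constructed share: an exported refund sheet plus a log with look-alike numbers.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "refunds.csv"), "w") as fh:
            fh.write("name,card\nA. Smith,4111 1111 1111 1111\nB. Jones,5500000000000004\n")
        with open(os.path.join(root, "app.log"), "w") as fh:
            fh.write("2020-09-01 order=12345678901234567890 phone=555-123-4567\n")
        return scan_tree(root)
```

Extending `exts` and adding text extraction for Office and .pst archives turns this into a practical inventory of where cardholder data has spread.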

A case handled by the Norwegian Supervisory Authority (Datatilsynet) is an example of GDPR non-compliance and fine assessments “due to insufficient technical and organizational measures to ensure information security”. In July 2020, the authority found that the Municipality of Rælingen was in violation of Articles 32 and 35. The municipality did not conduct a Data Protection Impact Assessment (DPIA), and prior to the start of the processing it had not taken adequate technical and organizational measures in accordance with Article 32 of the GDPR, resulting in an increased risk of unauthorized access to the personal data of the pupils. Also, and still under investigation, in the UK, British Airways is potentially facing a fine of £183.39M from an incident that compromised approximately 500,000 customers’ personal data. There are several examples, but not having technical measures in place is very common across violators.



Intellectual Property Protection

When thinking about how unstructured data is expanding your threat surface, think about who the threat is. Unstructured data in files, which usually has limited protection, is an attractive and easy target for internal threat actors. Let’s face it, when a data theft story breaks, it is typically not because a cyber-criminal stole a bunch of Word files from a folder on someone’s laptop. Instead, it is the insider saving information on a USB drive or taking a screenshot of sensitive information in a spreadsheet. This is costly to the
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.