Page 62 - Cyber Defense eMagazine for September 2020
businesses and governments worldwide.” Therefore, it is believed that more than 90% of an organization’s data is unstructured rather than stored in traditional databases. We know it exists and we know it is growing, but we also know that most businesses typically don’t take measures to protect it. Most feel that finding unstructured data and getting it under control and tamed, let alone protected, is a “hard to tackle” task.
It is often overlooked because the risks associated with unstructured data are generally not taken into consideration. The risks fall into two areas:
• Privacy or Industry Regulatory Compliance
• Intellectual Property Protection
Privacy or Industry Regulatory Compliance
When employees create files that contain sensitive information, copies of those files naturally proliferate. There will be multiple versions of the files, and those versions will be shared between employees via e-mail and network file shares. Employees rarely go back and delete these files later; anything sent via e-mail may be archived in .pst files, and file shares are backed up to various media. This not only creates a larger attack surface but also adds significant complexity should an organization face litigation or discovery requests from data subjects. Organizations that are subject to the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) will struggle to satisfy data destruction demands and the “right to be forgotten”. If an organization handles cardholder data, it’s crucial to keep credit card numbers within Payment Card Industry (PCI) controls – something rarely applied to unstructured data due to cost and complexity.
The Norwegian Supervisory Authority (Datatilsynet) provides an example of non-compliance with GDPR and the resulting fee assessments “due to insufficient technical and organizational measures to ensure information security”. In July 2020, the authority found that the Municipality of Rælingen was in violation of Articles 32 and 35. The municipality did not conduct a DPIA, and prior to the start of the processing it had not taken adequate technical and organizational measures in accordance with Article 32 of the GDPR, resulting in an increased risk of unauthorized access to the personal data of the pupils. Also, and still under investigation, in the UK, British Airways is potentially facing a fine of £183.39M from an incident that compromised approximately 500,000 customers’ personal data. There are several examples, but not having technical measures in place is very common across violators.
Intellectual Property Protection
When thinking about how unstructured data is expanding your threat surface, think about who the threat is. Unstructured data in files with limited protection is an attractive and easy target for internal threat actors. Let’s face it, when a data theft story breaks, it is typically not because a cyber-criminal stole a bunch of Word files from a folder on someone’s laptop. Instead, it is the insider saving information to a USB drive or taking a screenshot of sensitive information in a spreadsheet. This is costly to the
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.