
With End-to-End Encryption Against Data Leakage
Author: Robert Freudenreich, CTO at Boxcryptor
We speak of “data leakage” when data from a company is leaked to unauthorized persons or destinations outside the company. The term includes the loss of data both digitally and physically. Many companies are hesitant to store data in cloud storage, such as OneDrive, Dropbox, or Google Drive, because they suspect an increased risk of data leakage.
In fact, data stored in a cloud is physically more secure than data stored locally (e.g., in a NAS). Very few companies have the financial resources and time to provide security guards, cameras, and fire prevention measures for their own storage locations.
However, in terms of data protection, data in the cloud is exposed to a higher risk. Especially in times of flexible and mobile workplaces, sustainable protection of corporate data is of utmost importance. In the following, we present the most common types of “data leakage” and answer the question of how best to protect sensitive business files.
Type 1: Accidental Data Loss

Sensitive data does not only fall into the wrong hands when it is stolen on purpose. In most cases, when data ends up in the hands of an unauthorized person, it is an unintentional mistake. For example, someone might send an email with sensitive content to the wrong email address, or accidentally add a confidential file as an attachment in an email.
The legal consequences of an accidental data leak do not differ from those of an intentional one – there is always the obligation to report the incident. This means that companies must treat such a data accident in the same way as a cyberattack or other attack on the integrity of company data.
Type 2: Disgruntled Employees
Another fact about data leaks is that much of the lost data is not lost digitally, or through physical loss of laptops, for example. Most data gets into the wrong hands via printers, photocopiers, cameras, USB sticks, or someone rummaging through the trash for discarded documents. Often, employees are involved. After all, there are always dissatisfied employees or those who allow themselves to be bought off.
Type 3: Digital Communication as a Weak Point
The exchange of information via e-mail, messenger, and the like is an everyday occurrence in both professional and private contexts. However, this exchange is increasingly becoming the point of attack for cybercriminals. A data leak can occur if, for example, the e-mail address of a business contact is faked (spoofing) in order to obtain data. But there are also other, creative ways to get employees to unintentionally give out sensitive information (social engineering).
Of course, there are also preventive technical and organizational measures that you can implement in your company to avoid data leaks.
Preventive Measures 1: Prepare Employees for an Emergency
In principle, it is always advisable to establish a corporate culture that is sensitive to data protection. This means that all members of the company must be included.
Two goals are important:
- Employees have the motivation to be “safe”.
- Employees have the competence to make the right decisions.
Unfortunately, this ideal scenario is difficult to achieve. The reason is that employee training usually addresses the analytical system in the brain, but phishing emails and ransomware target the systems of fear and boredom – and thereby often succeed. It is, therefore, necessary to rethink how employees are sensitized to IT security.
Linus Neumann made various suggestions at the 36th Chaos Communication Congress, which took place at the end of 2019. According to his experience, a learning effect can be achieved primarily by setting up phishing traps in one’s own company and targeting employees specifically with emails. All those who fall for the attack and, for example, reveal their password, can then be educated with a video.
Such measures are relatively successful, but, unfortunately, they do not have a long-term effect, which is why they must be repeated regularly. It is also important to vary the attack scenarios. Employees who successfully ignore phishing emails may still plug a USB stick they found in the car park into their computer.

The quality of communication with the IT department should also not be underestimated. If employees have fallen victim to phishing, the IT department must be notified, because a quick response can often prevent significant damage. It is, therefore, necessary that those responsible for IT security encourage and reward reports.
Preventive Measures 2: Set Up Technical Security Measures
On a technical level, there are also several preventive measures that can reduce the risk of a data leak:
- The principle of least possible access: Employees should only have access to the files they need for their work. User rights are assigned as sparingly as possible.
- Different areas of the IT infrastructure are sealed off from each other: Production servers or office infrastructure should not run on the same network as the office computers. VLANs are a good option.
- Particularly sensitive data should be stored separately from other data.
- Encrypt confidential data for additional protection.
- There are defined workflows for sensitive processes (bank transfers, data transfer, etc.).
- Using password managers is mandatory. This way, self-created passwords that are easy to remember and are used several times can be avoided.
- Security processes should not be mapped by email or in the browser.
Discovering Data Leaks
On average, hackers need two hours to move through the IT systems and cause damage in the case of an attack. When they work in groups, they can even start causing trouble in less than 30 minutes. Considering that companies, for example in Germany, need about 11 days to react to such an attack, it becomes clear how much more action is needed in this regard. Internationally, the average reaction time is 7 days, but that is still far too long.
Ideally, an attack on the network is detected within a very short time by automatic monitoring of the systems and interrupted as quickly as possible. A short reaction time is a big challenge for most company structures. But still, the rule is clear: react as quickly as possible.
Practice Makes Perfect: Have a Test Alarm
Similar to a fire protection plan or a fire alarm exercise, it is advisable to play through the reaction to a data leak. A standard process helps to optimize the coordination between the IT department, the legal department, and the data protection officer(s). A checklist should be an integral part of this strategy.

Larger companies should consider setting up an interdisciplinary Data Breach Incident Team. Such a team will be available at short notice and is specialized in reacting to data breaches. It also makes sense to call in an IT lawyer or specialist solicitor and coordinate with the PR department – depending on the severity of the data breach.
The contact details of these people and a checklist should be available on paper so that they can still be accessed even if the IT infrastructure is completely shut down. Some computers that are not connected to the company infrastructure could ensure the operational capability of this team in an emergency.
Encryption as a Preventive Security Measure
Data leakages cause great damage in companies. As digitalization progresses, the risk increases if companies do not consider IT security at every step. With preventive measures and an awareness of the relevance of IT security, you can reduce this risk enormously. If you should still be affected, stay calm and react quickly.
If you fear fines under the GDPR: you do not necessarily have to, as long as you do not deliberately handle sensitive data negligently. Even in the event of a data breach, you have little to fear if technical and organizational measures have been taken in advance, and you react quickly and cooperatively when the incident becomes known. Strong end-to-end encryption offers effective protection against unauthorized access to files. Even if encrypted data is leaked from the company’s internal system, it is not possible to read the information it contains. If you need support in securing your data in the cloud and want to avoid becoming a victim of data leakage, check out www.boxcryptor.com/blog/post/data-breach-report-how-to/.