What is Data Leakage?
Data leakage is when data in an organization’s possession is made accessible to third parties without authorization. Data leakage via digital means - email, cloud storage, etc. - is more common but not the only way that data can be leaked. The loss or theft of physical devices containing sensitive data (such as mobile devices or USB media) can also result in data leakage.
The terms data leakage and data breach are often used interchangeably, including by government agencies like the Cybersecurity and Infrastructure Security Agency (CISA). However, data leakage more commonly refers to cases where an internal actor causes the data to be publicly available (intentionally or otherwise), while data breaches involve an external attacker gaining access to an organization’s systems and the data that they contain.
What are the Types of Data Leakage?
Data leakage can be classified in a couple of different ways. One of these is the intent behind the leakage. Some data leaks occur accidentally, such as publicly-exposed cloud repositories with poor security settings. Others are intentional, such as data being leaked by a disgruntled employee or taken by a departing employee to a new job.
Data leaks can also be classified by the types of information that are exposed. Companies have a great deal of information that would be of value to cybercriminals, competitors, and other external parties, such as:
Companies commonly collect sensitive data from their customers, such as payment card information, addresses, and social security numbers (SSNs). This information is useful for criminals performing fraudulent activity or competitors looking for customer leads.
In addition to customers, companies also hold a great deal of information about their employees. Financial data, performance metrics, and similar data could be used for fraud, blackmail, phishing, or other threats.
A company’s intellectual property - including trade secrets, source code, etc. - is key to its competitive advantage. A leak of product design information could allow a competitor to create a knockoff version of a company’s product and undercut them on prices.
Marketing and Analytics
Information about a company’s current and future marketing campaigns can be invaluable to a competitor. This data could allow them to design campaigns specifically to defeat the competition.
Different types of data appeal to different potential threats. Many advanced persistent threats (APTs) target specific types of information, including intellectual property, financial data, etc. However, while these focus areas vary from one group to another, any sensitive data in an organization’s possession is of value to someone.
Preventing Data Leakage
Deploying data loss prevention (DLP) solutions is an important part of the process for protecting against data leakage, but it is not enough. To manage the risk of data leaks, follow these best practices.
Perform a Data Audit
It’s difficult to protect data that you don’t know exists. An essential first step in protecting against data leaks is to perform a full data audit. During this audit, identify all of the data in your organization’s possession and assess its value to the company.
While performing this data audit, it is also wise to perform data classification. Label data based on its value, sensitive, and applicable regulatory requirements. For example, payment card data should be considered high value, sensitive data that must be protected in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
Identify and Proactively Mitigate IT Risks
Data leaks and breaches can originate from inside or outside an organization. Minimizing the potential for these incidents requires an organization to manage its cybersecurity risk.
To do so, an organization should perform a full risk assessment for the data in its possession. The National Institute of Standards and Technology (NIST) has published a risk assessment process, or an organization can use another standard or an internal procedure for this process. After identifying and prioritizing risks, the company should take action to mitigate, transfer, or accept these risks to its sensitive data.
Protect Data According to Value
An organization can take a number of different steps to minimize the probability and likelihood of leakage of its sensitive data. Examples of security controls that organizations should have in place include:
- Encryption: Encryption protects data against unauthorized access by making it unreadable without the appropriate decryption key. Use of full-disk encryption tools like Bitlocker can help to ensure that lost or stolen devices do not leak sensitive information.
- Identity Access Management (IAM): IAM solutions assign access and permissions to different users and applications. Organizations can use IAM systems to limit access to sensitive data, decreasing the probability of a data leak.
- Least Privilege: The principle of least privilege states that a user should only have the access and permissions needed to do their job. Implementing least privilege decreases the chance that an unauthorized user can access data and leak or breach it.
- Data Custody Chain: Certain types of data may require special handling, such as evidence in a forensic investigation. For these types of data, maintaining a chain of custody helps to provide visibility into who has access to and control over this data.
- Device Management Software: Device management software can be used to remotely monitor, lock, and wipe mobile devices. This helps to ensure that these devices do not leak sensitive data if lost or stolen.
These are only some of the security controls that an organization can put into place to protect data leaks. Data protection regulations (like PCI DSS) outline the requirements for protecting the data under their jurisdiction.
Educate Employees and Staff
66% of data breaches involve an insider, whether intentionally or unintentionally. Minimizing the probability of data leaks requires training employees and staff.
Employee data protection training should cover a range of different topics. These include how to secure endpoints and mobile devices, how to properly classify and protect sensitive data, and common causes of data leaks, such as phishing attacks or improperly configured cloud storage.
Perform Regular Threat Assessments
An organization’s cyber risk is constantly evolving, which means that a company needs to perform regular threat assessments to minimize the risk of data leaks. Performing vulnerability scanning on a regular basis and undergoing periodic penetration tests can help to close the security gaps that lead to data leaks.
Prepare for Data Breaches
Despite an organization’s best efforts, data leaks can still occur. When this happens, having a process in place for detecting, responding to, and recovering from data breaches is essential to minimizing the harm to the organization. The National Cybersecurity Center of Excellence (NCCOE) lays out a process that companies can use as a guideline for data breach management. Based on this outline, companies should develop processes that meet business needs and fulfill regulatory obligations (such as breach reporting).