When we talk about data breaches, we often talk in terms of financial or reputational losses, and of external threat actors; secure your data to protect against a ransomware attack; secure your emails to protect confidential client communications.
But the recent data breach at the Police Service of Northern Ireland represents the true cost of a data breach, and that is the human cost of the people whose details were leaked online. Surnames, initials, the rank or grade, the work location and departments of all PSNI staff were inadvertently made public. Considering the sensitive nature of many of these individuals’ work, officers and their families have been left feeling incredibly vulnerable, with many evaluating whether it's safe to return to their same job assignments.
It has been widely reported that this was an unfortunate instance of human error — an unmalicious insider threat — of someone who was trying to be helpful and respond to a Freedom of Information request. I can’t imagine how that person is feeling.
But that is often all it takes, a keyboard error that inadvertently shares a confidential file with ‘Jo’ instead of ‘Joe’, or selecting the wrong document from a shared drive.
True Security Starts from the Inside Out
Legislative member Naomi Long has raised some very good questions in the wake of the breach: "Why was all this data held in one place? Why was it not encrypted? Why was a junior member of staff in a position to be able to access it? Given the sensitivity of such data, is that in itself not a concern?"
Many organisations over-index on securing the perimeter to mitigate against external threats, whilst neglecting to build a true security culture internally. I’m not just talking about putting employees through mandatory security awareness training every year. I’m talking about putting robust processes in place to protect all sensitive information, even from those inside of your organisation.
This is where data governance practices need to come into play. What data do you have, how sensitive is it, and who should have access to it? And how do you extend this governance into collaborative workflows such as emails, file sharing and cloud applications?
Granted, a full data discovery and classification project can take time but there’s no reason you can’t start protecting sensitive data you need to share for business now. Data-centric security tools such as Virtru allow you to easily apply protections, like access controls, to the data itself, which means those protections follow the data wherever it is shared for as long as it exists. It provides a level of control that in today’s climate is much needed to foster collaboration without jeopardising data security and most importantly, preventing it from inadvertently ending up where it shouldn’t be.
Protect Your Data at all Costs
Hindsight is a wonderful thing but if we get nothing else from recent events, don't underestimate the importance of a data-centric approach to security. With the continual evolution of external threats and the inevitability of human error, ensuring the most valuable asset your organisation holds is protected should be your biggest priority.
