By Vincent Weafer, VP, McAfee Labs, Intel Corporation
Last month’s McAfee Labs September Threat Report included some fresh data loss prevention research commissioned from Ponemon Institute. Survey respondents in IT management roles reported on how data appears to be getting out of their organization; whether such breaches are accidental or intentional; whether the malicious parties are internals or externals; whether the exfiltration was digital or physical; what security solutions and practices are implemented across their organizations; and which best practices appear most capable of reducing an organization’s exposure.
Unfortunately, the manufacturing sector was among the least prepared in terms of the extent of data loss prevention measures implemented and the maturity of the related processes and policies. As many as 25% of sector respondents acknowledged that their loss prevention measures are only partially deployed, if at all, and only 8% of respondents reported using all commonly used data loss prevention approaches.
When asked to rank the key events leading to an increase in data loss incidents, respondents ranked the options as follows:
- New project deployments (e.g. marketing campaigns, promotional pricing)
- Internal reorganization
- New product launches
- Peak seasons of demand
- Corporate announcements
- Mergers or divestitures
- Employee use of social media
- Financial disclosures (e.g. quarterly earnings reports)
- Unknown causes.
Manufacturing respondents were below average for all causes except peak demand and unknown causes, suggesting a lack of awareness.
These findings represent not so much sector IT managers putting a low priority on data loss prevention as a lack of experience with the frequency and types of cyber-attacks threatening organizations today. Manufacturers reported an average of 17 cyber incidents per day, compared to the industry average of 20 and 22 for the heavily targeted financial services and government sectors.
Historically, industries such as financial services and retail held significant amounts of payment card information. They have sustained the greatest number of attacks over the years, and, accordingly, they have been forced to confront the challenge of data exfiltration and implement the most extensive data loss prevention measures, policies, and practices.
However, cybercriminals are shifting their crosshairs from debit and credit card numbers that can be canceled before they can be sold and used, to personally identifiable information, protected health information, and intellectual property that are unique and cannot be replaced.
As a result, the business intelligence, operational reports, production schedules, intellectual property, and other business confidential information held by the manufacturing sector are increasingly attractive data targets.
Manufacturers are in a unique position to learn from the experiences of more seasoned sectors, such as financial services and retail, before they become successfully targeted in the way cybercriminals have recently targeted healthcare, another apparently less prepared sector, according to the survey.
In fact, manufacturing can draw a number of lessons from its vertical peers.
Get visibility and awareness. The biggest challenge we found across all industries is that most organizations do not even realize that they are leaking data. Between 50% and 80% of data breaches are discovered outside of the organizations, typically when the data is used or sold. According to the 2016 Verizon Data Breach Investigations Report, internal discovery of breaches has been on a downward trend for 10 years.
Look to your own. It should not be a surprise that cyberattacks are mostly about the money, or that between 60% and 80% of them are conducted by externals. However, that still means that 20% to 40% of breaches are the result of intentional or accidental actions by internals. Physical media, such as USB keys and laptops, are the most common method of internal data loss, but fewer than 40% of organizations surveyed are watching these devices closely enough to catch them.
Fully utilize the right tools. Organizations with data loss prevention (DLP) systems should be well positioned to block data theft, but many of them do not appear to be using the tools to best advantage. Since false negatives, or data loss that does not trigger an incident alert, are one of the challenges with DLP, we found that configuring the system to watch more actions and generate a higher number of incidents is an important part of reducing the likelihood of a breach.
Determine what to watch. Data loss is increasingly happening with unstructured data, such as office documents. Relying solely on regular expressions, which are a common method of finding things like credit card or social security numbers, leaves too much information unmonitored. Similarly, you need to watch all parts of the organization: networks, endpoints, clouds, and physical systems.
Catch yourselves. Organizations often implement active user notifications such as pop-up notifications that ask the user if he really wants to move a sensitive file to a removable drive, attach it to an email, or send it to a file-sharing website. Compared to other sectors, manufacturing was less likely to be using such notifications.
Involve and educate everyone. Finally, it is important to get all of your people involved, not just the security team. Regular security awareness training with current issues will keep data loss fresh in people’s minds. Teaching them how to recognize the value in the data they are processing makes it real for their particular job. Only 75% of manufacturing sector respondents acknowledge the implementation of such policies, compared with nearly 90% of respondents in the financial services, retail, and healthcare verticals.
To close the loop, involve your executives and other business leaders by sharing the DLP outputs. Doing so will make them aware of which of their business processes or directives may be putting the company at risk.
Adversaries are watching and adapting, so data loss prevention must be an ongoing activity, one that is refined and validated frequently.
For more information on this research, download the McAfee Labs September 2016 Threat Report.
Vincent Weafer is Vice President of Intel Security’s McAfee Labs, managing more than 350 researchers across 30 countries. He’s also responsible for managing millions of sensors across the globe, all dedicated to protecting our customers from the latest cyber threats. Vincent’s team is dedicated to advancing the research and intelligence gathering capabilities required to provide the latest protection solutions in malware, host and network intrusion, email, vulnerability, regulatory compliance, and web security.