Internal Threats


How to prevent the data breach that keeps on happening

By Dr Steve Jeffery, pre-sales engineer

The potential for revealing personally identifiable information (PII) in the ‘To’ or ‘CC’ fields of an email is a risk well understood. Yet despite this, it remains the source of far too many data breaches.

• In January 2020, Capita accidentally leaked the email addresses of all those attached to a support incident ticket on their call handling system.
• In October 2019, West Berkshire Council sent an email containing a survey about leisure centres to 1,107 recipients who could all see each other's email addresses.
• In April 2019, the UK Home Office accidentally disclosed details of hundreds of EU citizens requesting settled status to one another.
• A UK Freedom of Information request in 2018, showed at least 147 self-reported data breaches to the ICO were down to this error.

Accidental in nature, it’s easy to see why these types of breaches occur. When we want to send an email to a number of people – be that a newsletter, an event invitation, or an update on a technical support ticket – we might simply copy and paste the email addresses into the ‘To’ or ‘CC’ fields and press ‘Send’ without giving it a second thought. This approach means that all recipients of the email are visible to each other, which isn’t a problem if you are addressing a group known to one another, but in the case of a mailing list to customers, it is a privacy breach that could result in a fine.

It is no surprise that human error is the cause of so many breaches. Conditioned to using email, we have become inured to the potential danger that exists every time we press ‘Send’. Focussing on the task at hand, we don’t always give the time required to consider the privacy ramifications of our actions. We know that ‘BCC’, or blind carbon copy, is the field to use to ensure email addresses remain private, yet accidents still happen. What can an organization do to mitigate this risk?

Reducing the risk of an email data breach

To offset the inevitable risk associated with email communications, organizations need a clear cybersecurity strategy encompassing people, processes, and technology. Email policies need to be established, the workforce trained, and policy rules enforced with software. The software acts as the final safety net against the inadvertent actions of employees.

The Clearswift Secure Email Gateway can support employees to make better decisions, without increasing the administration burden on the IT support team.

In the gateway, create an email policy rule that automatically holds any email where the number of recipients in the “To” or “CC” fields exceeds a configured threshold. When an email crosses that threshold, an alert is sent to the employee. If the action was deliberate, the employee can release the email without raising an IT support ticket; the release decision is audited and recorded in the gateway. If a mistake occurred, the employee can delete the email and send a new version that complies with the organization’s privacy policy, typically with the recipients moved to ‘BCC’.
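The logic of that rule, written out as an added example (this is illustrative code, not Clearswift’s gateway implementation): count the distinct addresses in the To and Cc headers, hold the message when the count passes a threshold, and record the sender’s release decision for audit. The threshold value, the constructed sample messages and the shape of the audit record are assumptions.

```python
"""Policy check: hold outbound mail with too many visible recipients.

Added example, not Clearswift's gateway code. The threshold, the sample
messages and the audit record format are assumptions made for illustration.
"""
from email import message_from_string
from email.utils import getaddresses

# Assumed policy threshold: more visible recipients than this and the
# message is held for the sender to confirm.
MAX_VISIBLE_RECIPIENTS = 10


def visible_recipients(raw_message: str) -> list[str]:
    """Return the distinct addresses in the To and Cc headers.

    Bcc is ignored on purpose: those addresses are not disclosed to the other
    recipients, so they are not part of the exposure this rule guards against.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    seen: dict[str, str] = {}
    for _display_name, addr in getaddresses(headers):
        if addr:
            seen.setdefault(addr.lower(), addr)
    return list(seen.values())


def evaluate(raw_message: str, threshold: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Decide 'hold' or 'deliver' and say why, as the gateway alert would."""
    addrs = visible_recipients(raw_message)
    held = len(addrs) > threshold
    return {
        "action": "hold" if held else "deliver",
        "visible_recipients": len(addrs),
        "threshold": threshold,
        "reason": (
            f"{len(addrs)} addresses visible in To/Cc exceeds {threshold}; "
            "release only if every recipient may see the others"
            if held else ""
        ),
    }


def release(decision: dict, employee: str, justification: str) -> dict:
    """Sender overrides a hold; the decision is recorded for audit."""
    if decision["action"] != "hold":
        raise ValueError("only held messages can be released")
    return {
        "event": "release",
        "by": employee,
        "visible_recipients": decision["visible_recipients"],
        "justification": justification,
    }


def _mailout(to: str, bcc: str = "") -> str:
    """Build a constructed sample message (not a real mail-out)."""
    lines = ["From: leisure-survey@example.gov.uk", f"To: {to}"]
    if bcc:
        lines.append(f"Bcc: {bcc}")
    lines += ["Subject: Leisure centre survey", "", "Please complete the survey."]
    return "\n".join(lines)


RESIDENTS = ", ".join(f"resident{i}@example.net" for i in range(1, 13))

# Everyone pasted into To: each recipient sees all twelve addresses.
SAMPLE_EXPOSED = _mailout(to=RESIDENTS)
# Same mail-out done correctly: sender in To, recipients in Bcc.
SAMPLE_BCC = _mailout(to="leisure-survey@example.gov.uk", bcc=RESIDENTS)

if __name__ == "__main__":
    for name, sample in (("exposed", SAMPLE_EXPOSED), ("bcc", SAMPLE_BCC)):
        print(name, evaluate(sample))
```

Note that a sending client normally strips the Bcc header before the message leaves, so at the gateway the second sample simply arrives with a single visible address; the check does not depend on seeing Bcc at all.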

Additional information

Watch the video: How to configure the Secure Email Gateway to look for BCC mistakes

Follow our step-by-step guide: How to configure Clearswift’s Secure Email Gateway to proactively warn senders of the potential overuse of the To and CC fields in emails


The all-round information security solution

Modern cybersecurity faces a host of problems. The key to solving them is an information security solution with advanced inspection capabilities that can stand up to leaks of personal information used for phishing, malicious documents carrying embedded malware payloads, and the ‘never-ending threats’ that spread inside and outside an organization’s network, combined with strong redaction (concealing information) and sanitization (removing information) features.

Cyber Training

Cyber Security Training for Staff: Getting It Right

It’s only in recent years that businesses have come to realize the true ramifications of a data breach: it’s not just about the fines. Reputational damage affects both customers and suppliers, and there is a myriad of other costs incurred, along with disruption across the organization. Today, the average cyber-attack costs over $1 million, so organizations are sitting up and taking note of the need to protect sensitive information, rather than just thinking about it.

Paramount to the protection of critical data is having a workforce that is cyber threat aware and trained to mitigate data breach risks. While many organizations see this as educating employees on the workings of cybercriminals, they often skip over a vital first step – internal data protection processes.

This, in turn, raises the question: what should organizations be doing (from Board level down) to improve their cybersecurity posture from within?

The Rules of Engagement

As a starting point, employers need to work to create an environment that supports the honest reporting of cyber threats and incidents. A ‘shoot the messenger’ approach will not help the cause!  Adopting a supportive breach-reporting environment is crucial in order to rely upon staff to follow internal breach notification processes, so any incident can be actioned and resolved quickly. 

Without a supportive environment, when a data breach occurs due to an honest mistake, employees will be reluctant to blow the whistle on themselves, instead possibly hiding the issue whilst they attempt to rectify their mistake before anyone else notices, or worse still, do nothing at all. Add to this, those who unknowingly facilitate an attack (be it through clicking a link in a phishing email, malicious social media post or accessing their personal email and downloading a malware-ridden document), are also usually reluctant to raise the alarm in fear of punishment.

This is arguably one of the most common – and indeed, problematic – issues surrounding security incident and data breach mitigation. As any cybersecurity specialist can testify; the longer it takes to identify the root cause of the problem, the more damage that threat can do. Time is of the essence and if an employee is unwilling to come forward until the threat is discovered by someone else, significant damage may have already been done. Malware can spread through a network in a matter of minutes, and heavy fines can be imposed for data leaks, so every second counts.

As part of internal cyber training and awareness programs, organizations must reassure employees that they will not face consequences for reporting accidental link clicks or data loss. While the workforce must be held to operate to a standard of behavior, organizations need to make sure that there is a priority on encouraging employees to come forward quickly if they think there is an issue, allowing the IT security department to address the breach as quickly as possible.

Training Programs Must Continuously Evolve

Whilst training the workforce will raise its standard of security, keep in mind that, over time, defenses will degrade. This is a result of changes in business processes, evolving cyber-attacks, and in part human nature. Workers will often install unapproved applications or find workarounds to policies, which negates the effectiveness of layered network security.

As part of an ongoing cybersecurity training program, organizations must remember that anything from changes in data storage practices, to new protocols on data sharing, or new technologies being introduced into the workplace should be accompanied with additional security training for staff on how these changes may present new security risks, as well as what they can do to mitigate them.

For all these reasons, it is essential that organizations recognize that effective cybersecurity training is a continuous process and security practices should be supported by technologies that can act as a safety net. Technology is effectively a last line of defense which enforces policies and processes and ultimately helps to keep the organization, its information and its people safe.

Leverage Technology as a ‘Safety Net’

Staggeringly, although 43% of businesses experienced a cybersecurity breach in the last 12 months, only 27% have trained their workforce in adapting to this new age threat. Clearly, the need for a cyber-threat educated workforce is greater than ever, although businesses must remember that this is only one facet of a strong cyber defense.

A truly strong cyber defense policy should discern which of an employee’s tasks or activities are most likely to result in a data breach and incorporate tiered security to address them. If the main business collaboration channel for sharing sensitive information is email, an email security solution should be deployed that incorporates functionality to automate and enforce best-practice security and data protection processes.

In conjunction with standard malware scanning, advanced security products provide Data Loss Prevention (DLP) functionality and encryption to enable the secure sharing of information without hindering communication flow. Features such as Adaptive Redaction and document sanitization strip active content from attachments, removing a common delivery route for malware and ransomware, and can also be used against unwanted data acquisition (essential in a world with GDPR and shared responsibility) and sensitive data loss. Combined with a secure web gateway, damaging links (URLs) in emails and documents can be neutralized, while the same adaptive DLP functionality can be used to protect information being uploaded to, or downloaded from, cloud collaboration applications.

Employees may be one of the greatest threats to an organization, but if trained correctly, the workforce can also be its greatest defense: a cohort of threat-aware defenders against both cyber-attacks, and data breaches from within.  

Additional Information

Download the Adaptive Redaction datasheet

View our Web Security solutions

Read about our SECURE Web Gateway

Learn more about our SECURE Email Gateway

Adaptive Data Loss Prevention

‘Discovering’ Critical Data Stored On The Endpoint


Ever wondered exactly how much data you have stored on your laptop?  It doesn’t take long to amass a gazillion files, some are ones you have authored, some have been sent by email, some are from the Intranet, some are from file shares, some are from the cloud, some are… well, they can (and do) come from everywhere.

You may also have multiple versions of the same file; from work in progress through to the final version… and you never deleted the old versions.  In fact, this is the problem. These days, no-one likes to throw anything away “just in case”.  Whether it’s a personal laptop or a company laptop, there will be a mass of data stored on your machine, much of which may contain sensitive information that needs to be appropriately protected in order to comply with regulatory compliance standards.

Files contain information, and many (or most) of the files you work on for your company will be considered company assets. Some files will be public, some private, some confidential, some for customers and some for business partners or suppliers. The reality is that certain types of information pose a risk should they fall into the wrong hands. Even ‘old’ information has value and, if nothing else, could cause embarrassment, reputational damage or worse if it were exposed to unauthorized parties. The solution is to understand what data you have stored and where it is stored, and then put a plan in place to deal with it.

Clearswift’s Endpoint Data Loss Prevention (DLP) solution leverages the same Deep Content Inspection Engine (DCI) which is used in its core SECURE Gateway products. The DCI can be used to scan saved files (referred to as data at rest (DAR)) on various endpoints, to identify potential data breach risks or non-compliance with company policy.  For example, there may be spreadsheets containing PCI or PII data, or documents containing confidential company Intellectual Property that needs to be stored in a specific location or secured in a certain way.  Once critical information is ‘discovered’, there are options as to what can be done next.

In the first instance, organizations tend to run the data-at-rest scan to understand the scale of what is often referred to as their ‘unstructured data’ problem. The scan can use the same detection tokens as the Clearswift Gateway products (credit card, passport and Social Security numbers, for example) and the same expression types (regular expressions, user-defined expressions and Boolean combinations of them), so many different types of file can be identified and classified in a single pass.

The most common action applied once critical information is discovered is to have the system move files containing it to a more secure location, for example a file server share with restricted access, leaving a ‘breadcrumb’ (a file with the same name) behind to tell the user what happened and where the file has been moved to. The policy can be made granular enough not to move files that are currently being worked on, which would otherwise be a hindrance to business operation.
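The discover-then-move procedure described above, as an added example (illustrative code, not Clearswift’s DCI engine or Endpoint DLP): two assumed detectors (a Luhn-checked card number pattern and a US SSN layout), a scan that skips files modified in the last few minutes as ‘in use’, a move into a restricted location that preserves the relative path, and a breadcrumb written where each file used to be. The sample files are constructed; the card number is the widely used 4111 test value.

```python
"""Data-at-rest discovery: find files holding card numbers or SSNs, move them
to a restricted location and leave a breadcrumb where each one was.

Added example, not Clearswift code. The detectors, the 'recently modified
means in use' heuristic and the sample files are assumptions made for
illustration; a production policy carries many more token types.
"""
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# Assumed detector: 13-19 digits with optional space/hyphen separators,
# then Luhn-checked so that most arbitrary digit runs are rejected.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Assumed detector: US Social Security Number layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the policy labels that apply to a piece of text."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
            break
    if SSN_RE.search(text):
        labels.add("PII")
    return labels


def scan_and_move(root: Path, secure: Path, min_age_seconds: int) -> dict[str, set[str]]:
    """Scan every file under root; move hits under secure/, leave a breadcrumb.

    A file modified within min_age_seconds is treated as work in progress and
    left alone, so the scan never pulls a document out from under its author.
    Returns {relative path: labels} for every file that was moved.
    """
    moved: dict[str, set[str]] = {}
    now = time.time()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if now - path.stat().st_mtime < min_age_seconds:
            continue
        labels = classify(path.read_text(errors="ignore"))
        if not labels:
            continue
        rel = path.relative_to(root)
        dest = secure / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(path), str(dest))
        # Breadcrumb: same name in the same place, pointing at the new home.
        path.write_text(
            f"Moved by DLP data-at-rest scan to {dest}\n"
            f"Reason: {', '.join(sorted(labels))} content found\n"
        )
        moved[rel.as_posix()] = labels
    return moved


def demo() -> tuple[dict[str, set[str]], Path, Path]:
    """Run the scan over a constructed sample tree in a temporary directory."""
    base = Path(tempfile.mkdtemp(prefix="dar-"))
    root, secure = base / "laptop", base / "secure-share"
    root.mkdir()
    samples = {  # constructed content; the card number is a well-known test value
        "expenses.csv": "date,amount,card\n2019-03-01,42.00,4111 1111 1111 1111\n",
        "hr/onboarding.txt": "New starter SSN 123-45-6789, starts Monday\n",
        "notes.txt": "Call the office on 020 7946 0958 about the invoice\n",
        "draft.txt": "Card 4111-1111-1111-1111 still being typed up\n",
    }
    for name, body in samples.items():
        p = root / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    # Age three files by an hour; draft.txt keeps a fresh mtime, so it is
    # treated as in use and skipped even though it contains a card number.
    old = time.time() - 3600
    for name in ("expenses.csv", "hr/onboarding.txt", "notes.txt"):
        os.utime(root / name, (old, old))
    return scan_and_move(root, secure, min_age_seconds=600), root, secure


if __name__ == "__main__":
    moved, root, secure = demo()
    for rel, labels in moved.items():
        print(f"{rel}: {sorted(labels)} -> {secure / rel}")
```

The mtime heuristic is a stand-in for a proper open-handle check; on a real endpoint you would also exclude the secure share itself from the scan root so moved files are not rescanned and moved again.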

Searching for unstructured data doesn’t just apply to local drives on laptops. It can also be carried out on network and cloud file shares. For an organization to really get to grips with an unstructured data risk, it needs to leave no stone unturned in its quest to discover critical data at rest.

Some critical information is ‘standard’ over time, such as a credit card number, while other items, for example project code names, evolve. Unlike backup, where a file need not be backed up again once it has been copied, DAR scanning may need to run over the same files repeatedly as the search criteria change. Optimizations in the solution ensure that DAR scanning runs in the background without impacting the user’s productivity, and even when the laptop is disconnected from the network, the results are fed back the next time the device connects.

The Clearswift DAR scan functionality is fully integrated with its data-in-use (DIU) DLP functionality, ensuring that search criteria can be common, whether the data is stored on the disk or in use, for example, being copied to removable media. The integrated solution creates consistency, which is one of the key criteria when looking for an effective DLP solution.

The critical information on your computer, even if it is several years old, can create a business risk. Regular DAR scanning, with discovered files moved to a more secure location, minimizes that risk and keeps both the business and the user safe.

By Dr. Guy Bunker

Additional Resources:

Clearswift Endpoint Data Loss Prevention


There are multiple places within your IT infrastructure where critical information is stored. These include email Inboxes, file servers, collaboration servers (some of which might be ‘in the cloud’) and endpoint devices.  All Clearswift solutions are designed to protect critical information from falling into unauthorized hands across all these different locations and channels.  Clearswift’s Endpoint Data Loss Prevention (DLP) solution is specifically designed to address the loss of critical information at the endpoint.

There are three key components of Clearswift Endpoint DLP.  The first is the ability to regulate what devices can be connected to a company network.  The second is the ability to control the copying of data (or files) to removable media, e.g. a personal device or USB stick and encrypt it if necessary. The third is to gain visibility of what critical information is stored on a company’s various endpoints that could create an issue should it fall into unauthorized hands and move it to a more secure location. 

Device Control

Clearswift has embedded its Deep Content Inspection (DCI) into a leading endpoint protection solution, enabling organizations to enhance security and data protection processes. Removable media, including personal devices and USB sticks, has become a key risk to organizations because it is so easy to carry large quantities of information on a very small form factor. Furthermore, some devices bring malware risks with them. Clearswift Endpoint DLP has enhanced device control functionality enabling an organization to define exactly which devices are allowed to be used and/or connected to the company network. The granularity can be used to regain control: devices can be limited by device type, by manufacturer, or all the way down to specific individual devices. Within the defense industry this is becoming common practice, with a very restricted number of devices allowed to be used within a department or organization.

Content Transfer Control & Encryption

So, while Clearswift Endpoint DLP enables devices to be restricted, so too can the files that are allowed to be copied to them. This is where the Clearswift DCI engine comes into play. The DCI can ensure that no company files are copied to devices in breach of company policy. Using the same DCI engine on the endpoint as in the other Clearswift solutions ensures consistency in the information it finds and acts upon.

Even when the content is approved to be copied or transferred, there is still one more step: encryption. Encrypting the removable media ensures that if the device is lost or stolen, the data cannot be read without the key, and the organization remains compliant. When GDPR became enforceable in May 2018, several organizations locked out all USB access to the company network. While this is practical from a compliance perspective, it is not helpful day-to-day, where information frequently does need to be transferred via USB. With its triple layer of protection (device control, content control and encryption), Clearswift Endpoint DLP is there to keep you and your organization safe.

Discovering critical information ‘at rest’

The final piece that Clearswift Endpoint DLP enables is the ability to understand what information is on the device that could become a future issue. This could be tens or hundreds of thousands of files stretching back over time. Some of these files may contain sensitive information and so need additional protection. Furthermore, Clearswift Endpoint DLP is not just for laptops. It can be deployed to trawl through on-premises file servers or cloud-based file storage to check the content (data-at-rest) stored there, and move files with critical information to more secure locations if necessary. It will leave behind a ‘breadcrumb’ to say the file was there but has now moved, so as to reduce the IT support call “Help, my files have disappeared”. This ‘data discovery’ piece provides information security managers with visibility of information security risks within their organization, so action can be taken to prevent data breaches occurring.

In today’s world of digital collaboration, the need to understand where information is located as well as enhancing data protection processes is more critical than ever. Clearswift Endpoint DLP has been designed to reduce the challenges of today’s IT environment and improve working practices to protect critical information wherever it is stored and however it is used.

Read more about the Clearswift Endpoint DLP and how it can benefit your organization here.

Insider Threat

GDPR and the Insider Threat: How new regulations are changing our data handling habits

The General Data Protection Regulation (GDPR) has been covered extensively over the past year and has come to sit at the forefront of employees’ minds. Having come into force on 25th May 2018, the stories are dying down and it is now ingrained in day-to-day operational processes.

Two months down the line, however, has GDPR made an impact on the way organizations think about data?

Our latest Clearswift Insider Threat Index (CITI) research, which surveyed 400 senior IT decision makers in organizations of more than 1,000 employees across the United Kingdom, Germany and the United States, suggests that it has made more employees aware of handling data sensitively: in the UK, the share of cyber incidents attributed to employees has fallen to 38%, a decrease of four percentage points. The trend continues when looking at the extended enterprise, where our research shows the figure has fallen by eight points since 2017 and now sits at 65%.

In addition to the UK insider threat falling, Germany also presents the same trend, with employees being held responsible for 75% of cyber incidents, down from 80% last year. However, in the United States, a country outside of the direct GDPR jurisdiction, the insider threat is still on the rise with 80% of cyber incidents occurring due to the extended enterprise.

These findings suggest that EU countries are more aware of the insider threat, and that organizations have taken action to ensure their employees are becoming better data citizens post-GDPR. While the threat is going down, it remains a high figure and the top cybersecurity threat to businesses. Organizations must therefore continue their efforts to secure data and ensure that this trend continues year on year.

Continued education

Employees in every department hold some form of sensitive data and GDPR has been instrumental in getting this message across. However, now the regulation has died down from the headlines, it’s important that the message does not go by the wayside and old habits start to creep back in. Regular training seminars and tailored data security workshops will help keep employees up to date about how to safeguard the data they handle and motivate them to continue to care about the ramifications of a breach.

Follow the data protection plan

All the hard work to build an information security plan in preparation for GDPR should not go to waste. Compliance is ongoing, and processes will need to change with the business. Ensure employees are continuing to follow the plan and know how to report any incidents that occur. While the plan may change as the company learns from different security challenges, it is important to ensure that any amendments are communicated to staff and that everyone follows protocol, whether that is reporting an insider incident or handling data on a daily basis.

Invest in data protection technologies

Whilst the risk from employees handling data has reduced, human error is still inevitable and the insider threat still remains high. To protect your organization from the insider threat, Clearswift’s Adaptive Data Loss Prevention (A-DLP) solution can inspect all content coming into and going out of the organization, whether through email or the web, to prevent sensitive information being shared with or exposed to unauthorized parties. The document sanitization and adaptive redaction features help uphold GDPR compliance by scanning all emails and documents flowing in and out of the business and detecting and removing only the critical information that could cause a data breach. With this technology, businesses can ensure that critical information isn’t being sent inadvertently (or maliciously) by staff, and that unwanted inbound data acquisition is prevented.

Additional Information

Clearswift Insider Threat Index 2018

Adaptive Data Loss Prevention (A-DLP)


Cloud Storage, File Sharing Apps and GDPR: This Could Get Ugly Fast!

Cloud storage services and file sharing apps such as Dropbox, Box, Microsoft OneDrive and Google Drive are so widely adopted by employees—knowingly or unknowingly by their IT departments—that most don’t think twice about using them to share corporate information. A study by SkyHigh Networks found that the average enterprise uses 76 distinct file sharing cloud services and that 18.1% of files uploaded contain sensitive data. While this was an issue before May 25th, 2018, that date now rings terror into the hearts of CIOs and IT departments as the date GDPR became enforceable. Although some of the services will be endorsed by the organization, many won’t, and while the Shadow IT game of “hide-and-seek” continues to amuse IT teams, the implementation of GDPR ups the stakes: fines of 20 million EUR or 4% of global turnover (whichever is greater) are more than significant to any business.

Difficulty Mitigating GDPR Compliance

Repercussions of the European Union’s General Data Protection Regulation (GDPR) are far-reaching. One of the outcomes will require businesses to take the use of cloud storage and applications much more seriously. Not only will businesses need to know which—and how—cloud storage and file sharing apps are being used by their employees, they also must ensure that either the cloud services in use are compliant and integrated into their GDPR processes (i.e., right to erasure / forgotten) or the flows of data to them are inspected and scrubbed of personal information.

Compliance isn’t simply for companies and individuals in the EU; GDPR applies to any company anywhere in the world that processes the personal data of individuals in the EU.

Shadow IT: Out of Sight, Out of Mind

The majority of executives and IT managers say they are unaware of how many unauthorized cloud or shadow cloud apps and services are being used, even though Gartner has estimated that by 2020 more than 30% of successful cyber-attacks will happen through Shadow IT. Out-of-sight-out-of-mind thinking masks reality, as they simply don’t know which file sharing apps are being used. Furthermore, because data is stored offsite by a cloud service provider, they believe they have nothing to worry about. But the opposite is the case: the business retains primary responsibility. Interestingly, the GDPR concept of shared responsibility should mean that cloud service providers are more concerned with the data they store, but as yet they are not. Organizations must work with their employees and cloud service providers to ensure compliance with GDPR.

How many applications do you have on your mobile phone? How many of those are endorsed by the company? How many have access to data such as contacts or saved documents? Now multiply that by the number of employees you have, and you start to see the magnitude of the issue. Even within a small company, there could be thousands of applications which are ‘hidden’ from IT (and compliance), but which create risk.

While some cloud and app vendors, including Google, have embraced GDPR, many others have not, and in this case ignoring those who haven’t because you do not ‘know’ about them is not a defense. Ignorance is not bliss.

Addressing the Cloud Storage and File Sharing Ugliness

All is not bleak when it comes to cloud storage and file sharing apps co-existing in a GDPR compliant environment. We have a three-step approach to GDPR compliance:

1)      Discover: Find out just how big the issue is. For Shadow IT, this is about discovering how widespread its use is.

2)      Secure: Secure the information from inappropriate sharing with unauthorized users.

3)      Govern: Compliance is an ongoing commitment to protect critical information.

When it comes to Shadow IT, leveraging a GDPR-enabled secure web gateway (or a simple GDPR ICAP add-on to your existing web proxy), businesses can:

  • Perform a Shadow IT audit for cloud services. Quickly detect all cloud storage services in use throughout the business.
  • Create a map of all web-based data flows containing personal data.  This is both into and out of the organization. Shared responsibility means you need to secure and protect sensitive information which is shared with you.
  • Track and trace GDPR data moving to the cloud. Inspect data moving to cloud storage in real-time for GDPR data. This includes often-overlooked sub-file, hidden and metadata information.
  • Automate GDPR policy enforcement. Analyze personal data to determine the appropriate GDPR policy based on data context, type, channel and sharing relationship.
  • Apply adaptive security. Institute the required GDPR security measures (block, encrypt or redact) based on policy. Redaction removes only the GDPR personal data detected, allowing the rest of the content to go through without delay, quarantine or disruption. This, in turn, lowers the cost of a false positive: a wrongly flagged message is still delivered with a little content removed rather than blocked outright.
  • Enable GDPR governance. Achieve transparent visibility into GDPR reports, policy violations and breach analysis to ensure compliance.
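The ‘Discover’ step above, as an added example (illustrative code, not the gateway or its ICAP add-on): a small audit that runs over web proxy access-log lines, maps each hostname to a cloud storage service from an assumed catalogue marked sanctioned or not, and totals who is using which service and how many bytes are flowing out. The log format, the catalogue and the sample lines are all constructed; the parser would need adapting to a real proxy’s log format.

```python
"""Shadow IT audit from web proxy logs: which cloud storage services are in
use, by whom, and how much data is flowing out to each.

Added example, not Clearswift's gateway or ICAP code. The log line format,
the service catalogue and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed catalogue: domain -> (service name, sanctioned by IT?). Lookups walk
# up from the full hostname so that upload.box.com matches box.com.
SERVICE_CATALOGUE = {
    "dropbox.com": ("Dropbox", False),
    "dropboxapi.com": ("Dropbox", False),
    "box.com": ("Box", True),
    "onedrive.live.com": ("OneDrive (personal)", False),
    "sharepoint.com": ("OneDrive for Business", True),
    "drive.google.com": ("Google Drive", False),
}

# Constructed log format: timestamp user method host path status bytes_out bytes_in
# bytes_out = request body sent by the client, bytes_in = response body size.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<out>\d+) (?P<in>\d+)$"
)
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def service_for(host: str):
    """Match a hostname against the catalogue, most specific domain first."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        hit = SERVICE_CATALOGUE.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines):
    """Aggregate per-service usage; unparseable lines are skipped."""
    usage = defaultdict(lambda: {
        "sanctioned": False, "users": set(), "requests": 0,
        "upload_bytes": 0, "download_bytes": 0,
    })
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        hit = service_for(rec["host"])
        if not hit:
            continue
        name, sanctioned = hit
        entry = usage[name]
        entry["sanctioned"] = sanctioned
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["upload_bytes"] += int(rec["out"])
        else:
            entry["download_bytes"] += int(rec["in"])
    return dict(usage)


def shadow_it_report(usage):
    """Unsanctioned services only, largest outbound flow first."""
    rows = [
        (name, e["upload_bytes"], sorted(e["users"]))
        for name, e in usage.items() if not e["sanctioned"]
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample lines, not a real capture.
SAMPLE_LOG = """\
2018-06-04T09:02:11Z alice GET www.example.org /index.html 200 310 48213
2018-06-04T09:15:40Z alice POST content.dropboxapi.com /2/files/upload 200 2097152 412
2018-06-04T09:16:02Z bob PUT upload.box.com /api/2.0/files/content 201 524288 390
2018-06-04T09:20:55Z carol GET drive.google.com /drive/my-drive 200 512 90112
2018-06-04T09:21:30Z carol POST drive.google.com /upload/drive/v3/files 200 1048576 655
2018-06-04T09:25:00Z dave POST content.dropboxapi.com /2/files/upload 200 4194304 412
2018-06-04T09:30:12Z alice GET onedrive.live.com /download 200 420 3145728
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for name, upload, users in shadow_it_report(audit(SAMPLE_LOG.splitlines())):
        print(f"{name}: {upload} bytes uploaded by {', '.join(users)}")
```

The output is the inventory the ‘Discover’ step asks for; the later steps (inspecting the request bodies for personal data and applying block, encrypt or redact) need the gateway to sit inline, since an access log records only that an upload happened, not what was in it.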

The CIO and IT department need to grab control of Shadow IT, before a compliance incident occurs. Discovering which services are used is the first step towards that control. IT should be seen as an enabler to cloud services, with recommendations of which services to use and how they can be used. They also need to stop the use of those services which put businesses at risk.

In all, when addressed with the right security processes and technologies in advance, cloud storage and file sharing applications can be controlled and become GDPR compliant, helping you to avoid an ugly mess and potentially huge fines.

Additional links:

Adaptive Security for Cloud

A guide to critical data protection in 2018

Insider Threat

3 ways to protect your organization against the insider threat

Unless you’ve been living under a rock, you probably know that cyber-attacks are on the rise and hitting businesses hard. Over the past few years, swathes of high-profile attacks have dominated media headlines with eye-watering data-breach and lost revenue figures.

With organizations as large as Yahoo, Equifax and the NHS suffering devastating attacks, defending your organization might seem like a monumental task, especially if multimillion-dollar companies are struggling to defend against the sea of online threats. However, understanding where the threats are coming from and how incidents occur will give you the ability to protect your organization against them.

Our latest research reveals that the extended enterprise (employees, customers, suppliers, and ex-employees) is responsible for 74% of cyber incidents. The research, which surveyed 600 business decision makers and 1,200 employees across the UK, US, Germany, and Australia, found that an organization’s employees alone – whether through malicious or accidental actions – made up 42% of incidents, providing organizations with a clear starting point in addressing their cyber security. 

Know thy enemy

Sun Tzu’s frequently quoted sentiment is as applicable to cyber security as it is to the art of war. Understanding the threat means being able to defeat it, and when it comes to defending your organization in the digital age, internal threats pose the biggest problem. In 2015, unknown parties, such as hackers and criminal cells carried out 33% of attacks on organizations – a figure that is now down to just 26%. The internal threat, however, is on the rise.

65% of these incidents are accidental or inadvertent rather than deliberate and make up the majority of internal threats. As most businesses believe their critical data predominantly lies in non-technical departments, such as finance (55%), HR (45%) and legal or compliance (43%), addressing employee use and education around data handling is the first of many steps to addressing the insider threat:  

  • Know where your data is and educate your employees

    Every department in a business holds personally identifiable data to a greater or lesser extent, whether it’s the payroll records handled by finance officers or the target audience data used by marketing executives. Employees in these departments must recognize the potential security dangers associated with the data they use. Regular training seminars and tailored data security workshops might seem like overkill but will help educate employees about how to safeguard the data they handle and motivate them to care about the ramifications of a breach. With GDPR fast approaching, these will become a necessity that organizations avoid at their peril.
  • Build remote working into the data protection plan

    A significant contributor to the insider threat lies in the blurring lines between personal and work-based technologies. Flexible working coupled with mobile work technologies such as laptops and smart phones means that critical data is being taken outside of the bounds of the workplace and, therefore, must be secured both remotely and locally. Remote working security training should be incorporated into the data security workshops and seminars as the two invariably overlap. What’s more, a remote working policy should be developed within the overall data handling policy.
  • Invest in data protection and breach prevention technologies

    Whilst the risk around employee handling of data can be reduced, human error is inevitable. To guard against it and comprehensively secure your organization, investment in Data Loss Prevention (DLP) tools, content inspection software, and document sanitization and redaction is the biggest priority in preventing data loss; these tools can also be used to demonstrate compliance with GDPR legislation. With these technologies, businesses can ensure that critical information isn’t being sent inadvertently or maliciously by staff. What’s more, redaction and content inspection remove only the information that breaks policy, so the rest of the message still gets through, offering a flexible approach that keeps business operations efficient.
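As an added illustration of the selective-redaction approach described above (example code written for this page, not Clearswift’s product or its rules), the following inspector checks an outbound message against a small constructed policy and redacts only the spans that break it, leaving the rest of the text intact. The two detection patterns, the Luhn validator that filters out look-alike order numbers, and the sample message are constructed and simplified assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class InspectionResult:
    redacted: str
    findings: list = field(default_factory=list)   # (rule, start, end) tuples

    @property
    def violates_policy(self) -> bool:
        return bool(self.findings)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Constructed, simplified policy rules: (name, pattern, optional validator).
RULES = [
    ("payment-card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
     lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    ("ni-number", re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"), None),
]

def inspect(text: str) -> InspectionResult:
    """Redact only the spans that break policy; everything else passes through unchanged."""
    findings = []
    for name, pattern, validate in RULES:
        for m in pattern.finditer(text):
            if validate is None or validate(m.group(0)):   # validator failure = false positive
                findings.append((name, m.start(), m.end()))
    findings.sort(key=lambda f: f[1])
    out, cursor = [], 0
    for name, start, end in findings:
        if start < cursor:          # overlaps an earlier redaction; already covered
            continue
        out.append(text[cursor:start])
        out.append(f"[REDACTED:{name}]")
        cursor = end
    out.append(text[cursor:])
    return InspectionResult("".join(out), findings)

# Constructed sample outbound message: a well-known test card number and a fake NI number.
SAMPLE_MESSAGE = ("Hi, card 4111 1111 1111 1111 expires 12/26. Order ref "
                  "1234567890123 (not a card). NI number QQ 12 34 56 C.")
```

Calling `inspect(SAMPLE_MESSAGE)` redacts the card and NI number but leaves the 13-digit order reference in place because it fails the Luhn check, which is the difference between blocking a whole message and removing only what breaks policy.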

Microsoft deal is a start, but more needs to be done to protect the NHS from cyber threats

Following the recent WannaCry attack that affected so many organizations, both public and private, across the globe, many firms are now taking steps to protect themselves from potential threats in the future. One UK institution that felt the ramifications of the WannaCry attack was the NHS. The incident meant multiple hospitals across England and Scotland had to cancel procedures after vital systems were brought down, with hackers demanding money to release the systems.

Needless to say, with such a high-profile public institution being breached, both media and public interest were piqued and questions were asked about how this could have been prevented. Shockingly, it was revealed that many of the NHS networks were still running systems with Windows XP, an out-of-date operating system that is now highly vulnerable to attacks.

Running critical infrastructure on outdated software is incredibly risky, and needless to say the NHS (and others) paid the price for this. However, steps are now being taken to address this issue. It was recently announced that NHS Digital has signed an agreement with Microsoft to cover all NHS organizations with a centralized framework for the detection of malicious cyber activity, while also providing patches for all Windows devices in the health service still running XP.

Successful and secure IT is all about investment. All too often maintenance falls by the wayside. Why would you spend money on something that isn’t broken? If the impact of WannaCry isn’t a good enough justification, then what is?

So, this announcement is a positive first step to ensuring the NHS is safe from cyber threats going forward. It goes without saying that ensuring IT systems are operating with the most up-to-date software is critical to keeping these devices safe, and, through working with Microsoft, hopefully this can be achieved.

However, NHS Digital needs to ensure that it does not consider this partnership as the solution to all its security issues. Simply updating endpoint systems is not enough. Other investments and partnerships are needed to protect the whole IT infrastructure and mitigate security risks going forward.

For example, the NHS should consider taking steps to ensure that breaches don’t occur from within the organization. Data becoming exposed from within firms is one of the primary reasons for cyber-security breaches – the more people who have access, the greater the risk. Research from Clearswift found that 88% of security professionals said they had experienced a security incident, and 73% of those attributed these to employees, ex-employees, contractors and partners. This is an alarming figure, and breaches coming from inside an organization are not going to be stopped solely by updating software to prevent external attacks.

So, what can the NHS do to make sure its systems are secure both inside and out? Insider threats take many forms but ultimately revolve around the unauthorized movement of data. Therefore, the NHS must ensure that protection is centered on monitoring and preventing critical information from reaching unauthorized personnel. To do this, the health service should look to set up an information governance scheme that prevents data from being accessed and shared by unauthorized staff. Policies need to be backed up by training and technology. For example, using an adaptive data loss prevention solution to redact critical information automatically would reduce the risk without obstructing communication flows, improving the security profile. Other adaptive security technology should also be deployed to remove ransomware threats and to mitigate other information-borne risks. Some of these advanced solutions can be deployed without needing to ‘rip and replace’ what is already there. Clearswift has just launched our Data Protection+ initiative, which enables organizations to augment their existing email and web solutions with our Adaptive Data Loss Prevention functionality – even if you don’t have a Clearswift SECURE Gateway.

Upgrading systems was a necessity for the NHS following the WannaCry breach and the deal with Microsoft is a start to preventing something similar from happening in the future. However, NHS Digital needs to understand that this isn’t a silver bullet and threats are far wider-ranging than just external hackers. Through ensuring that the systems and processes are in place to protect the NHS from threats, we can ensure that the health system continues to operate smoothly and citizen records are in safe hands, guaranteeing that this national institution is well guarded into the future.

Information Security

Information Security. Solved.

Solve for information security and you solve for the most pressing cyber security challenges. Documents that leak confidential data are harvested for phishing attacks and weaponized to deliver embedded malware payloads. Today’s documents require an enhanced level of inspection, redaction and sanitization before entering or leaving your network.