Why all organizations must better protect sensitive data Why all organizations must better protect sensitive data

By October 17, 2019Blog

About two weeks ago, National Cybersecurity Awareness Month (NCSAM) kicked off with a new message stressing personal responsibility for users keeping themselves safe online: “Own IT. Secure IT. Protect IT.” NCSAM asked users to consider best practices for both securing their own devices and protecting sensitive data.

But personal responsibility in cybersecurity extends beyond individuals—it
reaches right into the workplace, affecting nearly every company, business, or
organization that handles user, customer, and employee data. Without an
organization’s help, individuals can still be left defenseless to several
attacks.

The user who creates and stores long passphrases in a password manager is still vulnerable to a data breach that releases their sensitive details, like their email address, physical address, and full name. The online customer who only connects to secure Wi-Fi networks is still vulnerable to a corporate hack of that retailer from threat actors seeking credit card numbers. The employee who uses multi-factor authentication on their sensitive online accounts is still vulnerable to a company-wide ransomware attack.

The truth is that companies, businesses, and organizations have an obligation to protect the sensitive data that belongs to their employees, users, and customers.

For some organizations, that obligation is a matter of real,
physical safety.

For National Domestic Violence Awareness Month, Malwarebytes announced a recommitment to protecting users from stalkerware— the nefarious threat often leveraged by domestic abusers to surveil their partners. In continuing our work in this field, today we are looking at how the NCSAM principles can be translated into practical, actionable recommendations for organizations that handle and protect the data of already at-risk individuals—domestic abuse survivors.

Though these recommendations focus on domestic abuse agencies, they touch on many of the same problems experienced by small- and mid-sized organizations. They deal with lost devices, data retention and deletion, device security, and location tracking. So even if you’re not working for a domestic abuse agency, we highly recommend you read on. Your customers will thank you for helping to protect their sensitive data and their privacy.

Threats and recommendations

Threat actors today have changed their tactics. No longer do they just phish from a list of swiped personal email addresses. No longer do they rely solely on random employee missteps of opening an email attachment or clicking a link.

Instead, threat actors target organizations and zero in on their vulnerabilities in endpoint and network security. They phish, yes, but they spear phish—convincingly spoofing third-party vendors or banks or even the CEO. They attack major organizations and companies, looking to steal the sensitive data that they know is stored within, or cripple an organization’s infrastructure in hopes of getting a ransom payout.

As the threat landscape has evolved, so, too, must the organizations
at risk.

Below are several threats facing domestic abuse agencies and other businesses today. We hope some of the following recommendations, which have also been shared by the National Network to End Domestic Violence (NNEDV), can help organizations everywhere stay safe.

Advocates using personal devices for their jobs

Despite the important work performed by domestic abuse shelters and agencies around the world, those same shelters and agencies often suffer from narrow funding, which can directly limit the types of technology available to their employees.

When Malwarebytes Labs recently visited the Morgan Hill Community
Center to discuss stalkerware with local domestic violence advocates, about one
fifth of the audience showed us that they relied on their personal mobile
devices to support domestic abuse survivors.

The risks of relying solely on personal devices for this
type of work are myriad.

The loss of a personal device, either through forgetfulness
or from theft, could reveal sensitive information, including the contact
information, text messages, emails, and voicemails of survivors, along with the
GPS location data and contact information of advocates, as well as the contact
information for an advocate’s family, friends, and coworkers.

NNEDV, which has published multiple guides for tech safety
for both survivors and advocates, explained why the use of personal devices
creates unseen vulnerabilities.

“If advocates’ friends and family members have access to an advocate’s phone, they could see survivor information in the contacts, email, or text messages,” the organization wrote in its “Cell Phone Best Practices” guide. “In addition, if the advocate’s phone was part of a family plan, the account holder (which may not be the advocate) could have access to phone records and other details that could include survivor information, breaching confidentiality.”

Agencies have several options to limit these risks.

First, agencies should provide advocates with mobile devices
to do their jobs. Understandably, not every agency can afford to give every
employee the latest smart device, so, instead, agencies should only offer what advocates
need to be successful in their roles.

If employees are frequently in contact with survivors,
receiving both text messages and phone calls, they at least need a mobile
device. If employees are meeting survivors in the field or traveling between
shelters, they would benefit from a phone that has GPS features and a mobile app
for directions and maps. Further, if an employee has no direct contact with
survivors, maybe they don’t need an agency-provided phone at all.

Also, agency-provided devices should require passcodes to unlock.

Passcodes, as we explained before, are the first line of defense to prevent unwanted parties from accessing a device. For the type of work performed by domestic abuse advocates, this security step is vital. An unsecured device could reveal which domestic abuse survivors are reaching out, their contact info including their phone number and email address, and their plans for safety.

Each agency-provided device should have a unique passcode, and
the passcodes should be known to the agency’s IT and technology staff, stored on
a separate device (like a desktop or laptop) and kept safe in a password
manager.  

If agencies cannot provide phones, they can still implement
policies on how personal devices are secured. For instance, passcodes should
also be required on personal devices used for agency work. The passcode should
be at least six digits long, and it should be required for every device unlock.

Lost devices

With both personal devices and agency-provided devices, the
loss or theft of a mobile device could reveal potentially countless survivors’ sensitive
details. Agencies should consider not only the security risks of a lost device,
but also the potential breach of confidentiality and privacy for survivors.

To mitigate the damage of a lost or stolen device, agencies should install remote wiping capabilities on the devices they own and provide. These tools, like Find My iPhone on iPhones, Find My Mobile on Samsung devices, and Find My Device on Google Pixel devices, allow a device’s owner to remotely locate a device, lock it, and wipe all its stored data if lost or stolen.

Further, agencies should remember that lost devices have a
separate, equally vital risk. Not only is the data that is locally stored
vulnerable, but so is the data that is accessible through online accounts and
networks connected to that device. Whatever platforms an employee connects to
on their device, like their work email, their Slack groups, even their HR and
benefits portal, are also left vulnerable to an attack if a device is lost or
stolen.

To stem this risk, agencies should install a single sign-on
(SSO) solution for employees who access the variety of work platforms necessary
to do their jobs.

As we said before on this topic:

Single sign-on offers
two immediate benefits. One, your employees don’t need to remember a series of
passwords for every application, from the company’s travel request service to
its intranet homepage. Two, you can set up a SSO service to require a secondary
form of authentication—often a text message sent to a separate mobile device with a unique code—when
employees sign in.

By utilizing these two features, even if your employee has their
company device stolen, the thief won’t be able to log into any important online
accounts that store other sensitive company data.”

Agencies could consider using any of the most popular single
sign-on providers for small and medium businesses, including Okta and OneLogin.

Stored text conversations and call logs

Smart devices today store an enormous amount of information
by default, including text messages that are several years old, and call logs
that go just as far back.

The sensitivities of survivors’ text messages are obvious. These
are the conversations of often at-risk individuals who are seeking help in
developing a safety plan or receiving emotional support. These are private
conversations that should be protected.

Similarly, a device’s automatically stored call logs can
reveal sensitive, private information, even if the phone call itself is not
recorded.

Call log history that shows a middle-of-the-night phone call
to a suicide prevention hotline, a weekly call to an HIV emotional support
line, or a between-work-and-home phone call to the National Domestic Violence
Hotline all immediately reveal the potential content and topics of those
conversations, even without a transcript of what was said.

To provide security and privacy for domestic abuse survivors, agencies should delete stored text messages when they are no longer needed. Agencies could also consider using a secure, end-to-end encrypted messaging app, like Signal, which allows for chat messages to automatically disappear after a scheduled time. For this process to work, though, survivors would also have to download and use the same secure messaging app.

Like with stored text conversations, agencies should
regularly delete incoming and outgoing call logs. Further, agencies should not
save survivor contact info on the actual devices being used.  

We understand that some agencies work directly with law
enforcement, sometimes offering stored text messages and call logs as a means
to provide evidence of domestic abuse. If that is part of your agency’s support
services, let your survivors know this ahead of time.

Location tracking

Most domestic abuse advocates cannot do their work only from a desk. Often, advocates work outside, meeting survivors in safe locations, traveling between an organization’s multiple chapters, and potentially visiting conferences and training sessions.

For the advocates who rely on GPS services on mobile devices for directions, their digital location history can reveal potentially private information, including the locations both of survivors and currently nonpublic safe houses. One of the most popular GPS mapping apps today, Google Maps, has a feature called “Your Timeline,” which, if turned on, allows a user to view their own location history, including what locations they visited, what time they were there, and what route they took.

Though “Your Timeline” is only visible to users and not third
parties, the problem of a lost or stolen device remains—if someone else can
access an unsecured mobile device, then they could access that device’s
location history, too.

Domestic abuse agencies should turn off location history for
the devices they provide to advocates, and they should stress that advocates
who rely on personal devices do the same.

 For a full understanding of how to do this on Android and iPhone devices, you can read The Guardian’s piece here, which delves into how to turn off all location tracking.

Organizational cybersecurity threats

Protecting your organization is about more than being smart
with the devices your employees use and the data that lives there. It also
includes protecting your organization’s infrastructure from threat actors and
human error.

Domestic abuse agencies should protect themselves with an
anti-malware, anti-virus solution. With a proper solution, employee devices,
including both desktop/laptop machines and mobile phones, can be protected from
an infection or an attack before it even happens.

Takeaways

Domestic abuse agencies complete an extraordinary amount of
work in providing services, emotional support, and safety planning to
survivors. Today, much of that work leaves behind a digital trail, and it is up
to those same agencies to make sure that the data belonging to survivors is equally
protected.

Though the list of cybersecurity threats and recommendations can seem overwhelming, it can be split up into easy takeaways:

  • Advocates should, whenever possible, be provided
    with devices to do their jobs
  • All devices should be required to have a
    passcode to unlock
  • The threat of a lost device can be mitigated by
    installing remote wiping capabilities and using a single sign-on solution to
    protect connected online account information
  • Stored text messages and call logs should be
    regularly purged
  • Location tracking on advocates’ devices should
    be turned off
  • Agencies should install anti-malware protection
    on their machines

Many years ago, the intersection of National Cybersecurity
Awareness Month and National Domestic Violence Awareness Month had little
overlap. Today, the two are closely intertwined. For domestic abuse agencies,
the protection of data is analogous to the protection of domestic abuse
survivors.

Though NCSAM’s cybersecurity principles may stress personal responsibility, it is the duty of organizations everywhere to understand their own responsibility in today’s world. Secure those who rely on you. Protect them. They should not be left alone.

The post Why all organizations must better protect sensitive data appeared first on Malwarebytes Labs.

Refer Here for Original Post and Source https://blog.malwarebytes.com/business-2/2019/10/why-all-organizations-must-better-protect-sensitive-data/https://blog.malwarebytes.com/business-2/2019/10/why-all-organizations-must-better-protect-sensitive-data/

Robert Crossland

Author Robert Crossland

More posts by Robert Crossland