Data security and the pandemic

Johannesburg, 13 Nov 2020
Lee Jenkins, CTO, ETS Group

The theft of data and identities affects everybody, regardless of income bracket. Whether it’s the pervasive R99 debit order scam or a business’s entire database being held to ransom, nobody is safe. The types of data breached range from personal information about individuals and transaction details to intellectual property. During the COVID-19 pandemic, attacks of this nature escalated, with hackers taking advantage of the fact that people are working remotely, possibly on less secure devices and networks.

The knock-on effect for businesses, over and above the fact that a breach highlights their poor governance practices and the associated legal ramifications, is the brand and reputational damage caused. For instance, Marriott Hotels was recently fined £18.4 million for a data breach, but the share price dropped 5%, which amounted to £1.5 billion; the reputational damage cost far more than the legal impact of the breach.

“The data protection legislation – such as GDPR and POPIA – that’s in place today means that these breaches can’t be swept under the carpet. The Marriott Hotels breach – the second for this group in as many years – exposed customers’ personal information and their travel details. Hackers gradually build up information to create a profile for the individual that may, eventually, enable them to access their banking and other accounts,” says Lee Jenkins, CTO of ETS Group.

He says common security vulnerabilities can be divided between external and internal threat vectors. External attacks often take the form of a security breach, where a hacker gains access and steals information. An example would be an individual’s social media account being hacked using password phishing or password stuffing. The latter method was suspected of being deployed in the Marriott Hotels hack. Once the hacker has the password for one account, they then move on through the user’s other accounts, until they gain access to the sensitive data that they seek.

He goes on to discuss the challenges around securing data and outlines three key measures to keep data protected and compliant with legislation.

Data has to be protected both at rest and in transit, says Jenkins. “Data at rest – such as a database or backup – needs to be managed differently to that in transit. The former is easier to secure: GDPR and POPIA say that data must be secured so that if it’s stolen, it’s useless to the hacker. The simplest thing to do is encrypt it.”

Securing data in transit, however, is more difficult, with the challenge of securing pockets of data as they move through the enterprise. “The options are to either encrypt the data or redact it, removing any personally identifiable information so that the data can’t be tied back to an individual,” he says.

“Encrypted data can defend against a man in the middle attack, but the data is still vulnerable once it’s decrypted – so, for instance, someone could stand behind the person who has it open on their screen and look over their shoulder.”

While encryption will protect the database at rest and in transit, regardless of the nature of the attack, it should be accompanied by measures that restrict access to data unless it goes through registered pathways and networks.

Next-generation security measures use heuristic processes to learn the normal movement of data so that they can identify what is not normal. Such a system learns the devices used, typical working hours, what data is sent, the volumes of data that are sent and between which points it is usually sent. It learns about the network and the normal patterns of data. By learning what’s normal, it therefore learns what’s not normal. This enables it to heuristically work out if another IP address is accessing the data, for instance, which could potentially be a problem.

“The aim is to stop the egress of data. While this method can’t defend against someone using a memory stick to access small quantities of data, it will pick up someone trying to dump a large quantity of data.”
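The baseline-then-flag approach described above, as an added example that is not from the article or ETS Group: a per-user profile is learned from constructed transfer records and later transfers are checked against it. The record fields, user, hosts, addresses and the three-sigma volume threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: (timestamp, user, source IP, destination, bytes sent).
BASELINE = [
    ("2020-11-02T09:15", "alice", "10.0.0.21", "crm-db", 120_000),
    ("2020-11-03T11:30", "alice", "10.0.0.21", "crm-db", 95_000),
    ("2020-11-04T14:05", "alice", "10.0.0.21", "crm-db", 110_000),
    ("2020-11-05T10:45", "alice", "10.0.0.21", "crm-db", 130_000),
    ("2020-11-06T16:20", "alice", "10.0.0.21", "crm-db", 105_000),
]
NORMAL = ("2020-11-09T10:05", "alice", "10.0.0.21", "crm-db", 118_000)
SMALL_COPY = ("2020-11-09T14:20", "alice", "10.0.0.21", "crm-db", 40_000)
BULK_DUMP = ("2020-11-09T02:40", "alice", "203.0.113.50", "crm-db", 900_000_000)

def learn(records):
    """Build a per-user profile of normal devices, hours, endpoints and volumes."""
    profile = defaultdict(lambda: {"ips": set(), "hours": set(), "dests": set(), "sizes": []})
    for ts, user, ip, dest, size in records:
        p = profile[user]
        p["ips"].add(ip)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["dests"].add(dest)
        p["sizes"].append(size)
    return profile

def deviations(profile, record, sigma=3.0):
    """Return the reasons a record departs from the learned profile (empty if none)."""
    ts, user, ip, dest, size = record
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    reasons = []
    if ip not in p["ips"]:
        reasons.append("new source IP")
    if datetime.fromisoformat(ts).hour not in p["hours"]:
        reasons.append("unusual hour")
    if dest not in p["dests"]:
        reasons.append("new destination")
    # Volume limit: mean plus sigma standard deviations (threshold is an assumption).
    if size > mean(p["sizes"]) + sigma * pstdev(p["sizes"]):
        reasons.append("volume above baseline")
    return reasons

if __name__ == "__main__":
    for rec in (NORMAL, SMALL_COPY, BULK_DUMP):
        print(rec[0], deviations(learn(BASELINE), rec))
```

The small transfer that stays inside the learned pattern is not flagged, which matches the limitation noted in the quote above for small quantities of data.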

Jenkins describes the third tool in the arsenal against data breaches, saying: “A hardware security module is a physical security measure, a device that stores digital keys that require the user to go through several steps – or layers of security – before they can access the data.” He draws an analogy with the US president in virtually all action films requiring a second person to authorise pressing that all-powerful red button.

South Africa’s data privacy act, POPI, comes into force as of 1 July 2021, leaving businesses with less than a year to comply. And while POPI tells businesses what they have to do in order to be compliant, it doesn’t tell them how to do it. Jenkins believes that South African businesses are behind the curve on compliance with data privacy legislation and that the first business to suffer a significant data breach after June 2021 will be used to set the example to encourage compliance.

“The legislation requires that the business show that it intends to be compliant. If it can prove that it had the necessary procedures in place, it will work in the company’s favour should a breach occur.”

While Jenkins is a proponent of encryption as the main line of defence, he acknowledges that cost is often a major deterrent to encrypting stored data, which is why internal data is generally not encrypted. “The database is probably where you’re going to be attacked first, so it’s key to ensure that you protect customer data stored there. There’s no point encrypting data in transit if you haven’t done it when stationary. This applies to the database, backups and any copies you’ve made of the database, for instance, for DevOps purposes.”

He also advises that businesses should implement policies and procedures around data protection, if they have not already done so. “Regular password changes and two-factor authentication are just basic common sense. The human factor is sadly always the weak point, where individuals use weak passwords or write more complex passwords on a sticky note attached to their screen. Encouraging people to use better passwords – and different passwords across different accounts – will help prevent hackers from password stuffing, for instance. Regularly educating the workforce about data security, so they become part of the solution, is a must.”