Data breaches are the bank heists of the Digital Age. Yet, they inflict much more widespread damage, dread, and chaos. Their impact is felt both immediately and in the long term. Companies targeted by data breaches can lose as much as 3% of their market value as a result. In some cases, data breaches are only identified weeks, sometimes months or years, later, which gives cybercriminals unfettered access over a long stretch of time.
Each year, the Identity Theft Resource Center compiles a year-to-date tally of “confirmed” data breaches affecting US companies and consumers. This report largely solidifies what we already know: data breaches are rampant. The YTD total for breaches in 2018 (up to September 30) was 932, for a total of 47.2 million known records reportedly compromised.
The distinction of “known” exposed records is important. In 429 of the 932 total reported breaches (46%, for those doing the math at home), the number of exposed records was unknown. This means that the full extent of nearly half of 2018’s data breaches isn’t yet understood. And, it may never be.
The report also details the types of organizations most targeted by data-related attacks. Businesses and banking/credit/financial institutions accounted for the majority, at 58%, which paints a grim picture for major corporations and banks. These types of institutions are high-value targets because of the types of financial and customer records that they hold.
“Mega Breaches” and the Start of 2019
The ITRC distinguishes breaches based on the degree of severity. The “mega” status is applied to incidents where millions of records are stolen. In 2018, seven of the 932 breaches qualified for this ugly title. That’s less than 1%, yet these seven cases resulted in two-thirds of the total number of records exposed.
These are the cases of data theft that make national headlines and cause consumers and businesses alike to increase the sense of urgency for better data security. Unfortunately, 2019 has already been home to a couple of potential mega breaches, most notably Citrix, as well as renewed concerns about the security of traditional file-sharing platforms, like Box.
Citrix loses up to 10TB of data to Iranian hackers
Citrix, a software company primarily focused on networking and cloud computing solutions, was notified by the FBI of a major breach in their system. Members of Iridium, an Iranian hacking group, are the suspected culprits. They took advantage of weak passwords to gain initial access to the organization. From there, they managed to steal between six and ten terabytes of data.
Citrix’s CISO, Stan Black, claims there is no indication that the security of any of the company’s many products or services was compromised as a result of the attack. However, the attackers may have been inside the system for over a decade, according to the president of US security firm Resecurity.
Again, the challenge of these data breaches is fully understanding the extent of the damage, which can take a significant amount of time to truly realize. Citrix’s networking and cloud products could hold sensitive information about its client companies. With access to this data, the group could theoretically circumvent the networks and security measures of those other companies, extending the impact of this data breach well beyond Citrix itself.
It’s possible that this latest breach is also linked to a December attack, where Citrix’s ShareFile service was the target. The company was ultimately forced to reset user passwords to prevent this unauthorized access.
At the time, Citrix claimed that there was no sign that these suspicious account activities on their ShareFile platform were an indication of the company’s own systems being infiltrated. Now, the story may have changed.
Companies using Box inadvertently leak their own sensitive, corporate data
Box is a company-focused, cloud content management and file sharing solution. One of the ways that Box users can share data and documents is with a unique URL to a subdomain. As long as you have the link, you can access the information. While this is very convenient, as is the case with many file sharing methods, it is very far from secure and highly susceptible to brute force attacks.
This presented a substantial security vulnerability that affected a large number of Box users. Thousands of sensitive documents were left out in the open because of insecure file sharing configurations. Had it not been for Adversis, a company focused on testing cybersecurity vulnerabilities, this feature would have continued to leave information exposed and accessible to anyone on the dark web with the know-how to find it. Adversis was able to identify the weak point and responsibly report the issue to Box, limiting any potential damage.
Adversis uncovered thousands of documents, which totaled terabytes worth of data, that were simply left unsecured under these publicly accessible URLs. According to their website, some of the documents left exposed included:
- Passport photos
- Social security numbers and bank accounts
- Designs and prototypes of still-developing technologies and products
- Lists of employees and their personal information
- Financial data, including invoices
- Customer lists and archives of conversations and meetings with these individuals
- Network diagrams, IT data and VPN configurations
This is not unlike the frequent exposures of Amazon Web Services S3 “buckets.” Adversis actually found these subdomains created by corporate Box users easier to locate than exposed buckets.
There was so much information left open for exposure that the data security assessment company realized it was impossible to notify each company individually. Instead, they had to contact Box directly. The file-sharing company has since had to review this feature and its obvious vulnerability, as well as how they approach user education.
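The Box exposure above came down to share-link settings, not a software bug. The audit below is an added example (not Box's API or Adversis' tooling); the inventory format, the access levels and the rules are assumptions, and the sample links are constructed.

```python
"""Flag share links that leave data open to anyone holding the URL."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class ShareLink:
    path: str
    access: str                        # "open" = anyone with the URL; "company"; "collaborators"
    expires: Optional[date]            # None = the link never expires
    password: bool                     # True if the link also requires a password
    vanity_name: Optional[str] = None  # human-chosen slug instead of a random token


def audit_link(link: ShareLink, today: date) -> List[str]:
    """Return the risk findings for one link (empty list = acceptable)."""
    findings: List[str] = []
    if link.access != "open":
        return findings                # company/collaborator links require a login
    if link.expires is None:
        findings.append("never expires")
    elif link.expires < today:
        findings.append("expired but still active")
    if not link.password:
        findings.append("no password on an open link")
    if link.vanity_name:
        findings.append("guessable vanity URL")
    return findings


def audit_inventory(links: List[ShareLink], today: date) -> Dict[str, List[str]]:
    """Map each risky path to its findings; clean links are omitted."""
    report: Dict[str, List[str]] = {}
    for link in links:
        findings = audit_link(link, today)
        if findings:
            report[link.path] = findings
    return report


AS_OF = date(2019, 3, 15)  # assumed audit date
# Constructed sample inventory (not real data).
SAMPLE = [
    ShareLink("/finance/q4-invoices.xlsx", "open", None, False, "q4-invoices"),
    ShareLink("/hr/passport-scans.zip", "open", date(2019, 1, 31), False),
    ShareLink("/it/vpn-config.ovpn", "company", None, False),
    ShareLink("/sales/deck.pdf", "open", date(2019, 12, 31), True),
]

if __name__ == "__main__":
    for path, findings in audit_inventory(SAMPLE, AS_OF).items():
        print(f"{path}: {', '.join(findings)}")
```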
Issues With File Sharing Platforms
Both of these cases deal partly with file sharing services. The Box case is certainly more focused on the matter, but, as mentioned, Citrix’s ShareFile service was also compromised. In each case, the problem links to one of the key disadvantages of using a file sharing service for sensitive, enterprise data.
File Sharing was Built for Convenience, Not Security
Popular file-sharing services, like Dropbox, Drive, and others, make it easy to share files, videos, images and other information. They provide a convenient alternative to attaching large files via email and being limited by file size constraints.
A lot of these services embody “convenience” and “speed” in their messaging and rhetoric. Even Box is guilty of this, by including wordage like, “provides more efficiency, speed, and simplicity for our employees.” They pepper in buzzwords like “automated workflows,” “seamless” and “more productive.”
File Sharing Services are the DIY Equivalent of Cloud-Based File Management
In Adversis’ breakdown of the issues regarding Box, they make a clear distinction that this is not a bug or direct vulnerability, but rather an issue with a bad feature. But, really what it boils down to is bad user education.
The same can be said of the Citrix data breach, in which the ultimate entry point was weak passwords. Once inside, hackers were able to uncover more security breadcrumbs that permitted them further and deeper access into the systems.
Arguably, preventing data breaches and limiting the number of potentially exposed records is equal parts security tools and user education. You can spend thousands wrapping your home in layers of security, but none of it matters if someone forgets to lock the door.
File sharing services often pride themselves on being user-friendly and easy to use, but this comes at a price. When users aren’t properly educated in using these tools as securely as possible, the risk of an unwanted intrusion rises.
Advantages Of Virtual Data Rooms
The alternative to standard file sharing platforms has become virtual data rooms (VDRs). These data storage and sharing tools are focused deeply on security, which makes them much more advantageous for organizations that are sharing sensitive files across the cloud. Each feature of these platforms holds this security focus at its core.
Virtual data rooms provide high-grade security layers, which means they are a much safer option over traditional file-sharing platforms. Dropbox, Drive and other services are simply not designed to protect data from external and unwanted forces. They may offer some security, but not enough to deter the sophisticated attacks orchestrated by today’s hackers.
VDRs utilize a number of security-focused features and protocols, such as:
- Military-level, 256-bit data encryption
- Multiple firewalls surrounding data centers
- Fence-view to restrict screenshot capabilities
- Digital watermarks
- Access restriction based on time, IP and other control parameters
Traditional file sharing platforms have limited functions when it comes to data and file organization. Most will allow basic organization through creating folders and subfolders. Yet, for companies with terabytes of data to store and share, more is needed. VDRs, on the other hand, do provide features for enhanced document organization.
Thus, while generic file share services may boast being fast and convenient, VDRs are able to make up some of this ground through their document organization capabilities. And, no security is sacrificed in the process.
Access Management and Control
In the corporate environment, managing access to data and information is very important. Not only does it help limit possible breaches (more access points means more windows and doors), but it also optimizes how your company uses its data resources and applications, which yields better overall efficiency.
With these access control parameters, each individual user, or group, can see only the data they’ve been given permission to access. This vastly limits the potential impact of a data breach. If, somehow, a hacker was able to gain entry through a user’s weak credentials or otherwise, they’d have very limited access to your corporate data.
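The per-user permissions described here, combined with the time- and IP-based restrictions listed among the VDR features above, can be expressed as a small policy check. This is an added example with an assumed grant model, not any vendor's implementation; the grants, users and addresses are constructed.

```python
"""Decide a data-room request against grants scoped by subject, action, time window and source network."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Grant:
    subject: str                    # user name or group name
    document: str
    actions: FrozenSet[str]         # e.g. {"view"} or {"view", "download"}
    window: Tuple[time, time] = (time(0, 0), time(23, 59, 59))  # allowed time of day
    networks: Tuple[str, ...] = ()  # allowed source CIDRs; empty = any source


def matching_grant(grants: Sequence[Grant], user: str, groups: Iterable[str],
                   document: str, action: str, when: datetime, src_ip: str) -> Optional[Grant]:
    """Return the first grant that permits the request, or None (deny by default)."""
    subjects = {user, *groups}
    src = ip_address(src_ip)
    for g in grants:
        if g.subject not in subjects or g.document != document:
            continue                       # grant is for someone else or another document
        if action not in g.actions:
            continue                       # e.g. view-only grant, download requested
        start, end = g.window
        if not (start <= when.time() <= end):
            continue                       # outside the permitted hours
        if g.networks and not any(src in ip_network(n) for n in g.networks):
            continue                       # request comes from a disallowed network
        return g
    return None


def is_allowed(grants, user, groups, document, action, when, src_ip) -> bool:
    return matching_grant(grants, user, groups, document, action, when, src_ip) is not None


# Constructed policy: finance staff may view the financials from the office LAN in business hours;
# the deal lead (alice) may view and download at any time from anywhere.
GRANTS = (
    Grant("finance", "/deal/financials.pdf", frozenset({"view"}), (time(8, 0), time(18, 0)), ("10.0.0.0/8",)),
    Grant("alice", "/deal/financials.pdf", frozenset({"view", "download"})),
)
BUSINESS_HOURS = datetime(2019, 3, 15, 10, 0)
AFTER_HOURS = datetime(2019, 3, 15, 22, 0)

if __name__ == "__main__":
    print(is_allowed(GRANTS, "bob", ["finance"], "/deal/financials.pdf", "view", BUSINESS_HOURS, "10.1.2.3"))
```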
Expert guidance and onsite implementation
The Box story provides an excellent example of how bad user education can lead to poor configuration and unsecured data. The best VDR service providers will coach your IT department, management and end-users on how to structure and use your data rooms in the most secure and efficient ways.
Every organization is different, which means their data storage and file sharing needs are also unique. With the right VDR solution, this expert advice will be custom-tailored to your business and its needs, which creates the absolute best results.
The Better Investment
As the world grows more and more accustomed to hearing about data breaches in the news, the need for responsible data management grows. A 2017 report revealed that 87% of consumers are willing to take their customer loyalty elsewhere, if they don’t trust a company’s data security. Thus, for businesses and banking, credit or financial institutions, data security is essential to survival and maintaining customer relations.
Cloud file sharing and data storage platforms have notably been a cause for concern, especially given the latest headlines related to IT and data security. However, these tools are necessary in the modern age, where workforces are scattered and the need for a centralized and accessible file room is increasingly vital.
The answer to both obstacles is virtual data rooms. They provide the security that corporations (and their customers) want, while also offering the virtual workspace that businesses need to allow their employees to collaborate and efficiently share information.
That said, traditional file-sharing services are notably cheaper compared to VDRs. However, when you consider the drawbacks that a data breach can produce, especially if the number of exposed records is high, that price is quickly justified. Not only can your company lose a chunk of its market share, but severe data breaches can leave corporate reputations in tatters. Sometimes, irreparably so.
The simple truth is that investing in this type of ultra-secure file sharing solution demonstrates a commitment to your customers and clients that you are invested in their security and the preservation of their sensitive information.