5 Tips to Minimize the Costly Effects of Data Exfiltration

The more sensitive data an organization collects, the more at risk it is from a cyberattack. Here's how to limit the damage.

Megan Silverman, Vice President of Cyber Solutions, Integreon

July 9, 2024


COMMENTARY

No matter the status of your organization, it may become the victim of a cyberbreach. Cases in point: In February, the US Cybersecurity and Infrastructure Security Agency (CISA) was hacked via the exploitation of vulnerabilities in Ivanti products the agency uses. The International Monetary Fund (IMF) was also attacked that month, which resulted in the compromise of at least 11 IMF email accounts. In March, multinational technology giant Fujitsu confirmed it was the victim of a cyberattack, where hackers used malware to exfiltrate personal and customer information.

Data compromises increased in 2023 by a whopping 78% over 2022, according to the "2023 Annual Data Breach Report" from the Identity Theft Resource Center (ITRC). In 2023, there were 3,025 publicly reported data compromises that impacted 353,027,892 individuals, the ITRC found. Of these compromises, 78% were cyberattacks, which impacted 343,338,964 victims.

Additionally, the "2024 Thales Data Threat Report" found a 27% increase in ransomware attacks last year, with 8% of companies paying the ransom — generally to decrypt their systems or for the "promise" that their customers' sensitive data wouldn't be released.

In short, data exfiltration is not a question of if it will happen but rather what to do to mitigate the fallout when it occurs. The best way to get in front of the issue is to review and reduce your data collection before an incident can occur.

Is Data an Asset or a Liability? Yes

Data exfiltration is the theft of personal or sensitive commercial data for the purpose of extortion. It increases the cost and complexity of incidents and brings greater potential for reputational damage. Data exfiltration cases are increasing each year, from 40% of incidents in 2019 to 80% in 2022 and "significantly higher" in 2023, according to Allianz Commercial. Furthermore, the use of artificial intelligence (AI) tools is putting companies at an ever-increasing risk of data exfiltration through insider-driven data exposure, loss, and leaks.

As threat actors become more sophisticated, they tend to focus more on the exfiltration of specific sensitive information to demand ransom payments and perpetuate identity fraud and other social engineering attacks.

When it comes to data collection, the mindset of "more is better" is wrong. The more data you keep, the more likely it is to include sensitive data — which is what threat actors are looking for, because they can monetize it.

How to Declutter Your Data Collection

As the number of incidents and rate of data exfiltration rise, it is more critical than ever to reduce the risk of a cyberattack. This means the time is right to assess your data to better understand where sensitive data is stored and delete anything that you do not need. Here are five tips for getting started:

  1. Classify and track your data. Data mapping is the process of creating a visual representation of your data. It helps you understand the landscape of your organization's information, including where it resides and where sensitive data is stored. Depending on the size of your organization, you can choose to conduct data mapping manually or use a context-based AI scanning tool for an initial assessment of where sensitive data is stored and how much is duplicated.

  2. Encourage data sanitization. Help employees throughout your organization to rethink their data storage practices. For example, if an employee is storing customer data because they want to reuse the work product or formatting, advise them to create a generic template instead and delete any copies with customer information.

  3. Have IT and infosec teams meet regularly with each department. Require appropriate individuals from IT and infosec to meet with each department to take stock of its data, where that data is stored, and what sensitive data the department retains. Educate the department on proper storage techniques for sensitive data, such as implementing password protection and encryption. To meet data compliance standards, it is also crucial to determine whether sensitive data should be collected or stored in the first place.

  4. Implement automatic deletion of unused customer data. Tell customers in advance that you won't store their data for more than 60 days when idle and that they will need to reshare their data after the 60-day timeline.

  5. Practice active deletion, too. Do not continue to store old organizational data just because that is what your organization has always done. With the ever-increasing cyber incident liability risk and changing threat environment, sticking to status quo policies is no longer the way to go. Much more risk is associated with data retention than ever before, so practice deletion.
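Tips 1, 4, and 5 can be combined into a read-only scan. The sketch below is an added example, not code from the article or from Integreon: it flags files that hold sensitive-looking data and are either idle past the 60-day window or stored in more than one copy. The regex detectors, the use of last-modified time as the idle signal, and all sample file names and contents are assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

IDLE_DAYS = 60  # idle window named in tip 4
PATTERNS = {"ssn_like": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),  # illustrative only (assumption)
            "email": re.compile(rb"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")}

def inventory(root, now=None, idle_days=IDLE_DAYS):
    """One record per file: sensitive-data hits, idle flag, count of identical copies."""
    cutoff = (time.time() if now is None else now) - idle_days * 86400
    records, copies = [], {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            data = path.read_bytes()  # fine for a sample; stream large files in practice
            mtime = path.stat().st_mtime  # last-modified time as the idle proxy (assumption)
        except OSError:
            continue  # unreadable: leave for manual review
        digest = hashlib.sha256(data).hexdigest()
        copies[digest] = copies.get(digest, 0) + 1
        records.append({"path": path.relative_to(root).as_posix(), "sha256": digest,
                        "sensitive": sorted(k for k, rx in PATTERNS.items() if rx.search(data)),
                        "idle": mtime < cutoff})
    for rec in records:
        rec["copies"] = copies[rec["sha256"]]
    return records

def deletion_candidates(records):
    """Sensitive files that are idle past the window or exist in more than one copy."""
    return [r["path"] for r in records if r["sensitive"] and (r["idle"] or r["copies"] > 1)]

def demo():
    """Scan constructed sample files (every name and value here is made up)."""
    now = time.time()
    samples = {"old_invoice.txt": (b"Jane Doe 123-45-6789", 90),
               "template.txt": (b"Dear <customer>,", 90),
               "report.txt": (b"contact: a.user@example.com", 5),
               "report_copy.txt": (b"contact: a.user@example.com", 1)}
    with tempfile.TemporaryDirectory() as root:
        for name, (body, age_days) in samples.items():
            path = Path(root) / name
            path.write_bytes(body)
            os.utime(path, (now - age_days * 86400,) * 2)
        return deletion_candidates(inventory(root, now=now))

if __name__ == "__main__":
    print(demo())
```

The scan only reports candidates; the generic template is left alone because it contains no customer data, which matches the advice in tip 2.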

Possessing sensitive digital material exposes your organization to potentially severe legal and business consequences. Remember, storing data has real and substantial financial, legal, and physical costs and consequences. Stop storing data for longer than you need to, especially sensitive data that exposes you to heightened risk in a cyberattack. Implement processes for everyone to keep unused or old data to a minimum. That way, you can minimize the physical and financial cost of storing data and benefit your organization's bottom line.

About the Author

Megan Silverman

Vice President of Cyber Solutions, Integreon

Megan Silverman is Vice President, Cyber Solutions at Integreon and works with clients to deliver customized approaches to handle data mining and notification list development for large-scale complex breaches. Megan has deep expertise in litigation, privacy, and cyber incident response. She is a certified privacy professional, earned her JD from the University of Chicago, and earned her Environmental Law LLM at Lewis & Clark Law School. Megan is a member of the New York bar.
