August 12, 2022
Five All-Too-Common Ways in Which Private Data Gets Exposed
Data breaches are a worst-case scenario for most businesses. When they occur, companies are often subject to invasive investigations, heavy fines, and a huge loss of reputation in the public eye. Unfortunately, there are many ways in which a breach can occur. Here are five of the most common mistakes businesses make that often lead to breaches and what you need to know to ensure your company is safe.
1. Access Misconfigurations
An “access misconfiguration” refers to a situation in which a database or other resource that contains sensitive personal information doesn’t have sufficient controls over who can access the data. While this may feel like a fundamental first step in a basic security protocol, you may be surprised at how often these mistakes occur.
For example, in early 2021, Chinese social media startup Socialarks suffered a breach when an unauthorized party accessed information about its users from a database that lacked password protection and encryption. That database exposed 408 GB of data, including personally identifiable information, for more than 214 million users.
The easiest way to counteract this type of breach is to shift your company’s security process so that new databases are password-secured and encrypted by default. These efforts reduce both the likelihood and the severity of breaches.
2. Alternative Access Paths
Similar to access misconfigurations, alternative access paths expose information from databases—although unlike access misconfigurations, those databases have been secured. The problem is that security has become so complex, it leaves hidden alternative paths that bad actors can leverage.
Specifically, the access policies that dictate which files and databases employees can access can be an issue. These generally begin very simply, but then gradually become overly complicated with time. Sometimes such complex policies can cause a cascade of group and single-user access permissions that becomes harder and harder to manage. Other times, the use of multiple tools means that revoking a user’s access to a resource doesn’t actually rescind it, because a conflicting alternative access protocol still grants it.
Alternative access paths by themselves don’t often lead to breaches. But they can lead to leaks, because when there are numerous and conflicting access controls, employees are more likely to gain access to materials they weren’t meant to see. The best ways for companies to deal with this problem include:
- Using a single source of truth for all access control
- Developing processes for securely revoking access when it is no longer needed
- Ensuring group and individual access policies are regularly reviewed to eliminate overlap
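The overlap described above can be checked mechanically. The following is an added example, not code from the original article or from Mage: it lists every path by which a user reaches a resource, so a revocation that only removes the direct grant is shown to leave a nested group path in place. All user, group and resource names are hypothetical.

```python
# Constructed sample data: every user, group and resource name is hypothetical.
DIRECT = {("alice", "customers_db")}                  # (user, resource)
GROUP_GRANTS = {("analytics", "customers_db"),        # (group, resource)
                ("support", "tickets_db")}
MEMBER_OF = {"alice": {"data-team"},                  # member -> parent groups
             "data-team": {"analytics"},
             "bob": {"support"}}

def groups_of(principal, member_of):
    """Every group reached transitively from principal (cycle-safe)."""
    seen, stack = set(), [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def access_paths(user, resource, direct, group_grants, member_of):
    """List every independent path that gives user access to resource."""
    paths = ["direct"] if (user, resource) in direct else []
    paths += [f"group:{g}" for g in sorted(groups_of(user, member_of))
              if (g, resource) in group_grants]
    return paths

def overlapping_grants(direct, group_grants, member_of):
    """Direct grants that a group also covers: candidates for review."""
    return sorted((u, r) for u, r in direct
                  if len(access_paths(u, r, direct, group_grants, member_of)) > 1)

def revoke_direct(user, resource, direct):
    """Model a revocation that only touches the direct grant."""
    return direct - {(user, resource)}

if __name__ == "__main__":
    print(access_paths("alice", "customers_db", DIRECT, GROUP_GRANTS, MEMBER_OF))
    after = revoke_direct("alice", "customers_db", DIRECT)
    # The nested group path survives the revocation.
    print(access_paths("alice", "customers_db", after, GROUP_GRANTS, MEMBER_OF))
```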
3. Poor Access Event Review Procedures
If you’re managing a team of five, it would be time-consuming but possible to review all access logs to look for anomalies. However, when you scale this problem to the size of even a small company with a few dozen employees, the task can quickly grow beyond the scale that humans can deal with. When faced with an avalanche of access events, many companies give up and stop reviewing their access logs.
This is a huge problem, as reviewing the access logs can uncover issues in access control before a leak or breach occurs. To counter this problem, companies are increasingly using automated tools, including some powered by artificial intelligence, to help flag suspicious access before it becomes a problem.
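A minimal form of that automated review, as an added example that is not from the original article or from Mage: it learns which resources each user normally touches from a baseline window, then collapses the day's events into one row per anomaly. The log format, user names and working-hours window are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines in an assumed format: timestamp user resource action
BASELINE = """\
2022-08-01T09:14:02 alice customers_db read
2022-08-01T10:02:40 alice customers_db read
2022-08-02T11:30:11 bob tickets_db read
2022-08-02T14:45:00 bob tickets_db write
""".splitlines()

TODAY = """\
2022-08-03T09:20:00 alice customers_db read
2022-08-03T02:13:37 bob tickets_db read
2022-08-03T15:05:10 bob customers_db read
2022-08-03T15:05:12 bob customers_db read
2022-08-03T23:50:01 carol customers_db read
""".splitlines()

def parse(line):
    ts, user, resource, action = line.split()
    return datetime.fromisoformat(ts), user, resource, action

def build_baseline(lines):
    """Map each user to the set of resources seen in the baseline window."""
    seen = defaultdict(set)
    for line in lines:
        _, user, resource, _ = parse(line)
        seen[user].add(resource)
    return seen

def review(lines, baseline, work_hours=range(7, 20)):
    """Count flagged events per (user, resource, reasons): one row per anomaly."""
    flagged = Counter()
    for line in lines:
        ts, user, resource, _ = parse(line)
        reasons = []
        if resource not in baseline.get(user, set()):
            reasons.append("new-resource")   # never accessed in the baseline
        if ts.hour not in work_hours:
            reasons.append("off-hours")      # outside the assumed working day
        if reasons:
            flagged[(user, resource, tuple(reasons))] += 1
    return dict(flagged)

if __name__ == "__main__":
    for key, count in review(TODAY, build_baseline(BASELINE)).items():
        print(count, *key)
```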
4. Third-Party Mistakes
Today, many companies share information about their users with third parties that analyze or store the information. In addition to potentially running afoul of data privacy laws, especially when data is moved across national borders, third-party access to data tends to create new security risks. While it would be nice to live in a world where such data-sharing didn’t need to occur and thereby eliminate the security risk, such austerity is not always an option.
But what if you didn’t have to share that information at all? At least not in a way that it could be used against your company or its users. Pseudonymization is a technique used to mask a user’s identity and other personal information so that it’s difficult to trace the data back to the person who originated it, even if that information is intercepted or leaked.
Of course, pseudonymization is still theoretically reversible, which means it’s not the most secure method of concealing personal information, but it’s still a good tool in low-security situations. Anonymization is a related technique that fully separates the data from the originators. Unfortunately, anonymizing data tends to have a nasty side effect: It almost always destroys the relationships between data points. So, while it won’t reveal anything about your users if it’s leaked, it won’t be useful for most kinds of data analysis.
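One common way to pseudonymize an identifier is a keyed hash. The following is an added example, not code from the original article or from Mage: it uses HMAC-SHA256 as the assumed technique, shows that the same person maps to the same token in two data sets so relationships survive, and shows that whoever holds the key can still re-link a token, which is the reversibility noted above. The key, field names and records are constructed.

```python
import hashlib
import hmac

# Constructed sample data; in practice the key stays with the data owner
# and is never shipped to the third party along with the records.
KEY = b"constructed-demo-key"
USERS = [{"email": "Alice@Example.com", "plan": "pro"},
         {"email": "bob@example.com", "plan": "free"}]
ORDERS = [{"email": "alice@example.com ", "total": 40},
          {"email": "bob@example.com", "total": 15}]

def pseudonymize(value, key):
    """Keyed token for an identifier; normalised so variants map together."""
    norm = value.strip().lower().encode()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()

def pseudonymize_records(records, key, fields=("email",)):
    """Replace the identifying fields of each record, keep the rest as-is."""
    return [{k: pseudonymize(v, key) if k in fields else v
             for k, v in record.items()}
            for record in records]

def reidentify(token, known_values, key):
    """The key holder re-links a token by recomputing over known identifiers."""
    for value in known_values:
        if hmac.compare_digest(pseudonymize(value, key), token):
            return value
    return None

if __name__ == "__main__":
    users = pseudonymize_records(USERS, KEY)
    orders = pseudonymize_records(ORDERS, KEY)
    # The join between the two data sets still works on the token.
    print(users[0]["email"] == orders[0]["email"])
    # With the key the mapping is recoverable; with a different key it is not.
    print(reidentify(users[0]["email"], ["alice@example.com"], KEY))
    print(reidentify(users[0]["email"], ["alice@example.com"], b"other-key"))
```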
The best data anonymization tools solve this problem by using advanced algorithms to create fully synthetic anonymized data sets that cannot be traced back to any real users but maintain the relationships between data points. That makes these data sets both very secure and useful for analysis purposes.
5. Poor Employee Security Practices
While there are a variety of technical failures that can lead to breaches, human employees remain one of the leading causes of breaches and leaks. Ultimately, humans represent a substantial weakness in any security program. We often fall for tricks, and our ability to follow the rules consistently can sometimes be underwhelming. In the context of security, that means we make avoidable mistakes that hackers can exploit.
For example, an employee using the same password for their personal and work accounts can cause a leak from outside the organization to affect it. Likewise, employees are often tricked by phishing attacks that steal credentials and provide unauthorized access, or that persuade them to download malware onto their systems that can compromise a company’s entire network.
No matter how good your technological security tools get, it’s important to remember that a solid security program will ensure steps are taken to help employees make sound security decisions.
How Mage Helps Companies Prevent Data Breaches
The best data privacy tools can protect businesses from problems they haven’t yet identified. And with an end-to-end platform, companies can replace a hodgepodge of security programs and tools with a single resource that covers their needs, saving money and reducing the amount of time their employees spend on security operations.
At Mage, we’ve built a platform that can handle everything an organization needs for data security, including masking, anonymization, and dynamic access rules that can be set for region, role, and more. If you want to learn what Mage can do for your business, schedule a demo today.