How to Manage a Data Leak
Mitigating the loss of sensitive data through human error.
With the advent of new data privacy regulations, data breaches are becoming more dangerous and expensive for organizations. Previously, the main costs of a data breach lay in the loss of customers and minimal fines for negligence. However, regulations like the EU’s General Data Protection Regulation (GDPR) raise the bar, allowing fines of up to 4% of an organization’s global revenue or 20 million Euros, whichever is larger. In the United States, data protection and encryption requirements are mandated on a per-industry basis (PCI DSS, HIPAA, etc.) and now by state-specific laws like the California Consumer Privacy Act (CCPA) of 2018. On average, a data breach cost organizations $3.62 million in 2017, and, with the new regulations, this will only grow.
Understanding the data breach landscape is a critical part of protecting your organization. While the majority of data breaches are caused by external threat actors, employees are at fault for a large percentage of them. Identifying the risks and equipping your organization with the tools to mitigate them can do a lot to protect your organization from a costly incident.
Many Breaches are Internal
In general, when people think of a data breach, they picture some hacker breaking through network defenses using malware or other means. Very few consider the fact that employees are a major threat to organizational data security. However, a survey by cybersecurity company Shred-it found that 47% of surveyed executives had experienced a corporate data breach caused by an employee.
According to the 2017 Ponemon Cost of Data Breach Study, between a fifth and a third of all data breaches are caused by human error. In healthcare, 53% of data breaches were caused by the actions of people within the organization. Significantly, the HIPAA regulation within the United States does not require reporting of breaches of encrypted data, so all of these breaches could have been prevented by appropriate data encryption practices.
Employees cause data breaches in a variety of ways. A common cause in recent years has been the misconfiguration of cloud data storage services like Amazon Web Services (AWS). In many cases, these services have two different levels of security: invitation-only and open to the world. Employees who are frustrated by their inability to share documents with colleagues, and who do not understand these security settings, will choose the “Public” option. As a result, sensitive company data is visible to anyone who can guess the correct web address, causing leaks such as the one in which an unsecured cloud bucket leaked the Pentagon’s Internet surveillance archive. Ideally, organizations would keep sensitive data off of cloud platforms; however, the advantages of cloud computing make this infeasible unless the organization offers another viable alternative.
How GhostVolt Can Help
GhostVolt provides state-of-the-art collaboration tools with a focus on protecting your organization’s sensitive data. By providing a configurable and customizable solution for storing and managing your data on any server, GhostVolt provides you with complete control over your data.
The GhostVolt data storage solution is designed to ensure security without impacting usability. It accomplishes this by ensuring that data is encrypted at all times, allowing granular access control, and making administration as painless as possible.
Data encryption is crucial to preventing painful data breaches and ensuring regulatory compliance. If data is stolen while protected by a secure encryption algorithm, it’s impossible for an attacker to read it without access to the encryption key. This is why GhostVolt encrypts data using the AES-256 encryption algorithm both at rest and in transit. AES-256 is the algorithm approved by the US government for encryption of classified data and is considered the standard for data encryption.
Granular Access Control
Managing authorized and unauthorized access to data is an important part of preventing employee-caused data breaches. Unauthorized access to data can come in two forms: an authorized user accessing data that they should not and an unauthorized user accessing any data.
GhostVolt’s modular access controls protect against both cases. Each user can be individually authorized to view and edit files at a folder level, with the potential to modify or revoke permissions at the administrator level. As all files are encrypted at rest and in transit, an attempt to view files without authorization is pointless.
Access by unauthorized users most commonly occurs due to poor user password management. If a user’s password is lost, stolen, or guessed by an attacker, the attacker could gain access to the data that the user is authorized to view. GhostVolt mitigates the impact of these events by allowing an administrator to force a reset of a user’s password or, optionally, rotate all encryption keys so the user’s old key is useless. Of course, the ability to manually reset a lost password is always available.
Rotating passwords is a very powerful feature in GhostVolt. Imagine a scenario where a password is suspected of being breached: rotating eliminates this risk by changing all encryption keys and forcing all users to reset their passwords.
GhostVolt also decreases the probability of a breach due to lost or unattended computers by allowing administrators to set a maximum time of inactivity before a user is logged out and must re-authenticate to view files.
Technology designed to improve an organization’s cyber security is only effective if users and administrators use it and use it correctly. This is why GhostVolt makes administration as easy and painless as possible. Administrators can easily change and back up encryption keys and create a secure backup copy of their repository. With a business license, GhostVolt can scale with your organization, with the ability to clone repositories and even have multiple repositories residing on multiple servers.
Many organizations need to be able to demonstrate control over sensitive data for regulatory compliance. With GhostVolt Business, your organization can view the complete history of all files (including deleted ones) and the audit history of files, folders, and users. GhostVolt also includes a reporting module, allowing you to generate crisp reports on activity with ease.
Smart Encryption Built for Teamwork
• Secure collaboration
• Custom user permissions
• Automated encryption
• Powerful reporting
• Data compliance
• Scales with your business
• ...and much more