There’s a lot in life that people know they should be doing, but don’t.
There’s no mad science behind knowing what to eat or not. Vegetables are better for you than burgers.
Move more and you’ll get fitter.
Huh? “Cataloguing” doesn’t even look like a real word.
What’s the point of a data catalogue?
With a raft of high profile data breaches occurring all around the world – and in particular in Australia right now with the Optus and Medibank breaches – perhaps the new norm is ransom demands without the need for ransomware.
Here’s how ransomware typically works
- Good person clicks on a bad email that installs bad software
- The bad software encrypts the good person’s data, meaning the data can only be accessed if you know a secret key (which only the bad guy knows, maybe)
- Bad people tell good person that the secret key will cost them $500
- Good person realises that their backup isn’t working so they pay the $500
- In most cases the bad person hands over the secret key, data is unlocked and good person stops clicking on bad emails
- Bad people typically hand over the secret key because if the culture was to NOT hand over the secret key, then nobody would pay it
- If the data is valuable enough (i.e. contains Personally Identifiable Information) then an additional threat to release the data online could follow
Here’s how data theft works
- Bad person has enough technical knowledge to steal data and announces the theft online
- In the case of Optus it was a backdoor left open
- Snippets of the stolen data are showcased online, taunting the victim that the data theft is not a hoax and a ransom demand is made
- The victim now has to decide what to do:
- pay the ransom and HOPE the bad guy deletes the information (which potentially happened with Optus, it’s unclear)
- don’t pay the ransom, try and build some sort of protection in for your clients, sack the CEO and wait for someone else’s breach to reach the headlines
Neither scenario is better than another.
Neither scenario is repairable once it has occurred.
What you can do to lower the chances of it occurring
Well there’s loads. Start off with the basics…
- Educate your staff and build a secure culture.
- Want Cyber Security Awareness training? We do that.
- Password hygiene
- Stop re-using passwords. Don’t know how to do that? See point 1.
- Build a Data Catalogue
Building a Data Catalogue in 4 simple steps
- What is the sensitive data we hold?
- How do we know if it’s sensitive?
- Do we need to be collecting this data?
- Where is the data?
- Does it need to be where it is?
- How long do we need to keep it for?
- Are we keeping it because the law says we must? Or are we keeping it for our own convenience?
- Can we remove duplication?
- Does it need to exist in more than one place at any given time?
- Who has access to the data?
- Can we restrict access to only those who need it AND for only the timeframe they need it for?
- Get rid of data you don’t need.
Following these simple steps will result in your data only holding the data it needs, for as long as it needs, in a highly restricted and secure location.