Protecting company data in the event of a breach


By Daniel Lai, archTIS CEO

The Reserve Bank of New Zealand became the latest major organisation to suffer a serious and malicious cybersecurity attack in January this year when its third-party file sharing system was hacked.

In its latest update on the event, RBNZ said the nature and extent of the breach was still being investigated, and that some commercially and personally sensitive information may have been illegally downloaded. Investigations into the attack were continuing, though the breach was said to be contained.

RBNZ isn’t alone in its recent cybersecurity suffering. Just last year, the Australian Government was forced to respond to a breach which resulted in the details of thousands of MyGov accounts being put up for sale on the dark web.

Regis Healthcare, Melbourne TAFE and the Department of Home Affairs also faced major security breaches to their data systems in 2020. Unfortunately, in today’s cybersecurity landscape, it may only be a matter of time before your organisation falls victim to an attack too.

Research by Accenture in its 2020 Cyber Threatscape Report found that the COVID-19 pandemic had resulted in businesses being increasingly exposed to opportunistic cyber threats, including phishing campaigns, discontinuity of information security operations and long-term financial constraints.

The report warned that the ongoing economic fallout as a result of the pandemic could create serious financial challenges for companies’ information security operations. Meanwhile, working-from-home policies further exposed companies to cyberattacks, as employees relied on less-secure home Wi-Fi routers and VPN connections to do their jobs rather than company infrastructure.

How can data be protected in the event of a breach?

While New Zealand’s central bank hasn’t yet provided many details about the breach, it’s likely that the hacked third-party file sharing system was cloud-based.

Most breaches of this type are caused by a compromised user account, via malware, phishing or by over-sharing, where an anonymous URL is shared without requiring the individual user to authenticate.

In most security software and with many security policies, the login process is not robust enough to guarantee that a logged-in user is who they say they are, in many cases putting large amounts of data at risk.

A strong security capability should be based on ‘Zero Trust’ and not automatically trust any user—but instead verify anyone trying to connect to any systems, applications, or individual data files before granting access.

Incorporating a ‘trustless’ policy may include attribute-based access control, a security model that evaluates attributes rather than roles, such as security clearance, time of day, location and device, to determine who is able to access, edit and download files.

This gives organisations granular, dynamic control over the access of information by making intelligent decisions in real-time on whether the user should be given access to the requested information based on all of these parameters.

Benefits of real time, attribute-based access and sharing control

Using a solution leveraging attribute-based policies to control access to sensitive data has many benefits, including user-specific encryption, which means that each user opens their own encrypted copy of the original document. Most importantly, it allows access to be contextualised to the individual and is dynamic against a range of different risk scenarios: who they are, their role, where they are accessing the information from, and on what device.

It also offers time-limited access, which grants users access for a short period of time and denies it after that window has closed, and a secure reader mode for when users only require read access.
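As an added illustration (not archTIS code and not part of the original article), the attribute-based decision described earlier, together with the time-limited and read-only access described here, can be sketched as below. The attribute names, clearance levels, working hours and sample values are all assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
from typing import Optional

# Constructed clearance ladder; a higher number means more sensitive.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    allowed_countries: frozenset

@dataclass(frozen=True)
class Request:
    user: str
    clearance: str
    country: str
    managed_device: bool
    when: datetime                     # time of the request
    grant_expires: Optional[datetime]  # end of the time-limited window; None = no grant

def decide(req: Request, doc: Document, hours=(time(8), time(18))) -> frozenset:
    """Evaluate attributes on every request; an empty set means deny."""
    # Time-limited access: no grant, or the window has closed -> deny.
    if req.grant_expires is None or req.when >= req.grant_expires:
        return frozenset()
    # Unknown labels fail closed: unknown user level is lowest, unknown doc level is highest.
    user_level = LEVELS.get(req.clearance, -1)
    doc_level = LEVELS.get(doc.classification, max(LEVELS.values()) + 1)
    if user_level < doc_level or req.country not in doc.allowed_countries:
        return frozenset()
    # Read-only ("secure reader") unless on a managed device within working hours.
    if req.managed_device and hours[0] <= req.when.time() < hours[1]:
        return frozenset({"read", "edit", "download"})
    return frozenset({"read"})

# Constructed sample data.
DOC = Document("board-paper.docx", "confidential", frozenset({"NZ", "AU"}))
BASE = Request("alice", "secret", "NZ", True,
               datetime(2021, 2, 1, 10, 0), datetime(2021, 2, 1, 17, 0))

if __name__ == "__main__":
    print(sorted(decide(BASE, DOC)))                                 # full access
    print(sorted(decide(replace(BASE, managed_device=False), DOC)))  # read only
    print(sorted(decide(replace(BASE, when=datetime(2021, 2, 1, 17, 30)), DOC)))  # expired
```

The same valid login yields different outcomes as the device, location or time changes, which is what separates this model from a one-time authentication check.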

Personalised watermarks incorporating attributes such as name, date and time can be added in order to track chain of custody of printed materials and deter photographing.

An attribute-based policy also reduces attack surface, preventing copies of a document from being left in unnecessary locations if a file is added to a chat message, sent in an email or edited using a cloud-based program.

A ‘trustless’ security model is the future of Trust in a digital economy

Today, organisations should assume they will be compromised by a bad actor, disgruntled employee, or malicious software. Zero Trust should not just be employed for system and application access; it must also extend to individual file access.

Only by using intelligent, real-time data security controls that leverage attribute-based policies can you prevent a compromised user account from resulting in data loss.

Daniel Lai is the chief executive of archTIS, a global technology provider of innovative solutions for secure collaboration of sensitive information.