Data security is as crucial now as ever, as the threats are growing increasingly sophisticated. Nominet’s Cath Goulding discusses the risk of data exfiltration, along with steps you can take to protect your organization and your digital supply chain.
Data exfiltration: It sounds like one of those needlessly complex, technically convoluted geek-only phrases that make non-IT folks groan. It’s very much like data exportation and data extrusion, except that those terms sound even worse. So let’s call it what it is: theft.
Whatever term we use, the practice describes cyber criminals maliciously accessing servers and other computers in different ways specifically to steal data to which they have no right. It seldom happens randomly: This is usually a planned operation in pursuit of a pre-selected target. The thieves know what data they want, where that data resides and how to extract it. In any case, it’s theft. It’s a crime. It’s bad.
Actually, it’s worse. Thanks to a host of compliance mandates, the victims of data exfiltration (and its sibling, threat infiltration) may be held liable for the theft — even when they don’t know the problem occurred. And that makes this issue even more sensitive and more unpleasant.
To develop effective responses, first consider the context. Most importantly, remember that cybersecurity is not a static discipline. Risks can outpace legitimate innovation, which means even the best strategies must be constantly refined and sometimes replaced. More specifically, data exfiltration doesn’t follow a single channel or route — indeed, hackers use increasingly sophisticated measures to identify weak spots.
For those on the right side of the law, there’s sometimes a delicate balancing act. For example, in our field, blocking a suspicious domain is bad for business. However, a site launched with criminal intent can cause real harm with blinding speed. Distinguishing between the two is not always an easy call.
Some domains are clearly designed to deceive consumers by featuring misspelled versions of familiar brands or highlighting terms like “safenet.” However, a domain resembling a phishing operation may actually have a legitimate backer using the site to train employees or trap like-minded criminals. Some video game offerings send out scary signals and messages — but it’s just a game.
As for data theft, one area that’s ripe for attack is the digital supply chain. Most modern businesses build on sprawling networks of third parties, and at least some of these entities may lack top-tier security. This isn’t someone else’s problem; the companies they supply to are directly in the firing line. Everyone up to and including board-level executives needs to be hyper-aware of these dangerous frontiers.
So what’s the best defense here? Sadly, there’s no panacea — a single strategy that combats all of these disparate dangers is ideal, but unrealistic. What’s needed instead is a series of sensible measures that are adapted with speed and guided by intelligence to guard against a dynamic threat matrix.
Consider the supply chain; if your company is working with a broad network of third parties, then it’s not only fair, but vital to insist that every one of them has the same security policies and processes as your own. That simple dictum covers all aspects of the operation, from technology to training, and it needs to be ingrained (with regular testing) rather than obligatory. Working with each supplier individually from onboarding to termination to ensure that top-quality protection is truly baked in drastically reduces exposure.
If this sounds onerous (and it might be), consider the big-name brands that have been the targets of attacks: British Airways and Ticketmaster U.K. recently, and Equifax and Target previously. All of them suffered from data exfiltration achieved through vulnerabilities in the third-party supply chain. That’s not a good list to be on.
On the flip side, corporations with thousands of employees entering the infrastructure through millions of new touchpoints face a security nightmare — and many enterprises are largely unprepared for this new and massive influx.
In sum, just as data exfiltration is not merely a problem, but a true business threat, security is not so much a process as a true business asset. Organizations that allocate time and resources accordingly will always come out ahead.