Saturday, March 6, 2021
Corporate Compliance Insights

The Prevention of Exfiltration: A Digital-Era Priority

Guarding Against a Dynamic Threat Matrix

by Cath Goulding
May 17, 2019
in Data Privacy, Featured

Data security is as crucial now as ever, as the threats are growing increasingly sophisticated. Nominet’s Cath Goulding discusses the risk of data exfiltration, along with steps you can take to protect your organization and your digital supply chain.

Data exfiltration: It sounds like one of those needlessly complex, technically convoluted geek-only phrases that make non-IT folks groan. It’s very much like data exportation and data extrusion, except that those terms sound even worse. So let’s call it what it is: theft.

Whatever term we use, the practice describes cyber criminals maliciously accessing servers and other computers in different ways specifically to steal data to which they have no right. It seldom happens randomly: This is usually a planned operation in pursuit of a pre-selected target. The thieves know what data they want, where that data resides and how to extract it. In any case, it’s theft. It’s a crime. It’s bad.

Actually, it’s worse. Thanks to a host of compliance mandates, the victims of data exfiltration (and its sibling, threat infiltration) may be held liable for the theft — even when they don’t know the problem occurred. And that makes this issue even more sensitive and more unpleasant.

To develop effective responses, first consider the context. Most importantly, remember that cybersecurity is not a static discipline. Risks can outpace legitimate innovation, which means even the best strategies must be constantly refined and sometimes replaced. More specifically, data exfiltration doesn’t follow a single channel or route — indeed, hackers use increasingly sophisticated measures to identify weak spots.

For those on the right side of the law, there’s sometimes a delicate balancing act. For example, in our field, blocking a suspicious domain is bad for business. However, a site launched with criminal intent can cause real harm with blinding speed. Distinguishing between the two is not always an easy call.

Some domains are clearly designed to deceive consumers by featuring misspelled versions of familiar brands or highlighting terms like “safenet.” However, a domain resembling a phishing operation may actually have a legitimate backer using the site to train employees or trap like-minded criminals. Some video game offerings send out scary signals and messages — but it’s just a game.

As for data theft, one area that’s ripe for attack is the digital supply chain. Most modern businesses build on sprawling networks of third parties, and at least some of these entities may lack top-tier security. This isn’t someone else’s problem; the companies they supply to are directly in the firing line. Everyone up to and including board-level executives needs to be hyper-aware of these dangerous frontiers.

So what’s the best defense here? Sadly, there’s no panacea — a single strategy that combats all of these disparate dangers is ideal, but unrealistic. What’s needed instead is a series of sensible measures that are adapted with speed and guided by intelligence to guard against a dynamic threat matrix.

Consider the supply chain; if your company is working with a broad network of third parties, then it’s not only fair, but vital to insist that every one of them has the same security policies and processes as your own. That simple dictum covers all aspects of the operation, from technology to training, and it needs to be ingrained (with regular testing) rather than obligatory. Working with each supplier individually from onboarding to termination to ensure that top-quality protection is truly baked in drastically reduces exposure.

If this sounds onerous (and it might be), consider the big-name brands that have been the targets of attacks: British Airways and Ticketmaster U.K. recently, and Equifax and Target previously. All of them suffered from data exfiltration achieved through vulnerabilities in the third-party supply chain. That’s not a good list to be on.

On the flip side, corporations with thousands of employees entering the infrastructure through millions of new touchpoints are a security nightmare — and many enterprises are largely unprepared for this new and massive influx.

In sum, just as data exfiltration is not merely a problem, but a true business threat, security is not so much a process as a true business asset. Organizations that allocate time and resources accordingly will always come out ahead.


Tags: cyber crime

Cath Goulding

Cath Goulding, CISSP, is Chief Information Security Officer at Nominet, which manages a critical component of all digital infrastructure operations in the country, enabling the DNS and associated cybersecurity services. With more than two decades of industry experience in both the private and public sectors, she began her career with the government in 1997 and for over 15 years held senior positions in a variety of functions spanning research, intelligence operations and information security. Among other departments, she spent time at Government Communications Headquarters (GCHQ), the critical intelligence and security organization responsible for providing signals intelligence (SIGINT) and information assurance to the U.K. government and armed forces. At Nominet, Cath is responsible for implementation and maintenance of ISO27001 certification. Throughout her career, she has emphasized education and collaboration. She has long championed awareness as the first and best line of defense, and her staff training program at Nominet, focused on addressing areas such as social engineering, phishing and related security issues, has been cited as the model for other enterprises. She frequently speaks at IT security conferences and has been formally recognized as Security Champion of the Year in the U.K. She has a B.S. in Mathematics and an M.S. in Human Computer Interaction.

© 2019 Corporate Compliance Insights
