Cyber Risks: Data Theft

Cybercriminals steal data because it can be sold and because it lends weight to threats of public exposure and reputational damage. With good IT security and risk management, however, your data can be protected from theft.

Cybercriminals constantly adapt their techniques to steal data and maximise their profits. Our team helps you protect your organization against data theft, and connects you with expert partners who provide the right services to manage an attack and reduce its impact.

The 4 stages of data theft

Initial access

The cybercriminal gains access to your IT system by exploiting a security vulnerability, phishing successfully for login credentials, or purchasing access on the dark web. As discussed in Insider-caused data breaches, an employee with authorised access may also grant access, either maliciously or inadvertently.

Reconnaissance

Once in your system, the cybercriminals usually search your networks for valuable data, and may exploit further vulnerabilities to get past internal security and move around your system undetected.

Staging

The cybercriminal prepares the data they want to steal, often using tools to compress or encrypt it. Evidence of staging is often only found during the investigation.

Exfiltration

The cybercriminal uses legitimate software tools such as MEGASync or Google Drive to move the staged data from your network to infrastructure they control. As part of their cyber extortion demand, they sometimes set up a site with a countdown timer, threatening to release the data on the dark web if the ransom is not paid. If they receive no response, they may contact employees and clients directly.

How to protect against data theft

Improve your email security

Phishing is one of the main ways that cybercriminals steal passwords or get employees to inadvertently download malicious software onto your IT network.

Reduce exposure to phishing emails

Implement measures that change the way suspicious emails are handled: SPF, DKIM and DMARC are email authentication standards that help mitigate spam and phishing attacks. Consider blocking email from newly registered domains, which may have been set up by cybercriminals for phishing.
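As an added example (not part of the original article), the script below checks SPF and DMARC TXT records for the weak settings that leave a domain open to spoofing, and shows a weak record next to a corrected one. The records are constructed strings for a hypothetical domain rather than live DNS lookups, so it runs offline; a real deployment would first fetch the TXT records for the domain and for _dmarc.<domain>.

```python
"""Assess SPF and DMARC TXT records for weak settings.

Added example, not part of the original article. The records below are
constructed strings for a hypothetical domain, not live DNS data.
"""
import re
from typing import Dict, List

# Constructed sample records (hypothetical domain, not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.com")

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|exists|redirect|ptr)(?=[:/=]|$)", re.I)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> List[str]:
    """Return the weaknesses found in an SPF record (empty list = no findings)."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()
    findings: List[str] = []
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    else:
        term = all_terms[-1]
        qualifier = term[0] if term[0] in "+-~?" else "+"
        # Only '-all' (fail) or '~all' (softfail) constrain senders; '+all' and
        # '?all' effectively let any host send mail as the domain.
        if qualifier in "+?":
            findings.append(f"'{term}' does not reject unlisted senders")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record: str) -> List[str]:
    """Return the weaknesses found in a DMARC record (empty list = no findings)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings: List[str] = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: failing mail is still delivered, only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains can be spoofed freely")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unseen")
    return findings


if __name__ == "__main__":
    for label, record, check in [("weak SPF", WEAK_SPF, assess_spf),
                                 ("strong SPF", STRONG_SPF, assess_spf),
                                 ("weak DMARC", WEAK_DMARC, assess_dmarc),
                                 ("strong DMARC", STRONG_DMARC, assess_dmarc)]:
        print(f"{label}: {check(record) or ['no findings']}")
```

The strong records pass without findings; the weak ones are flagged for a neutral "?all" qualifier, a monitoring-only "p=none" policy, partial enforcement ("pct=50") and missing aggregate reporting. A DMARC policy of "p=none" is a sensible first step while reports are reviewed, but it does not block spoofed mail until it is moved to quarantine or reject.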

Patch on-premises email servers so that cybercriminals are left with no low-hanging fruit.

Intelligent email evaluation

Automatically detonate and evaluate inbound attachments and links in a sandbox environment to determine whether they are malicious before they are delivered to the user.

Encrypt your data at rest and in transit

Damage from data theft is reduced if your data is encrypted, because stolen data is of little use to the thief without the keys needed to read it.

Limit access to tools used by criminals

Cybercriminals use tools such as MEGASync to steal data, and remote monitoring and management (RMM) tools to maintain a hidden presence on your networks. To help prevent this, ‘whitelist’ the software tools your team uses and block everything else, so that cybercriminals cannot run their own tools.
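The following script is an added example (not the article's own material) of how such a whitelist is enforced against process-start telemetry from endpoints. The allowlist, the events and the SHA-256 values are all constructed placeholders. The check keys on the file hash rather than the file name, because a cybercriminal can rename a tool such as MEGASync or an RMM agent to look like an approved application, but cannot change its hash without changing the file.

```python
"""Enforce a software allowlist against process-start telemetry.

Added example, not from the original article. The allowlist, the events and
the hashes are constructed placeholders, not real file hashes.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed allowlist: placeholder hash -> (expected file name, application).
ALLOWLIST: Dict[str, Tuple[str, str]] = {
    "1" * 64: ("outlook.exe", "Microsoft Outlook"),
    "2" * 64: ("chrome.exe", "Google Chrome"),
    "3" * 64: ("vpnclient.exe", "Company VPN client (hypothetical)"),
}


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str    # full path of the executable
    sha256: str   # hash reported by the endpoint agent (placeholder here)


# Constructed process-start events: two approved applications, one
# unapproved sync tool, and an unknown binary renamed to look approved.
EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws-01", "alice", r"C:\Program Files\Microsoft Office\outlook.exe", "1" * 64),
    ProcessEvent("ws-02", "bob", r"C:\Users\bob\Downloads\megasync.exe", "4" * 64),
    ProcessEvent("ws-03", "carol", r"C:\Users\carol\AppData\Local\Temp\outlook.exe", "5" * 64),
    ProcessEvent("ws-01", "alice", r"C:\Program Files\Google\Chrome\chrome.exe", "2" * 64),
]


def file_name(image: str) -> str:
    """Last path component, tolerant of Windows and POSIX separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(events: List[ProcessEvent], allowlist=ALLOWLIST) -> List[Dict[str, str]]:
    """Return one verdict per event: 'allow' or 'block', with the reason."""
    approved_names = {name: app for name, app in allowlist.values()}
    verdicts: List[Dict[str, str]] = []
    for ev in events:
        name = file_name(ev.image)
        entry = allowlist.get(ev.sha256.lower())
        if entry:
            verdict, reason = "allow", f"approved: {entry[1]}"
        elif name in approved_names:
            # Same name as an approved app but a different hash: the binary
            # was renamed or tampered with, which is worth an alert, not just a block.
            verdict = "block"
            reason = (f"name matches approved application '{approved_names[name]}' "
                      "but hash does not: possible renamed or tampered binary")
        else:
            verdict, reason = "block", "not on allowlist"
        verdicts.append({"host": ev.host, "user": ev.user, "image": ev.image,
                         "verdict": verdict, "reason": reason})
    return verdicts


def blocked_images(events: List[ProcessEvent] = EVENTS) -> List[str]:
    """File names of every blocked process, in event order."""
    return [file_name(v["image"]) for v in evaluate(events) if v["verdict"] == "block"]


if __name__ == "__main__":
    for v in evaluate(EVENTS):
        print(f"{v['host']:6} {v['user']:6} {v['verdict']:5} {v['image']} ({v['reason']})")
```

In practice the allowlist is maintained by the application-control feature of the endpoint platform (by hash, signer or path rule) rather than by a script; the point shown here is that a name-based rule would have allowed the renamed binary on ws-03, while a hash-based rule blocks it and gives the security team a clear reason to investigate.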

Employee training

Train your employees to recognise phishing emails and teach them about the risks of clicking on links or opening attachments.

Patch critical system vulnerabilities

Keeping your systems and software up-to-date is critical in preventing unauthorised access and malware infections.

Manage access

Put in place appropriate controls for general user and system access across your organization and for privileged access to critical assets (servers, endpoints, applications, databases, etc.), and enforce multi-factor authentication (MFA).

Manage your assets

Your asset management system should include an asset discovery tool that continuously maps the devices on your internal network, together with an up-to-date asset database and configuration management database (CMDB).

Implement EDR

When effectively deployed and monitored, endpoint detection and response (EDR) tools are one of the best defences against ransomware and other malware attacks.

EDR solutions monitor servers, laptops, desktops and managed mobile devices for signs of malicious or unusual user behaviour and activity. They also enable rapid response by trained security experts. It is important that your EDR solution runs in enforcement mode rather than audit mode, so that detected threats are blocked rather than merely logged.

Configuration assessment or penetration testing

Many organizations benefit from external help to identify weaknesses in firewalls or switches that could enable lateral movement through their systems, and to gain a better understanding of how cybercriminals could leverage that access.

How to respond to a data theft incident

We encourage policyholders who experience an actual or suspected incident to notify us.


Preserve evidence

Preserve firewall logs, which roll over quickly. If you have centralised logs, protect them, keep a copy, and ensure that they are not deleted.
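As an added example (not from the original article), the script below shows the essentials of keeping a copy that will stand up later: it copies the log files into an evidence folder, records a SHA-256 digest per file in a manifest, marks the copies read-only, and can re-verify the copies at any time. It creates a small constructed set of firewall logs in a temporary directory so it runs anywhere; the file names, timestamps and log lines are all constructed.

```python
"""Preserve log files for an investigation: copy, hash, record, verify.

Added example, not from the original article. All paths, timestamps and
log lines are constructed for the demonstration.
"""
import hashlib
import json
import shutil
import stat
import tempfile
import time
from pathlib import Path
from typing import Dict, Tuple

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(source_dir: Path, evidence_dir: Path, pattern: str = "*.log") -> Dict[str, str]:
    """Copy matching logs into evidence_dir and write a hash manifest beside them."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    files: Dict[str, str] = {}
    for src in sorted(source_dir.glob(pattern)):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)                    # copy2 keeps the original timestamps
        digest = sha256_file(dst)
        if digest != sha256_file(src):            # the copy must match the original
            raise RuntimeError(f"copy of {src.name} does not match the original")
        dst.chmod(stat.S_IRUSR | stat.S_IRGRP)    # read-only copy
        files[src.name] = digest
    manifest = {"collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "source": str(source_dir), "files": files}
    (evidence_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return files


def verify(evidence_dir: Path) -> Dict[str, bool]:
    """Re-hash every preserved file and compare it with the manifest."""
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    return {name: (evidence_dir / name).exists() and sha256_file(evidence_dir / name) == digest
            for name, digest in manifest["files"].items()}


def demo() -> Tuple[Dict[str, bool], Dict[str, bool]]:
    """Build constructed logs, preserve them, then alter one copy to show detection."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "firewall"
        src.mkdir()
        # Constructed firewall log lines (documentation IP ranges, made-up times).
        (src / "fw-day1.log").write_text(
            "2024-01-01T10:00:00Z ALLOW TCP 10.0.0.5:51000 -> 203.0.113.7:443\n"
            "2024-01-01T10:00:02Z DENY  TCP 10.0.0.5:51001 -> 198.51.100.9:22\n")
        (src / "fw-day2.log").write_text(
            "2024-01-02T09:30:00Z ALLOW TCP 10.0.0.8:49152 -> 203.0.113.7:443\n")
        (src / "notes.txt").write_text("not a log file, not collected\n")
        evidence = Path(tmp) / "evidence"
        preserve(src, evidence)
        before = verify(evidence)
        # Simulate a later alteration of one preserved copy.
        tampered = evidence / "fw-day2.log"
        tampered.chmod(stat.S_IWUSR | stat.S_IRUSR)
        with tampered.open("a") as fh:
            fh.write("2024-01-02T09:31:00Z ALLOW TCP 10.0.0.8:49153 -> 203.0.113.7:443\n")
        after = verify(evidence)
        for p in evidence.iterdir():              # restore write permission so cleanup works everywhere
            p.chmod(stat.S_IWUSR | stat.S_IRUSR)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after preservation:", before)
    print("after tampering:   ", after)
```

The manifest with its timestamps and digests is what lets an investigator later show that the logs they analysed are the ones collected on the day; store the manifest (or at least its hashes) somewhere the evidence folder cannot be altered from.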

Change passwords

Resetting user passwords alone may not stop a cybercriminal who holds stolen credentials. Some privileged accounts may need to have their passwords changed twice.

Learn more

Dark web monitoring limitations

While some organizations immediately want to engage in dark web monitoring following an incident, the results are often inconclusive. Attributing data found on the dark web to a single incident is hard, because employees frequently register their business email addresses on many third-party sites, any of which may have been breached.

The four stages of data theft are: 1) Initial Access, 2) Reconnaissance, 3) Staging, and 4) Exfiltration

Think you've been a victim of data theft? Let us know. Our specialists can investigate whether you have been compromised, or whether insider activity is involved.
