Preventing a Twitch or Sony Level Hack
Nothing is 100%, but there is a lot you can do to prevent and/or reduce the impact of a data leak.
Although many companies spend a lot time ensuring their customer data is secured, and rightly so, there is little attention paid to corporate security. Corporate security refers to internal corporate data that keeps the company moving along.
Let me outline some of examples of corporate data:
Emails, like all emails like password resets, casual conversations, and on
Slack DMs and Teams Conversations
Salary and compensation information (including executive compensation)
Cap TableFinancial Information such as
Fees for consultants
Customer financials (like Twitch user earnings for example)
What’s the riskiest item here for your company? In other words, if the WORLD knew a piece of information above, what would be the most impactful?
Does your company have a loose policy on how it speaks about customers and clients? Or even each other? Then email and slack could be your biggest concern.
Would a leak in vendor and client fees hurt your competitive advantage or negotiating capabilities for future deals?Share Last Week As A vCISO
Data Loss Protection Controls for a Twitch Hack
I’m going to list (almost) every possible control one can do to help prevent or lower the risk of such an attack. Nothing is foolproof and there is no silver bullet. If you’ve been reading this for awhile, you’ll know that defense in depth is everything.
There Is No Spoon - No Data, No Problem
If the data is not there, then it can’t ever leak can it?
Do you have every single email and slack message ever sent? Are there conversations that could impact your company negatively?
Guidelines and Controls
Have a policy and provide training around good communication principles. Ask everyone to assume everything typed can be leaked, screenshot, or forwarded.
Consider lowering your retention policies on email and slack. You will need to find the fine line of convenience vs security
You’d be surprised what’s in slack sometimes. I once found an open channel by an old employee with tons of API keys in chat.
Data Leak Prevention - Built In Tools
Your existing SaaS tools have a lot of built-in controls to prevent data from leaving your organization. You’d be surprised how easy it is to share information externally.
Here are some examples of scenarios I’ve run into in the past:
Users sharing documents and folders with the world or personal user accounts (intentional or not)
Users using 3rd party email clients, especially startups, that retain all company email (An email hack/leak can happen from anywhere!)
Users forwarding emails to their personal emails
Users sharing calendars with the world (Imagine how much information is in an EA’s calendar)
Admin tools provide employees access to tons of client information and permissions allowing people to view data or make deletions
Here is a list of possible controls and guidelines:
Prevent users or groups from sharing information externally (drive, calendar, etc)
Prevent users from forwarding company emails to their personal email
Disable IMAP and POP
Disable “Less secure apps” in Google Workspaces
Enable logging of sharing actions
Conduct an access review of users quarterly (make this a group effort to prevent too much load on one group)
Limit access to sensitive data to only users that require it for their role. Create roles appropriate to the employee role.Share
Does CS really need all those permissions?
Data Leak Prevention - Advanced Protection Tools & Methods
Sometimes to truly track your company data, you might want to employ additional controls.
That could involve:
Using DLP controls built into your software
Obtaining DLP specific software designed to track data from all corporate sources
Limiting access to some or all corporate data from company authorized and managed devices only
As you can see the rabbit is pretty deep. Yes, there is lot of data out there, but managing the risk of that data being exposed involves a few factors:
The type of data you are holding
Culture of your company
Stage of your company (are you trying just to survive or are you #1 and not trying to get knocked off that pedestal?)
Balance between convenience and security
Past incidents and precedent
Hopefully this helps paint a more holistic picture next time you wonder, could this happen to me?