Last month, the International Committee of the Red Cross confirmed that servers hosting the personal information of more than 500,000 people receiving services from the Red Cross and Red Crescent movement were compromised in a sophisticated cyber security attack. As a result of this breach, ICRC was forced to take the data hosting systems in question offline, severely limiting the humanitarian services they offer to the over half a million people affected.
While organizations such as ICRC are very familiar with the risks that come from working in physical war zones, when it comes to dealing with online cyberattacks, the territory is less well known. But it is clear that NGOs need a safe and trusted digital humanitarian space in which their operational information, and most importantly the data collected from the people they serve, is secure.
This latest attack demonstrates that cybercriminals will not hesitate to violate that safe digital humanitarian space.
While there are few details of the Red Cross data breach yet, this kind of incident shows how crucial it is to assume that determined cybercriminals have the skills and ability to gain network access.
There are plenty of very clever cybercriminals who spend a large amount of time crafting highly sophisticated attacks, but more often than not, many of the biggest cyberattacks are due to compromised user accounts, ransomware or malware, misconfigured systems and other basic vulnerabilities.
It just takes one unsuspecting employee to click on a fake link or open a malicious document to install malware and launch an attack. And with charities and NGOs working closely with other public and private sector partners, it could equally be someone in the supply chain that is the source of the initial attack.
Cybercriminals will always seek out the weakest point in the chain, exploiting it to gain a back door into systems and take the first step toward the big prize. In the case of ICRC, that was the hundreds of thousands of records of sensitive data about vulnerable people.
What these cybercriminals intend remains to be seen: whether they will try to profit from an important charity or even publish such sensitive data. The incident does, however, raise the question of which information counts as sensitive.
ICRC said its “most pressing concern” was the “potential risks that come with this breach – including confidential information being shared publicly – for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families.” The data originated from at least 60 Red Cross and Red Crescent national societies around the world.
It is clear that the affected ICRC information is highly sensitive, but institutions hold large amounts of data in widely dispersed locations, and almost all of that information could be used by cybercriminals for extortion or profit.
Many organizations spend a large amount of time and effort trying to determine which data is the most important so that it can be protected with higher security — possibly even using data encryption technologies.
There are two concerns about this. Firstly, it's really difficult both to locate and identify “important” data. Doing it manually is time-consuming and open to human error. Of course, you can use pattern matching and even artificial intelligence to find important things such as national insurance numbers, credit card data, or bank account details.
But organizations store much more data than that, including their proprietary and confidential information. And the importance of data changes over time, depending on the environment in which the business operates. As cybercriminals increasingly patch together pieces of personal data — stolen or readily available online — to build convincing phishing attacks, it can be argued that all data is sensitive.
The second concern is that, despite the increasing use of cloud services, organizations still rely on resources on the desktop or on mobile devices — what is called the “edge” in computing terms. Once you have anything more capable than what we used to call a “dumb terminal,” the user can export data from the applications and services they use. This information may well be strongly protected within its server environment, but once it is in transit or in use on the endpoint, it is no longer under that level of control.
To resolve these concerns, there is a simple approach that removes all the hard work of identifying the most important data and that strongly protects data no matter where it is stored. The approach is simply to encrypt all data, everywhere.
I'm not talking about enabling full disk encryption on all machines. That technology is only aimed at preventing data theft when a laptop, USB device, or hard drive is stolen or removed from its normal machine: once the machine is booted and the volume unlocked, every process on it, including an intruder's, reads plaintext. File-level encryption, on the other hand, is designed to keep files in an encrypted state all of the time — even when files are in use or on the move.
This approach may well have prevented the ICRC attackers from stealing anything useful to them — they would just have stolen gigabytes of scrambled data. It’s a bit like beating ransomware criminals at their own game. Equally simple measures can also minimize the likelihood of a cybercriminal being able to operate within the organization's network at all.
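To make the file-level argument concrete, here is an added example (written for this piece, not code from ICRC or any vendor) of what "encrypted all of the time" means for a single record: what is written to disk or copied off the network is a nonce, AES-256-GCM ciphertext and an authentication tag, so an exfiltrated copy is unreadable and any renamed or altered copy is rejected; the 32-byte key is assumed to be held by a separate key service rather than stored beside the files.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Added example of per-file encryption: every file is stored as
// nonce || AES-256-GCM ciphertext || tag, with its path bound as associated
// data. Key handling is assumed to live in a separate key service.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile produces the bytes that actually reach disk or the network.
func sealFile(key []byte, path string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per file
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// openFile yields plaintext only with the key and the original path;
// a renamed, truncated or bit-flipped copy fails authentication.
func openFile(key []byte, path string, stored []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(stored) < n+aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed file")
	}
	return aead.Open(nil, stored[:n], stored[n:], []byte(path))
}

// bytes.Contains(stored, record) on the sealed blob is the "what did the
// attacker actually get" check: it is false for every sealed file.
var _ = bytes.Contains
```

An intruder who copies the sealed files, or who reads them through an unlocked full-disk-encrypted volume, gets only the blob; the plaintext exists in memory of the authorized process and nowhere else.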
The most common means of illegal access to a computer network are malware and stolen, guessed, or purchased user account details. Simple, tried and tested technologies exist both to keep the wrong people out and to stop unauthorized processes from running.
For example, rather than relying on simple passwords, using multifactor authentication largely resolves the compromised user account problem, while application control or allow-listing technologies block any unauthorized process from running on the network.
This means that any rogue code will simply not get the chance to run and wreak havoc. These relatively simple measures go a long way to protecting your systems, even if the attack comes via an employee or partner in your supply chain.
If there's a simple approach to resolving a problem, that's the one I'd always go for. Mainstream thinking about malware prevention and data security has led us to increasingly complicated technologies, which try to learn what attacks look like and which information should be most strongly protected. Surely simplicity is better?