PSNI Data Breach: Two Crucial Vulnerabilities, One Big Mess

The breaking news of the PSNI data breach has exposed two major vulnerabilities security experts have been warning about for quite a while – data handling and insider threats.

The news broke that the Police Service of Northern Ireland (PSNI) has accidentally leaked the surname, initials, the rank or grade, the work location and departments of all PSNI staff, including the organised crime unit, intelligence officers stationed at ports and airports, officers in the surveillance unit and officers based at the MI5’s headquarters.

The data was allegedly posted in public as a result of human error and was taken offline after about two hours of being available, but that is enough time, for it to have fallen into the wrong hands. This very generous gift to cybercriminals, organised crime, various terrorists and other malicious actors wishing to take advantage of this data underscores two critical vulnerabilities of the modern digital age, namely secure data handling and insider threats, as the human factor is still the weakest link in cybersecurity.

In spite of developed European legislation regarding data handling, such as the General Data Protection Regulation (GDPR) and the NIS2 Directive, which aim at establishing guidelines, standards and procedures regarding secure data handling and storage, defining responsibilities and establishing enforcement and administrative fines for breaches, it would appear many institutions, governmental bodies, organisations, businesses and other private entities still do not pay adequate attention to the provisions of the legislation.

The first of the main issues when handling data today, and everyone handles at least some form of data, is classifying it by orders of importance, vulnerability and effect. Knowing which data that contains personally identifiable information is being handled or stored, the loss of which could severely affect third parties, is one of the key pillars of data security.

The other is addressing the “human error” factor. According to a Verizon study, some 85 percent of breaches involve a human element. Unless a data leak is intentional, either by whistleblowers or by malicious actors, which need to be addressed through security protocols, the unintentional or accidental leaks are most often the result of insufficiently defined procedures of data handling or lack of staff training, therefore relatively easily avoidable. Why such procedures and adequate training were not in place, should be the first question asked by management if an unintentional leak occurs.

ESET Ireland recommends 5 steps to decrease the risk of insider threats:

1. Implement access controls: Implementing access controls such as role-based access control (RBAC) can help limit access to sensitive data and systems to only those employees who need it to perform the duties of their jobs. By granting access only to those employees who require it for their job duties, a company can significantly decrease its exposure to insider threats. It’s also essential to regularly review these access privileges so that access levels remain appropriate and aligned with employees’ roles.

2. Monitor employee activity: Implementing monitoring tools to track employee activity on company devices or their network can help identify suspicious behaviour that may be indicative of an insider threat. Monitoring can also help detect any unusual data transfers or abnormal patterns of access to sensitive systems and data. However, make sure to ensure compliance with local regulations and establish clear guidelines regarding monitoring to address potential concerns about privacy.

3. Conduct background checks: Conducting background checks on all employees, contractors and vendors before granting them access to sensitive and confidential data can help identify any potential risks. These checks can also be used to verify an individual’s employment history and criminal record.

4. Organise security awareness training: Providing regular security awareness training to employees is instrumental in helping increase their understanding of cybersecurity risks and how to mitigate them. This can help reduce the likelihood of accidental insider threats, such as falling prey to phishing.

5. Data Loss Prevention: Implementing a DLP system can help prevent data loss or theft by monitoring, detecting and blocking any unauthorized transfer or sharing of sensitive data. This can help reduce insider threats but also protect confidential data.

Guest post submitted by ESET Ireland.