Temporary files, the single use plastic of DATA
Here’s a corporate tale that I’m sure you’ll recognise… It’s not true of course (or is it?), but it is based on real-life events.
CEO calls the head of HR, “Can you email me the list of all staff and their package details? Thanks. Bye.”
Head of HR to assistant, “Can you get the staff salary list from the HR system and send it to me in an email please?”
Assistant logs onto the HR system, downloads the staff list, saves it to a work-in-progress area of a shared drive and then sends it to the Head of HR via email.
Head of HR saves it, does some work on it, emails a portion of the file to the head of a business unit to check the results.
Head of HR makes further amends and then saves in a work in progress folder and sends via email to the CEO.
CEO then saves the email into a work in progress folder and does some work on the file.
There are now at least 3 saved copies of the file and 4 emails with a version of the file as an attachment, i.e. at least seven versions of a file that contains a staff list with their package details. If any of the staff who’ve saved the file subsequently experience a phishing attack, or the corporate systems are breached, there are potentially some easy pickings now available for people seeking to do harm to your company.
One of the greatest vulnerabilities in the modern-day enterprise data architecture is the file used for temporary purposes. These are commonly CSV and ZIP files. If you like, they are the single-use plastic bottles of the data world! They are files that are used for just a moment in time and typically distributed to other people, and they almost certainly contain data that would be of interest to anyone seeking to do harm to your organisation. After all, it was data that was of interest to you, so why wouldn’t it be of interest to others?
A comma-separated values (CSV) file is typically used as a universal means of importing and exporting data between applications. The files can be easily read in Excel for further processing, so many applications use them as a simple and universal method of exporting data. Many of the data protection breaches you hear about, with large quantities of data being leaked, are highly likely to involve CSV files. Because they can be easily opened and processed inside Excel, they are commonly used, saved and distributed as attachments in emails. They are generally work in progress and the starting point for data that may subsequently be reported to management. But once the consumer of the data has drunk their fill, they are discarded. Some are deleted and safely recycled. Others are not: they are saved on shared drives, pen drives or local machines, or emailed to several recipients who in turn do similar things to them and open up the risk of a data breach in the future. Just like our story.
ZIP files are similar in that they are used for temporary purposes, i.e. they package up a collection of files that generally then get distributed to one or more people via a file transfer, a pen drive or, more commonly, email. Once the ZIP file has been produced and sent, the task is done, but often the ZIP file is not then removed. Instead it is left in situ and exposes the organisation to data breach risk if that file ever falls into the wrong hands.
Infoboss run data audits for our clients and one of the top things we look for is short-term-use files like CSV and ZIP. We almost always find them, always packed full of private and confidential, sensitive or personal data, and more often than not buried deep in work-in-progress folders on shared drives, going back many years, forgotten and left to rot. But like single-use plastic bottles, they don’t rot. They stay there until they’re found, and let’s hope that is by someone who does not mean to cause your business harm.
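To make the idea of such a sweep concrete, here is an added example (not Infoboss' tooling or code from this article) that walks a folder tree, reports CSV and ZIP files older than a threshold, and reads only the header row of each CSV, including CSVs inside ZIPs, for sensitive-looking column names. The keyword list, the 90-day threshold and the function names are assumptions chosen for illustration.

```python
import csv, os, sys, time, zipfile

# Assumed keyword list and age threshold; tune both for your own estate.
SENSITIVE = ("salary", "package", "bank", "dob", "passport")
MAX_AGE_DAYS = 90

def sensitive_columns(raw_first_line):
    """Return header cells that contain an assumed sensitive keyword."""
    text = raw_first_line.decode("utf-8-sig", errors="replace")  # drops a BOM
    cells = next(csv.reader([text]), [])
    return [c.strip() for c in cells if any(k in c.lower() for k in SENSITIVE)]

def audit(root, now=None, max_age_days=MAX_AGE_DAYS):
    """List CSV/ZIP files under root older than max_age_days, oldest first."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in (".csv", ".zip"):
                continue
            path = os.path.join(dirpath, name)
            age_days = int((now - os.path.getmtime(path)) // 86400)
            if age_days < max_age_days:
                continue  # recent files may still be in legitimate use
            hits = []
            try:
                if ext == ".csv":
                    with open(path, "rb") as fh:
                        hits = sensitive_columns(fh.readline())
                else:  # inspect the archive without extracting it to disk
                    with zipfile.ZipFile(path) as zf:
                        for member in zf.namelist():
                            if member.lower().endswith(".csv"):
                                with zf.open(member) as fh:
                                    cols = sensitive_columns(fh.readline())
                                hits += [f"{member}:{c}" for c in cols]
            except (OSError, RuntimeError, zipfile.BadZipFile):
                hits = ["<unreadable>"]  # corrupt or encrypted: still report it
            findings.append({"path": path, "age_days": age_days, "sensitive": hits})
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

if __name__ == "__main__":
    # Usage: python audit.py <folder>; defaults to the current directory.
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Only header rows are read, so the report itself never copies the personal data it is looking for.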
If you’d like to discover more about infoboss’ data audit service and how we can put in place the means of automating the monitoring of your data estate for anomalies such as single use sensitive data files, then please get in touch.