  • 03 August 2023
  • 7 min read

Virtual data rooms and stores: cyber threats facing your organisation and employees

1 in 5 data breaches can be traced back to an insider threat. How do they present themselves and what can you do to mitigate these risks?

Every CISO and DPO understands that data plays a pivotal role in driving business success and innovation. As a result, data caches make for attractive targets for cybercriminals – this is no different for virtual data rooms and confidential data sharing practices.

With the increasing need for seamless information sharing and collaboration in many industries, Virtual Data Rooms (VDRs) and persistent data sharing platforms have emerged as valuable tools for organisations to increase speed and efficiency of operations.

These secure online repositories enable the safe exchange of sensitive information during mergers, acquisitions, fundraising, and critical day-to-day business processes. However, with great convenience comes great responsibility.

In this article, we will delve into the cyber security risks and threats associated with VDRs and cross-network data sharing, providing valuable insights to CISOs, DPOs, and cyber security decision makers on whether the solution is right for you. Furthermore, by understanding these potential dangers, you can better safeguard your organisation and employees from cyber attacks and data breaches.

How do Virtual Data Rooms and Stores secure your data?

A virtual data room (commonly abbreviated as VDR and sometimes referred to as a “deal room” in the context of mergers and acquisitions) is a secure online repository used for document storage and distribution. It is commonly employed during transaction deals, but the concept has been adopted by many organisations that need to share sensitive data across networks and professions.

VDRs replace “physical” data rooms and offer a more secure way to track information across a variety of services. They do not require a physical presence, they lower costs, and data can easily be accessed by authorised personnel, no matter where they are based. For example, a GP surgery referring a patient to a diabetic clinic will use a virtual data sharing system to transfer the patient’s profile, medical record, and clinical summary to the clinic. At every stage of that data journey the data is encrypted, so an intercepted copy is unreadable without the keys.

Data encryption is a crucial aspect of VDR security, ensuring that information remains unreadable and unusable by unauthorised parties. Robust encryption algorithms, such as AES-256, are commonly employed to secure data at rest and in transit.

One of the top indicators of a VDR/Data Store provider’s security is the type of certification it boasts. In this case, ISO 27081 is considered the primary label for secure cloud storage systems. ISO is the largest developer of international standards, and therefore, ISO certification is the most widely recognised certification. To be ISO compliant means to follow the guidelines set forth to protect Personally Identifiable Information (PII) in storage clouds.

Vulnerabilities: understanding weak links in the cyber chain

As virtual data rooms become increasingly popular, so do the cyber threats they bring. Cybercriminals are continually devising new strategies to exploit vulnerabilities in these platforms, targeting both the VDR providers and their users.

Phishing scams

One common avenue for cyber attacks is through phishing scams, wherein attackers send seemingly legitimate emails to trick users into revealing sensitive login credentials. If a threat actor can trick an untrained and unaware employee into revealing login credentials, an entire VDR could become compromised.

This is a persistent, major worry for DPOs: according to Verizon’s 2022 DBIR (Data Breach Investigations Report), 82% of data breaches involve a human element, including phishing and the use of stolen credentials. As VDRs handle sensitive financial data and proprietary information, they are attractive targets for cyber criminals seeking to gain unauthorised access.

But despite the very real threat that phishing poses to businesses today, only 1 in 5 organisations deliver phishing awareness training to their employees once a year. This lack of employee awareness is a large contributing factor to social engineering remaining the most likely threat type to cause a data breach. In fact, IBM reveals that one in five companies that suffer a malicious data breach is infiltrated due to lost or stolen credentials, while 17% are breached via a direct phishing attack.

Insider threats

Moreover, VDRs are susceptible to insider threats, wherein current or former employees misuse their access to sensitive data for malicious purposes.

Verizon's 2022 DBIR reveals that insiders have caused 20% of global data breaches. The report also indicates that there were 275 incidents caused by the intentional misuse of insider privilege in 2022, of which 216 resulted in confirmed data disclosures and ramifications for the organisation. The main motive for internal data breaches is financial (78%); however, holding a grudge (9%), conducting espionage (8%), and mere convenience (6%) are also reasons for insider breaches.

Let’s look at a real-life example: the infamous General Electric insider threat case. Here, two individuals, one former employee and one current employee of General Electric (GE), downloaded thousands of files containing trade secrets and turbine/power plant calibration data from GE's servers and sent them to private email addresses or uploaded them to the cloud. They also tricked an authorised administrator into granting them access to data they were not permitted to view. With the stolen intellectual property, they founded a competitor to GE! After several years of investigation, the insiders were convicted and sentenced to prison in 2020.

To counter insider risk, organisations must adopt robust access controls (consider ‘zero trust’) and regular auditing of user permissions within the VDR.

Compliance challenges

For organisations operating in highly regulated industries like healthcare, using Virtual Data Rooms introduces compliance challenges. The General Data Protection Regulation (GDPR) in the European Union, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and other data protection laws require organisations to implement stringent measures for data protection to ensure client/patient confidentiality.

Failure to comply with these regulations can result in severe financial penalties and reputational damage. A study by DLA Piper reveals that data protection supervisory authorities across Europe have issued a total of €1.64bn ($1.74bn/£1.43bn) in fines since 28 January 2022, a year-on-year increase in aggregate reported GDPR fines of 50%! This is more than double the aggregate value of fines issued in 2021. The increase demonstrates data protection supervisory authorities’ growing confidence and willingness to impose high fines for breaches of the GDPR, as well as the importance of taking data protection protocols and measures seriously – otherwise, the financial ramifications can be truly crippling for your organisation.

In 2017, Equifax, one of the largest credit reporting agencies in the world, suffered a massive data breach that exposed the personal information of 147 million consumers. The breach resulted from a failure to patch a known vulnerability in their online data storage platform, leaving sensitive data exposed to cybercriminals. The incident led to a settlement of $575 million with the Federal Trade Commission, $100 million in civil penalties, and significant reputational damage. This case underscores the importance of proactive security measures and patch management to maintain compliance with data protection regulations.

Top tips for data protection cyber security

To mitigate the risks associated with Virtual Data Rooms, organisations can implement the following best practices:

  • Conduct thorough VDR and Data Stores provider assessments: Evaluate the security practices and certifications of potential VDR providers and data storage partners to ensure they meet your organisation's security requirements. If you find lax security behaviours and gaps in knowledge, it is your obligation to elevate your third-party partners to your cyber security level.
  • Implement robust encryption: Encrypt sensitive data at rest and in transit using strong encryption algorithms to prevent unauthorised access and massive financial/reputational damage.
  • Train employees on cyber security: Provide comprehensive training to employees on identifying and reporting potential cyber threats, such as phishing attempts. The quicker breaches are spotted, the smaller the fallout will be. Do not underestimate the ROI you will get from employee cyber security training.
  • Enforce multi-factor authentication (MFA): Require users to authenticate using multiple methods, such as passwords and biometrics, to enhance access security. You may lose some speed and efficiency, but this is a necessary step in an era of credential stuffing and rampant social engineering attacks.
  • Regularly audit user permissions: Review and update user access permissions within the VDR to prevent unauthorised access and potential insider threats. Employees come and go, but they must be allowed to do so without taking any intellectual property, access rights or login credentials with them – you cannot afford to have authorised keys operating outside of your network.
  • Monitor VDR activities: Implement real-time monitoring and analysis of VDR activities to detect and respond to suspicious behaviours promptly. Monitoring VDR activities also allows you to spot unsafe and malicious behaviours, sometimes even pinpointing weak cogs in the workforce, that you can then target with specific tailored training.
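The monitoring and permission-audit tips above, and the GE case in the insider threat section, describe patterns a defender can look for in a VDR's audit trail. The script below is an added example, not code from the article or any VDR vendor: it parses a constructed audit log (the line format and the offboarding list are assumptions) and flags bulk downloads, downloads that follow a fresh access grant, and any activity by an account that should have been deprovisioned.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VDR audit log (format assumed; real vendor exports differ). Lines are
# "<ISO timestamp> user=<id> action=<grant|download|login> <key>=<value> ...".
SAMPLE_LOG = "\n".join(
    ["2023-08-01T08:55:10 user=vdr.admin action=grant target=m.jones folder=turbine-calibration",
     "2023-08-01T09:02:00 user=a.smith action=download doc=Q2_forecast.xlsx",
     "2023-08-01T09:03:00 user=j.doe action=login ip=203.0.113.7"]
    + [f"2023-08-01T09:{m:02d}:00 user=m.jones action=download doc=calib_{m:03d}.csv"
       for m in range(10, 30)]          # 20 downloads in 20 minutes
)

FORMER_EMPLOYEES = {"j.doe"}  # constructed offboarding list (would come from HR / IdM)

def parse_line(line):
    """Split one audit line into a dict of key=value fields plus a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def find_insider_signals(log_text, former, max_downloads=10, window=timedelta(hours=24)):
    """Return sorted (rule, user) findings: former-employee activity, bulk downloads,
    and bulk downloads that follow an access grant to the same account."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = set()
    downloads = defaultdict(list)   # user -> download timestamps
    granted = {}                    # grantee -> time access was granted
    for e in events:
        if e["user"] in former:
            findings.add(("former_employee_activity", e["user"]))
        if e["action"] == "grant":
            granted[e["target"]] = e["ts"]
        elif e["action"] == "download":
            downloads[e["user"]].append(e["ts"])
    for user, times in downloads.items():
        times.sort()
        for i, start in enumerate(times):   # sliding window over each user's downloads
            n = sum(1 for t in times[i:] if t - start <= window)
            if n > max_downloads:
                recently_granted = user in granted and granted[user] <= start
                findings.add(("grant_then_bulk_download" if recently_granted
                              else "bulk_download", user))
                break
    return sorted(findings)

if __name__ == "__main__":
    for rule, user in find_insider_signals(SAMPLE_LOG, FORMER_EMPLOYEES):
        print(f"{rule}: {user}")
```

Thresholds and the offboarding feed are the parts to tune per organisation; a review of the grants themselves (who approved them and why) is what turns the second finding into an insider investigation rather than a false positive.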

Conclusion

Virtual Data Rooms are invaluable tools for organisations, enabling secure and efficient collaboration during critical business processes. However, the cyber security risks and threats associated with VDRs cannot be ignored. Cybercriminals are continually evolving their tactics, targeting both VDR providers and their users to gain unauthorised access to sensitive data.

By understanding the potential vulnerabilities and implementing robust security measures, CISOs, DPOs, and cyber security decision makers can safeguard their organisations and employees from cyber attacks and data breaches. Remember, cyber security is not a one-time effort.

If you would like information about how The Security Company can help you to educate employees on data protection, data classification and reporting breaches, or how we support security leaders in pinpointing gaps in your security armour, please contact our Head of Business Development and Sales.

The Security Company's vast library of customised and non-customised products and services is tailored for small, medium and large organisations and is available in a variety of languages. We also offer bespoke solutions for organisations that want training and awareness materials built from the ground up.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.