Lessons from the Sage data leak

UK software giant Sage this week admitted that a user with internal login credentials had gained access to customer data on the company’s network. Although public details remain vague for now, Sage has contacted its customers and made a disclosure to the Information Commissioner’s Office, the UK regulator for data protection and privacy.

“We believe there has been some unauthorised access using an internal login to the data of a small number of our UK customers so we are working closely with the authorities to investigate the situation,” the Newcastle, England-headquartered firm said in a statement.

“Our customers are always our first priority so we are communicating directly with those who may be affected and giving guidance on measures they can take to protect their security. Please note this issue does not affect any customers in other countries.”

As a key supplier to UK small and medium-sized businesses, Sage has a huge influence on how accounting and business management are handled across a vast number of firms. I spoke to Stuart Clarke, chief technology officer of cybersecurity at Nuix, about the lessons to be learned.

Despite the “distinct lack of facts” currently in the public domain, Clarke says the case “looks to be an insider threat” and praised the fact that Sage appears to have publicised the incident quickly.

Insider threats are, of course, nothing new. Before the World Wide Web, it was widely accepted that insiders posed the most serious threat to information security. With the advent of the web, media attention moved on to juicier topics such as phishing, state-sponsored attacks, denial-of-service takedowns, hacktivism and so on. But the insider threat regained stature in dramatic fashion with Edward Snowden’s PRISM disclosures.

“Insiders are trusted individuals that have access to the ‘crown jewels’,” Clarke says. “The lesson here is to get your house in order and realise that while, traditionally, security has been about perimeter defences, it also has to be about protecting from the inside.”

Regular auditing, encryption and data segmentation should all be part of a holistic approach to security, Clarke says, so that in the event of a breach companies at least know the likely impact and scope of the problem. “Nobody is immune to a breach but it’s important that in the event I do get breached that I know the scale of the threat.”

However, Clarke also warns against attempts to take a ‘control everything’ approach, saying that so-called ROT (redundant, obsolete and trivial) data can be a distraction.

“You can do a huge amount of logging and monitoring but if you don’t know what you’re logging, you’re generating a huge amount of noise,” he adds.

Clarke also calls for better understanding of insider threats. Research on the nature of insiders who create problems is thin on the ground – although there are some academic studies – beyond the sense that they often feel overlooked or underappreciated by their employers. At a minimum, security experts should watch out for changes in behaviour patterns such as the employee who suddenly breaks from established routine in their working hours, for example.

“It’s hard to profile but there are certainly trigger points,” Clarke says. “We’ve traditionally tried to solve these problems with technology but it’s more about behaviour anomaly. But there’s a lot more understanding to be done in this area and [part of the challenge is] finding out how people are feeling and realising that individuals need to feel valued.”
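The working-hours trigger Clarke describes is easy to sketch as a baseline-and-deviation check. The Python below is an added example written for this article; it is not code from Sage, Nuix or the author. The log format, user names, dates and addresses are constructed for illustration: a profile of each user’s normal login hours, weekday/weekend pattern and source addresses is built from the period before a cutoff, and every later login is compared against it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format, not a real Sage or Nuix log):
# "<ISO timestamp> user=<name> event=login src=<ip>"
SAMPLE_LOG = """\
2016-08-01T08:55:12 user=alice event=login src=10.0.1.5
2016-08-02T09:03:41 user=alice event=login src=10.0.1.5
2016-08-03T08:47:03 user=alice event=login src=10.0.1.5
2016-08-04T09:12:30 user=alice event=login src=10.0.1.5
2016-08-05T08:58:19 user=alice event=login src=10.0.1.5
2016-08-08T09:01:55 user=alice event=login src=10.0.1.5
2016-08-09T08:49:27 user=alice event=login src=10.0.1.5
2016-08-10T09:05:44 user=alice event=login src=10.0.1.5
2016-08-01T07:30:02 user=bob event=login src=10.0.2.9
2016-08-02T07:41:15 user=bob event=login src=10.0.2.9
2016-08-03T07:28:50 user=bob event=login src=10.0.2.9
2016-08-04T07:35:08 user=bob event=login src=10.0.2.9
2016-08-05T07:39:44 user=bob event=login src=10.0.2.9
2016-08-11T09:00:12 user=alice event=login src=10.0.1.5
2016-08-13T02:17:09 user=alice event=login src=10.0.1.5
2016-08-12T07:32:21 user=bob event=login src=10.0.2.9
2016-08-12T22:48:03 user=bob event=login src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=login src=(\S+)$")


def parse(log_text):
    """Yield (timestamp, user, src) for each well-formed login line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login event in the assumed format
        ts, user, src = m.groups()
        yield datetime.fromisoformat(ts), user, src


def build_baseline(events, cutoff):
    """Per-user routine learned from logins strictly before `cutoff`."""
    profile = defaultdict(lambda: {"hours": set(), "weekend": False, "srcs": set()})
    for ts, user, src in events:
        if ts >= cutoff:
            continue
        p = profile[user]
        p["hours"].add(ts.hour)
        p["weekend"] = p["weekend"] or ts.weekday() >= 5
        p["srcs"].add(src)
    return profile


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_login(profile, ts, user, src, hour_tolerance=1):
    """Return the reasons this login deviates from the user's baseline (empty = routine)."""
    p = profile.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if all(hour_distance(ts.hour, h) > hour_tolerance for h in p["hours"]):
        reasons.append(f"hour {ts.hour:02d} outside routine {sorted(p['hours'])}")
    if ts.weekday() >= 5 and not p["weekend"]:
        reasons.append("weekend login, never seen in baseline")
    if src not in p["srcs"]:
        reasons.append(f"new source {src}")
    return reasons


def detect(log_text, cutoff_iso):
    """Baseline on logins before the cutoff, then flag later logins that break routine."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    events = list(parse(log_text))
    profile = build_baseline(events, cutoff)
    alerts = []
    for ts, user, src in events:
        if ts < cutoff:
            continue
        reasons = score_login(profile, ts, user, src)
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect(SAMPLE_LOG, "2016-08-11"):
        print(ts, user, "; ".join(reasons))
```

Run as-is, the script stays silent on alice’s and bob’s ordinary weekday morning logins and raises two alerts: alice at 02:17 on a Saturday, and bob at 22:48 from an address never seen before. The `hour_tolerance` knob is the practical answer to Clarke’s noise point: widen it and the weekend and new-source checks do the work, tighten it and every late finish becomes an alert. A user with no baseline at all is flagged rather than ignored, which is how a freshly created internal account shows up.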

Anybody who thinks they might be affected by the Sage breach should change passwords and credentials now and keep rotating them on a regular basis, Clarke says, while monitoring their business accounts especially carefully. As for Sage, any penalty would be based on the seriousness of the breach and how many people have been affected, but the evidence increasingly argues against the notion that a breach is catastrophic for the company involved. After a dip, the firm’s share price is today trading close to its valuation before the incident was reported.

Martin Veitch

Martin Veitch is Contributing Editor for IDG Connect