White Paper Executive Summary
Most people associate cyber attacks with ransomware attacks that impact either the confidentiality or the availability of critical information and/or systems. Confidentiality attacks expose sensitive information to unauthorised parties through data theft. Availability attacks focus on making data unavailable temporarily or permanently. A Denial of Service attack on a website is an example of an Availability attack.
However, attacks on data integrity are either not fully understood or are seldom displayed on organisational risk radars. This could be solely due to the lower numbers of such attacks when compared to the more popular attacks that expose confidential information or that delete sensitive data.
An integrity attack is one in which existing data is manipulated or changed without authorisation, or in which fake data is added, again without authorisation. This attack is also known as Data Poisoning or Data Tampering.
- The threat of data poisoning is so great and the impact so severe that the EU’s ENISA (European Union Agency for Cybersecurity) identified data poisoning as one of the major threats in the data domain. ENISA goes on to say that trustworthy data is, in fact, a prerequisite for implementing safe autonomic and adaptive systems built on data.
- PassBlue, a non-profit media organisation, takes it a step further and claims the following: “Adversarial data manipulation is the nuclear weapon of the 21st century.”
- Finally, Microsoft has this to say about the need to protect the integrity of data when it comes to Machine Learning and AI: “The greatest security threat in machine learning today is data poisoning because of the lack of standard detections”.
Given the ongoing reliance on data for mission-critical systems, from AI to making critical business decisions, it is safe to say that organisations need to:
- Include the threat of Data Poisoning (or Data Tampering) and its impacts on their risk radars and business impact analysis activities for the foreseeable future.
- Invest in Data Notarisation systems that can provide ongoing, near-real-time assurance of data integrity throughout the data flow and lifecycle.
Inaction could very likely be the end of most organisations.