It all starts with Data Discovery

The noise around GDPR is increasing as organisations including Microsoft and Google set out their plans for complying with legislation.  Our aim is to filter that noise down to a considered conversation that focuses on what’s important to your business and how you can take the appropriate steps to deliver a positive GDPR outcome.  The following extract from our whitepaper illustrates how starting with what you know is the first step in the process.

Starting with What You Know

Most organisations have distinct functional areas with distinct processes and tools for holding data on individuals.  A simple table such as the one below provides an overview of the most common business functions, and the types of data they hold.

Once this initial dataset is understood, it becomes important to identify what is personal data and what is not.  This is further broken down into data that could be used to identify an individual, and information that would be classified as sensitive.

With GDPR, these definitions of data have been broadened to reflect the ways in which many organisations now retrieve and store information.

This broadening may result in additional compliance obligations for organisations.  The below provides an illustration of how this change will play out.



A Process of Data Discovery

Of course, starting with what you know only works if you know what data you have.  What GDPR forces business leaders to consider is where every single piece of personal data is across their IT estate – including the Cloud.  Taken in this context, the question of what data an organisation holds on individuals becomes a complex one to answer, and one that is going to require time, resources and budget.

A thorough approach to data discovery, properly implemented, will lead you to data that you did not know about – offering not only a great start to GDPR compliance but also the opportunity to uncover and resolve data that is ‘hiding’ throughout your network, including company sensitive information, personally identifiable data and duplicated information.

To find out more about our approach to GDPR and how we can help your business use the legislation as an opportunity for business growth through great data management – download our whitepaper here: or get in touch at


Our Tips for the Hot Topics at Infosec 2017

Infosec Europe 2017 – Our Tips for the Hot Topics

In the run up to Infosec 2017, the key to making your visit successful is preparation.  Keynotes fill up fast and with over 18,000 attendees and 195 sessions you could spend half your time trekking across Olympia if you don’t carefully plot your course.

Part of our preparation at Exonar has been considering the topics that we think will be the most talked-about so when some of our team are not manning our stand in the Cyber Innovation Zone, we’ll be making sure we get to the best sessions first.


We’re looking forward to hearing a range of viewpoints on what the way forward is since the initial furore has died down (and in anticipation that there won’t be another attack before the event).  We expect interesting discussions around public / private sector partnership in ways that combine the moral and the commercial.


There will no doubt be increased focus on the inherent risk present in the growing number of connected devices – especially given the recent launch of Google Home.  Research from Statista suggests there will be 31 billion connected devices by 2020, which makes the potential impact of a wide-ranging DDoS one that is impossible to ignore.

General Data Protection Regulation (GDPR)

We see GDPR as having the potential to deliver enormous benefits to organisations when it comes to data security.  The process of data discovery and management that’s required to comply with the regulation gives organisations the opportunity to find the data that’s an asset, and remove any data that poses an unwanted risk.  Download our whitepaper to find out more.

Legal Responsibilities

Who takes the blame when there’s a breach?  Organisations providing technical services and solutions need to be clear about their liabilities, and we expect consumers in particular to start demanding greater clarity.  GDPR goes some way to help define boundaries and obligations, but we also expect to see an upsurge in claims-handling companies who sniff an opportunity.


Alongside businesses ready to go to court on behalf of victims of data breaches, we expect to see cyber-security insurance products and services become a market of their own.  We’ll be listening out for the views from the anti-virus vendors on what they think could happen next.

Planning to visit Infosec and want to find out more about how a data-first approach could help your business become GDPR compliant?  Come and see us on Stand S07 in the Cyber Security Zone.  Or if you’d like to get to know us a little better first, drop us a line at



What We’ve Been Reading And Writing This Month

Data Protection


Data Exposure, Protection Law and Passwords
At the End – Know Anyone We Can Recruit?
Brexit: Implications for Data Protection Law
Dan Tench, Partner at Olswang LLP, here reflects on the implications of the recent Brexit vote in the UK on data protection law. For months, data protection lawyers have been warning…
WhatsApp Privacy Fears as Deleted Chats Are Recovered
WhatsApp chats can still be retrieved even if users think they’ve completely deleted or cleared them, according to new research. Security researcher, Jonathan Zdziarski, claimed that even…
Wolverhampton Council Blunder Exposes Data
Wolverhampton council is the latest local authority to have its knuckles rapped by the Information Commissioner’s Office (ICO) after a data handling blunder led to it exposing the…
The Data Protection Dustbin: Safely Disposing of Personal Data
A recent article by Kevin Townsend picks up on a report by Blancco Technology Group suggesting that ‘78% of second-hand hard drives purchased from eBay and Craigslist now contain…
Defensible Disposal: You Can't Keep All Your Data Forever
Guest post written by Deidre Paknad Deidre Paknad is founder of the Compliance, Governance and Oversight Counsel and Director of Information Lifecycle Governance Solutions at IBM. Deidre…
Yes, the passwords to many of your systems ARE stored in...
The interview- the cause of the Sony hack in 2014? At organisations ranging from small governmental bodies to large Fortune 500 companies we’ve found dozens through to tens of thousands of…
Start a meetup, you might be surprised what happens - Exonar
Exonar ended up in Newbury, Berkshire, for carefully considered, statistically sound, scientific reasons. Company legend has it that the early employees sat round a dining table, used…
Think you've got what it takes? Exonar are hiring - Professional Services Lead wanted. 
Professional Services Lead Reporting to: Julie Evans, Chief Operating Officer Job Purpose With support from the leadership team accountable for client outcomes post sale, through programme…
Have a flair for development? Exonar are hiring - Junior Dev Ops Engineer wanted.
Exonar is looking for talented individuals to join our dynamic team. JUNIOR DEV OPS ENGINEER POSITION Why Exonar? Exonar recognises that the key to information security in an organisation…

Yes, the passwords to many of your systems ARE stored in documents on your network

At organisations ranging from small governmental bodies to large Fortune 500 companies we’ve found dozens through to tens of thousands of passwords stored openly on each network. Why does it happen and what can you do about it?

Back in the chilly winter days of November 2014, news broke that a group calling themselves the Guardians of Peace had obtained and leaked stacks of sensitive information originating from Sony Pictures. There were accusations of North Korean involvement resulting from the planned release of “The Interview” and much tutting from experienced security types at the apparently naive security posture of this prestigious corporation.

If you imagine your own organisation’s most sensitive information, Sony Pictures’ version of that information was in there. It was, in other words, the mother lode. Salary information, enough sensitive, personally identifying information to take over a lot of people’s identity, insulting emails regarding minimally talented spoiled film stars, confidential company performance data and even passwords to Sony’s systems and accounts.

“Passwords?” I hear you ask. After all, every company needs to keep its employee / financial / corporate secrets somewhere. Hopefully it isn’t stored all over the place, accessible to everyone, is it? Well, more on that later. But passwords? Who in their right mind sticks passwords in emails, documents and spreadsheets on file shares on a network?

Everyone, it turns out, stores passwords in emails, documents and spreadsheets. Well, everyone in the statistically relevant sense at least. I’m sure there are companies out there where this problem doesn’t exist, but we haven’t found one yet.

So who might these companies be that we can look up to? Many companies now have single sign-on systems or tools for privileged access management, but that doesn’t quite cut it. That one system over there with the command line and the old software that no-one dares turn off doesn’t support single sign-on, does it? Of course, there are companies (like Exonar) whose employees are provided with platform-agnostic tools such as LastPass or 1Password. Maybe in some theoretical company every single employee uses said password management tool every single time they are asked for a password.

Back in the real world then… In big companies, given enough employees with enough time pressure to get stuff done, some people will write, send, re-use and type out passwords in spreadsheets, text messages and emails. They do this because it is easier than the alternative, which is to create and securely store complex, unique passwords for each account they need. They store those passwords unwittingly when the text message containing a password is backed up from their Blackberry to their machine, and from there to the network. They store them carelessly when the passwords issued to staff for that new external trial system are kept in a spreadsheet. The author meant to delete it after the trial, really he did. They are stored because, often, the user doesn’t know any better, isn’t provided with a better alternative, and no-one knows he’s doing it.

How bad is this problem? In our experience, pretty bad. Since the Sony breach, we’ve incorporated password searches into our standard information discovery scans. Across the scale of companies we work with we’ve found dozens of passwords through to tens of thousands of passwords stored on shared storage.

It’s hard to argue that this is anything other than a real and serious vulnerability. Hopefully, we’re now past the point where organisations assume their border security controls can flawlessly prevent unauthorised access to the network. The sensible alternative is to design security as though the attacker is already in the network. In this model, an attacker holding any one user’s credentials, with ordinary read access to the shares, has every likelihood of grabbing these stored passwords and using them to reach customer / critical / sensitive systems.

I always try to imagine the headlines that could be written if a vulnerability is exploited as it helps frame the consequences. To me, “All of Acme’s corporate and security systems taken offline, customer data exposed” seems like a pretty bad morning for all involved.

So what to do about this problem? By breaking the issue down to the three step process of “Discover, Act, Understand” we can start to control the situation and eliminate the risk. There is no reason to restrict this process to just passwords. I mentioned at the top of this article that hopefully your sensitive employee / financial / corporate information is well controlled, but to be honest that is probably even less likely than there being no passwords saved anywhere insecure.

Discover

“I just don’t know what we’ve got” says pretty much every CISO / CIO we work with. Visibility of sensitive information is a real barrier to meaningful information security and governance, regardless of what information needs securing or governing.

It’s hard to create change without quantifying the problem. Finding out how big the problem is gives an organisation the imperative to do something now or justification to put the problem off until another day.

The discovery process can be as simple as creating a “data amnesty” for users, where they volunteer sensitive information that is being stored insecurely.

It can take the form of using some manual sampling of files or using the inbuilt, simple search in your operating system.

It could also take the form of getting whoever is managing the network storage to look for files or directories containing the word “password” or one of its common abbreviations.

Robust data is going to be advantageous here. It will help prioritise where to take action and provide sufficient information to quantify the risk.
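As an added worked example, not code from Exonar’s platform or from the original article, the following Python script does the simple form of the discovery step described above: it walks a mounted share, reads plain-text files, looks for “password” and its common abbreviations followed by a separator and a value, redacts what it finds so the report is not itself a password list, and totals hits per top-level directory so the worst business areas can be tackled first. The list of file types, the regular expression, the placeholder list and the constructed sample share are all assumptions made for illustration.

```python
"""Added example (not Exonar's code): a minimal discovery scan for password-like
content on a mounted file share. File types, pattern, placeholder list and the
sample share are assumptions made for illustration."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Plain-text formats read directly (assumption). Office/PDF need a text extractor first.
TEXT_SUFFIXES = {".txt", ".csv", ".ini", ".cfg", ".conf", ".md", ".eml", ".log",
                 ".json", ".yml", ".yaml", ".xml", ".ps1", ".sh", ".bat"}

# "password" and common abbreviations, a ':' or '=' separator, then a value.
# Catches "password: hunter2", "pwd=abc123", "Passwd = s3cret"; misses prose such as
# "the password is hunter2", which needs a second pass or a human reviewer.
PASSWORD_RE = re.compile(
    r"\b(?P<key>password|passwd|passwort|pwd|pass(?:phrase)?)\b\s*[:=]\s*(?P<value>\S+)",
    re.IGNORECASE,
)

# Values that are templates or documentation rather than secrets (assumption).
PLACEHOLDERS = {"<password>", "xxx", "xxxx", "********", "changeme", "password", "none", "null"}


def redact(value: str) -> str:
    """Keep only the first character and the length, so the report does not leak the secret."""
    if not value:
        return "*"
    return value[0] + "*" * (len(value) - 1)


def scan_file(path: Path) -> list:
    """Return [(line_no, key, redacted_value)] for each credential-like line in one text file."""
    hits = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return hits  # unreadable file: skip it rather than abort the whole scan
    for no, line in enumerate(text.splitlines(), 1):
        for m in PASSWORD_RE.finditer(line):
            value = m.group("value").strip("\"',;")
            if not value or value.lower() in PLACEHOLDERS:
                continue
            hits.append((no, m.group("key").lower(), redact(value)))
    return hits


def scan_share(root) -> tuple:
    """Walk a share. Returns (findings, hits_per_top_level_directory).

    findings: [(relative_path, line_no, key, redacted_value)]
    The per-directory Counter is the prioritisation view: which area to tackle first.
    """
    root = Path(root)
    findings, by_dir = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in TEXT_SUFFIXES:
                continue  # binary formats are skipped in this simple version
            rel = p.relative_to(root)
            top = rel.parts[0] if len(rel.parts) > 1 else "."
            for no, key, red in scan_file(p):
                findings.append((str(rel), no, key, red))
                by_dir[top] += 1
    return findings, by_dir


def build_sample_share() -> Path:
    """Constructed sample share (not real findings) so the script runs offline."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    for d in ("finance", "it", "hr"):
        (root / d).mkdir()
    # The spreadsheet-for-the-trial-system case from the article, as a text export.
    (root / "finance" / "trial_logins.txt").write_text(
        "Logins for the new invoicing trial (delete after pilot!)\n"
        "alice  password: Summer2017!\n"
        "bob    pwd = Passw0rd\n"
    )
    (root / "it" / "switch_notes.txt").write_text(
        "core-sw-01 enable passwd: c1sco123\n"
        "password policy: 12 chars, rotate quarterly\n"  # key without a value: not a hit
    )
    (root / "it" / "README.md").write_text("Set PASSWORD=<password> before running.\n")  # placeholder
    (root / "hr" / "policy.docx").write_bytes(b"PK\x03\x04 not a text file")            # skipped
    return root


if __name__ == "__main__":
    found, per_dir = scan_share(build_sample_share())
    for path, no, key, red in found:
        print(f"{path}:{no}: {key} -> {red}")
    print("hits per top-level directory:", dict(per_dir))
```

Run against the constructed share it reports three hits (two under finance, one under it) and prints only redacted values. The pattern deliberately catches only the “key: value” shape; it will miss passwords written in running prose, and office documents need a text extractor before the same regex can be applied. Even this crude count is enough to produce the quantified document the text calls for, and the per-directory totals tell you where to start.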

We’ve developed the Exonar platform specifically for this purpose — to show you where your sensitive data is, what it is and who can access it.

We’re always happy to help out with these initial scans, whether they are to discover where passwords exist within the content of all of your documents or a broader remit. If quickly gathering information on where all your sensitive information is a priority, our consulting partners can make this process thorough, painless and effective.

Okay enough of the Exonar advert. However you decide to tackle the discovery process, the output should be a document that quantifies the issue, the risk it poses your organisation, contextualises the risk in terms of reputation, regulation and cost, and provides recommendations to resolve the problem.

Act

Having quantified the problem through the discovery phase (assuming there is a problem), you’ll be thinking about how to change the behaviour that is causing the problem. A policy and some guidelines will be critical.

How should I store my passwords if I can’t put them in a spreadsheet? Does “Passwords should be securely stored” mean it’s okay to store them in a password protected spreadsheet? The more practical and usable the advice, the more likely you are to eliminate the behaviour that is creating the risk.

Understand

This is where the understand phase begins. Being able to pinpoint whether behaviour is changing and where modifications need to be made to guidelines, or extra help provided to particular areas of the business will likely be the difference between success and failure.

This process could be as lightweight as incentivising individuals to report passwords found on the network, then tracking where these reports are turning up. Again though, robust data will help you effect change more rapidly. Having a tool (cough like Exonar’s cough) that can monitor where problem areas exist will be a huge boon when it comes to comparing and contrasting the success of the initiative.

The Payback

“What’s the ROI?” always feels like a tough question in the context of security or risk. After all, do we invest in that slightly squishy tarmac at children’s play areas because fewer broken limbs among the under-12s boost the economy?

However, this is a rare case where reducing risk is also likely to have a positive impact on productivity and cost. As part of this process, you’ll quickly find what is technically known as U.O.C. (Useless Old Crap) in every corner of your storage, squirreled away, just in case. Well, be gone UOC, those piles of over-winter information nuts are costing money to store, increasing the surface area for attack and preventing your employees from finding the useful information they need to be productive. We find duplication, and lots of it (the range is 30% to 47% as of now) whenever we scan network storage.

So, don’t delay, go and ask Bob, Beatrice or whoever, where do they keep those passwords. If they choose to admit it, chances are they are writing them down, re-using them or fibbing. But Bob wouldn’t fib to you, would he?