Mikaila Menezes

5 Potential Data Breaches: How They Happen

Companies and businesses, regardless of size, are at risk of a data breach. In addition, a data breach can be costly, with the potential of irrevocable damage.


Data breaches can result in:


  • Operational Downtime: Disruption of business activities in the aftermath - controlling the breach, performing a comprehensive investigation, and possibly shutting down so that investigators can obtain all the necessary answers.

  • Financial Losses: compensating impacted consumers, implementing incident response activities, breach investigation, investing in new security measures, legal expenses, and non-compliance fines.

  • Loss of Sensitive Data: personal information that may be used to identify an individual, such as a name, email address, IP address, pictures, genetic data, biometric data, and credit card number.

  • Reputational Damage: clients taking their business elsewhere, a decline in consumer trust, and the inability of a company to attract new customers, future investments, and new staff.



What Causes a Data Breach?


As technology has evolved, so have cybercriminals' powers. As a result, the probability of a data breach occurring within your firm has also grown dramatically.


To ensure that your company can effectively defend itself, it is essential to identify and understand the most typical causes of data breaches.


The five most common causes of data breaches are:


  • Unpatched Software

  • Human error

  • Inadequate Antivirus, Ransomware, and Malware solutions

  • Malicious insider activity

  • The actual theft or loss of corporate equipment


Once you thoroughly understand these frequent causes of data breaches, you will be better positioned to recognize them and address them.


Keep Patching - Never Skip a Beat


All software has inherent security vulnerabilities. Software and systems are made by people and can be broken by people! Vendors and suppliers are under continuous pressure to release updates and patches to contain vulnerabilities as they are discovered.


Ignore or postpone patches at your peril. If you don't patch these security flaws, you're giving hackers full access to your company's confidential data.


Hackers and cybercriminals have access to the same vulnerability data. Head to this site and type any product you know in the search bar.


The People Factor


At least 80% of all data breaches result from human error. Even with the best security measures in place, it boils down to people.


Let’s talk about some of the human errors:


  • Passwords

    • Using weak passwords

    • Not applying a password policy

    • Tolerating non-expiring passwords

    • Sharing passwords

    • Not changing default administrator passwords

  • Falling for Scams

    • Phishing scams

    • Social Engineering

  • Inadvertently sharing information

    • Sending sensitive information to incorrect recipients

    • Accepting the use of 3rd party ‘free’ email applications on company devices

  • Not having a Remote work and BYOD policy (bring your own device)

    • Employees working remotely may be using a company laptop, but the network equipment is their own

    • Offer to secure their home networks for them

    • Employees often prefer to use their own devices


Many, if not all, of these errors can be avoided.


Here are a few steps you can take to reduce the risk of human error:

  • Awareness and Training

    • Consider running simulated campaigns so staff can get to know what a scam looks like

    • Continuously advise staff of changes in the threat landscape that may impact them

    • Encourage an “If in Doubt - Shout” culture

  • Limit Access

    • Adopt least privilege policies

    • Ensure staff have the minimum access required to do their jobs

    • Immediately revoke access for terminated employees

  • You may not be able to block 3rd party emails completely

    • Advise staff of the implications if they are found sending illegal emails


There are myriad more things you can do to protect your staff. Remember, find the balance between security and productivity. Don’t choke your team; they will find other ways to get their jobs done if you do.


Fit-For-Purpose Antivirus and Malware Solutions


Not all antivirus solutions are equal. The expression "you get what you pay for" is apt here. Free solutions don’t cut it.


It is a fallacy that Linux and Mac are not vulnerable. In the last year, news has shown the spread of Mac malware. Linux is open source, which means that the code can be changed. Ensure that if your staff does wish to use Linux, they use a distro (release) chosen from a company-approved list.


Just as with applications, antivirus solutions also need patching and updating. Consider making it an offense to ignore updates. If the company will not pay for an antivirus, at least ensure the staff uses a solution endorsed by your IT Department or Service Provider.


Insidious Internal Behaviour


One could argue this is no different from human error, but it is! Human error implies a mistake. Malicious insiders deliberately abuse your company systems, without permission, for their own gain.


Detecting malicious insider behavior is incredibly difficult. In many cases, the misuse is only discovered during the forensic audit after a breach - talk about closing the stable door after the horse has bolted!


But there are a few things that you can do to keep this to a minimum:


  • Classify your data

    • Open or public data

    • Private or personal information

    • Secret

    • Top secret information

  • Secure your data folders in line with the classification

    • The more sensitive the data is, the more difficult it must be to access

  • Apply stricter permissions to more sensitive data

    • You can build an approval process for access to the most sensitive information
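One way to check that folders are secured in line with their classification, as an added example that is not part of the original article. It assumes POSIX permission bits are the access control in use; the mode limits per level, the folder names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# The page's four levels mapped to the most permissive POSIX mode allowed.
# The mode values are assumptions for this example, not from the page.
MAX_MODE = {"public": 0o755, "private": 0o750,
            "secret": 0o700, "top_secret": 0o700}

def excess_bits(mode, allowed):
    """Permission bits present in mode that the policy does not allow."""
    return stat.S_IMODE(mode) & ~allowed & 0o777

def audit(labels):
    """labels maps a folder to its classification. Returns (path, label,
    excess bits in octal) for each folder or file looser than its label."""
    findings = []
    for root, label in labels.items():
        for dirpath, _dirs, files in os.walk(root):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                if os.path.islink(path):
                    continue  # a symlink's own mode bits are not meaningful
                extra = excess_bits(os.lstat(path).st_mode, MAX_MODE[label])
                if extra:
                    findings.append((path, label, format(extra, "03o")))
    return findings

def build_sample(base):
    """Constructed sample tree with two deliberate misconfigurations."""
    layout = {"brochures": ("public", 0o755), "hr": ("private", 0o755),
              "contracts": ("secret", 0o700), "board": ("top_secret", 0o700)}
    labels = {}
    for name, (label, mode) in layout.items():
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)
        labels[path] = label
    minutes = os.path.join(base, "board", "minutes.txt")
    with open(minutes, "w") as fh:
        fh.write("constructed sample\n")
    os.chmod(minutes, 0o644)  # world-readable file inside a top-secret folder
    return labels

def demo():
    with tempfile.TemporaryDirectory() as base:
        return [(os.path.relpath(p, base), label, bits)
                for p, label, bits in audit(build_sample(base))]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The file finding matters even though its parent folder is owner-only: the loose mode travels with the file if it is moved or the folder is later opened up.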


Theft or Loss of Company Devices


We don’t live in an honest world anymore - shame to say! Laptops, tablets, and smartphones are attractive items to thieves. Not to forget USB keys, external hard drives, CDs & DVDs. Even servers can be stolen.


While this is the last item on this list, it is by no means the lowest risk. How severe a breach caused by theft is depends on what is on the device.


Reducing the risk of device theft is closely related to where you store data and the policy for making copies. Remember, an attachment in an email is another copy.


Because theft is usually opportunistic, it is tough to predict.


Some things to do regarding theft or loss:


  • Implement remote wiping for devices at higher risk

    • Staff who travel a lot

    • Remote workers

  • Educate staff about the risk of local copies


Don’t Get Breached


There are undoubtedly many more threats out there. This article has covered the most likely data breaches. Contact us here if you would be interested in an obligation-free quote.


