Companies and businesses, regardless of size, are at risk of a data breach. In addition, a data breach can be costly, with the potential of irrevocable damage.
Data breaches can result in:
Operational Downtime: Disruption of business activities in the aftermath - controlling the breach, performing a comprehensive investigation, and possibly shutting down so that investigators can obtain all the necessary answers.
Financial Losses: compensating impacted consumers, implementing incident response activities, breach investigation, investing in new security measures, legal expenses, and non-compliance fines.
Loss of Sensitive Data: personal information that may be used to identify an individual, such as a name, email address, IP address, pictures, genetic data, biometric data, and credit card number.
Reputational Damage: clients are taking their business elsewhere, a decline in consumer trust, and the inability of a company to attract new customers, future investments, and new staff.
What Causes a Data Breach?
As technology has evolved, so have cybercriminals' powers. As a result, the probability of a data breach occurring within your firm has also grown dramatically.
To ensure that your company can effectively defend itself, it is essential to identify and understand the most typical causes of data breaches.
The five most common causes of data breaches are:
Unpatched Software
Human error
Inadequate Antivirus, Ransomware, and Malware solutions
Malicious insider activity
The actual theft or loss of corporate equipment
Once you thoroughly understand these frequent causes of data breaches, you will be better positioned to recognize them and address them.
Keep Patching - Never Skip a Beat
All software has inherent security vulnerabilities. Software and systems are manmade and can be man broken! Vendors and suppliers are under continuous pressure to release updates and patches to contain vulnerabilities as they are discovered.
Ignore or postpone patches at your peril. If you don't patch these security flaws, you're giving hackers full access to your company's confidential data.
Hackers and cybercriminals have access to the same vulnerability data. Head to this site and type any product you know in the search bar.
The People Factor
At least 80% of all data breaches result from human error. Even with the best security measures in place, it boils down to people.
Let’s talk about some of the human errors:
Passwords
Using weak passwords
Not applying a password policy
Tolerating non-expiring passwords
Sharing passwords
Not changing default administrator passwords
Falling for Scams
Phishing scams
Social Engineering
Inadvertently sharing information
Sending sensitive information to incorrect recipients
Accepting the use of 3rd party ‘free’ email applications on company devices
Not having a Remote work and BYOD policy (bring your own device)
Employees working remotely may be using a company laptop, but the network equipment is their own
Offer to secure their home networks for them
Employees often prefer to use their own devices
Many, if not all, of these errors, can be avoided.
Here are a few steps you can take to reduce the risk of human error:
Consider running simulated campaigns so staff can get to know what a scam looks like
Continuously advise staff of changes in the threat landscape that may impact them
Encourage an “If in Doubt - Shout” culture
Limit Access
Adopt least privilege policies
Ensure staff have the minimum access required to do their jobs
Immediately revoke access for terminated employees
You may not be able to block 3rd party emails completely
Advise the staff of the implications if they do get found sending illegal emails
There are myriad more things you can do to protect your staff. Remember, find the balance between security and productivity. Don’t choke your team; they will find other ways to get their jobs done if you do.
Fit-For-Purpose Antivirus and Malware Solutions
Not all antivirus solutions are equal. The expression you get what you pay for is so apt. Free solutions don’t cut it.
It is a fallacy that Linux and MAC are not vulnerable. In the last year, news has shown the spread of MAC Malware. Linux, by its open-source nature, means that the code can be changed. Ensure that if your staff does wish to use Linux, they use a distro (release) chosen off a company-approved list.
Just as with applications, antivirus solutions also need patching and updating. Consider making it an offense to ignore updates. If the company will not pay for an antivirus, at least ensure the staff uses a solution endorsed by your IT Department or Service Provider.
Insidious Internal Behaviour
One could argue this is no different from human error- but it is! The human error implies a mistake. Malicious insiders deliberately abuse your company systems, without permission, for their gain.
Detecting malicious insider behavior is incredibly difficult. In many cases, the misuse is only discovered during the forensic audit after a breach - talk about closing the stable door after the horse has bolted!
But there are a few things that you can do to keep this to a minimum:
Classify your data
Open or public data
Private or personal information
Secret
Top secret information
Secure your data folders in line with the classification
The more sensitive the data is, the more difficult it must be to access
Apply stricter permissions to more sensitive data
You can build an approval process for access to the most sensitive information
Theft or Loss of Company Devices
We don’t live in an honest world anymore - shame to say! Laptops, tablets, and smartphones are attractive items to thieves. Not to forget USB keys, external hard drives, CDs & DVDs. Even servers can be stolen.
While this is the last item on this list, it is by no means the lowest risk. How severe the breach is due to theft depends on what is on the device.
Reducing the risk of device theft is closely related to where you store data and the policy for making copies. Remember, an attachment in an email is another copy.
Because theft is usually opportunistic, it is tough to predict.
Some things to do regarding theft or loss:
Implement remote wiping for a device at more risk
Staff who travel a lot
Remote workers
Educate staff about the risk of local copies
Don’t Get Breached
There are undoubtedly many more threats out there. This article has covered the most likely data breaches. Contact us here if you would be interested in an obligation-free quote.