While the terms “data security” and “data breach” have been around for a long time, they’ve acquired a lot of traction in the last few years with the rise of data privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By definition, a data breach is an intentional or unintentional release of protected or confidential information. It may occur because of a cyberattack in which bad actors trick employees into giving up sensitive information, or because of several other factors, including negligence or a malicious insider. According to IBM’s Cost of a Data Breach research (2020), the average total cost to an organization of a data breach is $3.86 million.
Organizations like Yahoo, LinkedIn, Adobe, Zoom, Equifax, Capital One, and Marriott have all fallen prey to data breaches. The repercussions of a data breach can be severe, impacting not only the financial well-being of a company but also its reputation. Organizations are often also subject to lawsuits and regulatory proceedings.
The How and Why of Data Breaches
Cybercrime is an extremely profitable industry for attackers. Hackers seek personally identifiable information (PII) as a way to steal and sell identities on the dark web, steal money, and hold data hostage for a ransom. Hackers exploit vulnerabilities in company networks, and since the average time taken to identify a data breach is over five months, there is ample time for malicious actors to abuse stolen data before anyone notices.
Data breaches are most commonly carried out in the following four ways:
- Compromised systems: Unpatched or end-of-life software exposes publicly known vulnerabilities, which attackers exploit to run malware on the system and exfiltrate data.
- Weak login credentials: Weak and insecure user passwords are easy for hackers to guess, especially if a password is short, built from dictionary words or phrases, or reused across sites (a password leaked from one site then opens accounts elsewhere).
- Credential stuffing and phishing: Credential stuffing, where attackers use automated tools to replay username/password pairs leaked in earlier breaches against other sites, is on the rise. It is distinct from brute-force guessing, which cycles through candidate passwords for a single account, and the two leave different traces in login logs. Phishing, where hackers try to fool targets into giving away credentials or running malware, remains a common tactic.
- Third-party access: Malicious actors compromise smaller, less secure vendors and suppliers that hold credentials, integrations, or network access into the target organization.
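The distinction between credential stuffing and brute force matters for detection, because the two look different in authentication logs: stuffing produces one or two failures each against many different usernames from one source, while brute force produces many failures against one username. The following Python script is an added example (not code from the original article) that applies that rule to a constructed login log in a made-up format; the timestamps, usernames, IP addresses and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for this example (made-up format, not a
# real product's log). One line per login attempt: timestamp, result, user, source.
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth FAIL user=alice src=203.0.113.5
2024-03-01T10:00:03 auth FAIL user=bob src=203.0.113.5
2024-03-01T10:00:06 auth FAIL user=carol src=203.0.113.5
2024-03-01T10:00:09 auth FAIL user=dave src=203.0.113.5
2024-03-01T10:00:12 auth FAIL user=erin src=203.0.113.5
2024-03-01T10:00:15 auth FAIL user=frank src=203.0.113.5
2024-03-01T10:00:25 auth OK user=erin src=203.0.113.5
2024-03-01T10:05:00 auth FAIL user=admin src=198.51.100.7
2024-03-01T10:05:20 auth FAIL user=admin src=198.51.100.7
2024-03-01T10:05:40 auth FAIL user=admin src=198.51.100.7
2024-03-01T10:06:00 auth FAIL user=admin src=198.51.100.7
2024-03-01T10:06:20 auth FAIL user=admin src=198.51.100.7
2024-03-01T10:06:40 auth FAIL user=admin src=198.51.100.7
2024-03-01T10:30:00 auth FAIL user=alice src=192.0.2.9
2024-03-01T10:30:30 auth OK user=alice src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_attacks(events, window=timedelta(minutes=5),
                   min_failures=5, min_distinct_users=4):
    """Per source IP, look for a burst of failed logins inside `window`.

    Many failures spread over many usernames is the credential-stuffing
    signature (one try per leaked username/password pair); many failures
    against one username is password guessing (brute force). A successful
    login from the same source shortly after the burst marks that account
    as likely compromised. Thresholds are illustrative assumptions.
    """
    fails_by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails_by_src[ev["src"]].append(ev)

    findings = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            burst = fails[start:end + 1]
            if len(burst) < min_failures:
                continue
            users = {e["user"] for e in burst}
            kind = ("credential_stuffing" if len(users) >= min_distinct_users
                    else "brute_force")
            burst_end = burst[-1]["ts"]
            compromised = sorted({
                e["user"] for e in events
                if e["src"] == src and e["result"] == "OK"
                and burst_end <= e["ts"] <= burst_end + window
            })
            findings[src] = {"kind": kind, "failures": len(burst),
                             "distinct_users": len(users),
                             "compromised": compromised}
    return findings


if __name__ == "__main__":
    for src, f in detect_attacks(parse_log(SAMPLE_LOG)).items():
        print(src, f)
```

On the sample log, 203.0.113.5 is reported as credential stuffing with `erin` as the account to reset, 198.51.100.7 as brute force against `admin`, and the single failure from 192.0.2.9 is ignored as a normal typo. In practice attackers spread stuffing across many proxy addresses to stay under per-IP thresholds, so production detection should also track the global ratio of failed to successful logins and the number of distinct usernames failing per minute, not only per-source counts.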
Best Practices for Stopping Data Breaches
- Conduct security awareness training: Employees are often the weakest link in a company’s security system. Since employees often open suspicious links from unknown email addresses, frequent security awareness training is strongly recommended. Training can be a presentation every few months on the importance of data security, followed up with unannounced phishing simulations (emails with suspicious links sent to employees to test their ability to recognize phishing attempts).
- Restrict access to sensitive and confidential data: Limit physical and electronic access to computer systems and data to what each job actually requires (least privilege), and review access when roles change or staff leave. Ensure clear and well-defined policies are in place for employees to request access to specific hardware or software required to be productive at work.
- Secure personal devices: Having a dedicated, segmented guest network for all guests, contractors, and even employees’ personal devices will minimize the risk of exposing sensitive data.
- Secure login credentials: Ensure employees have individual credentials to access the system (no shared accounts), enforce a strong password policy, and require multi-factor authentication. Require a password change when there is evidence of compromise rather than on a fixed schedule; forced periodic rotation pushes users toward predictable variations, and NIST SP 800-63B advises against it.
- Monitor portable media: Portable storage devices present an excellent opportunity for attackers to steal data. Stolen or lost flash drives, smartphones, and other devices that sync with computers can mean lost data, or be used by bad actors to introduce malware to a network or system. Full-disk encryption on laptops and phones means a lost device is not automatically a breach.
- Classify data: It is critical for companies to know what data they hold and to classify it according to its sensitivity. Laws like CCPA and GDPR penalize companies that retain or collect information that they should not. Identifying which data is sensitive, how it is stored, retrieved, and backed up, and whether it can be downloaded to personal devices, and in what form, is important; an inventory that finds PII in the systems that hold it is the starting point.
- Safeguard computers: In addition to implementing a strong password policy, enforcing time-out features that require employees to log in again after a set period of inactivity is vital. Training employees not to leave their computers or personal devices unattended, and limiting the websites they can visit, can add an additional layer of security.
- Watch for insider threats: It is important to ensure the data of an organization is stored in a safe physical location with restricted access. Limit access to employees who require it, and conduct thorough background checks to ensure that important data is in safe hands. Strict confidentiality agreements can also provide legal recourse in the case of a data breach, but shouldn’t be depended on as a security control.
- Use encryption: Data should be encrypted in transit and at rest, especially when stored in the cloud, with keys managed separately from the data. A cloud provider’s default storage encryption protects against physical theft of disks but not against an attacker holding a stolen credential for the account that owns the data. Collaborate with cloud storage providers that are experienced and transparent about their security policies.
- Properly dispose of data: When data was physically stored on paper in secure locations, there were strict procedures and rules for its disposal. But at the end of the day, shredding usually did the job. With digital data, additional measures must be taken. Deleting a file normally removes only the directory entry; the bytes remain on the disk until they are overwritten, and backups and replicas keep their own copies. Use a sanitization method suited to the media: overwriting for magnetic disks, cryptographic erasure (destroying the key the data was encrypted under) for SSDs and cloud storage, and physical destruction for retired drives; NIST SP 800-88 is the reference. Reliable deletion is a must-know for companies, especially now that consumers have a right to delete under laws like CCPA.
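Classification starts with finding the sensitive fields. The following Python script is an added example (not code from the original article) of a small PII scanner: it checks constructed sample records for email addresses, US Social Security numbers, and payment card numbers, validates candidate card numbers with the Luhn check so that arbitrary 16-digit reference numbers are not misclassified, and reports findings in masked form so the scanner’s own output does not become another copy of the sensitive data. The records, field names and classification levels are assumptions for illustration.

```python
import re

# Constructed sample records for this example (made-up people and values).
SAMPLE_RECORDS = [
    {"id": 1, "note": "Invoice sent to jane.doe@example.com for order 4471"},
    {"id": 2, "note": "Customer SSN on file: 123-45-6789"},
    {"id": 3, "note": "Card ending 4242: 4111 1111 1111 1111, exp 09/27"},
    {"id": 4, "note": "Order reference 1234567812345678 (not a card)"},
    {"id": 5, "note": "Meeting moved to Thursday"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# US SSN: area 000, 666 and 9xx are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: doubling every second digit
    from the right (subtracting 9 when the result exceeds 9), the sum must be
    divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(record, fields=("note",)):
    """Return the record id, a classification level and masked PII findings.

    Levels are an assumed three-tier scheme: 'restricted' for card numbers or
    SSNs, 'confidential' for contact details such as email, 'internal' otherwise.
    """
    pii = {}
    for field in fields:
        text = str(record.get(field, ""))
        for m in EMAIL_RE.finditer(text):
            local, _, domain = m.group().partition("@")
            pii.setdefault("email", []).append(local[0] + "***@" + domain)
        for m in SSN_RE.finditer(text):
            pii.setdefault("ssn", []).append("***-**-" + m.group()[-4:])
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # reject reference numbers that merely look like cards
                pii.setdefault("card", []).append("*" * (len(digits) - 4) + digits[-4:])
    if "card" in pii or "ssn" in pii:
        level = "restricted"
    elif "email" in pii:
        level = "confidential"
    else:
        level = "internal"
    return {"id": record.get("id"), "level": level, "pii": pii}


def classify_records(records, fields=("note",)):
    """Classify every record; the result is the inventory that drives access
    controls, encryption requirements and retention/deletion rules."""
    return [classify_record(r, fields) for r in records]


if __name__ == "__main__":
    for result in classify_records(SAMPLE_RECORDS):
        print(result)
```

Record 4 carries a 16-digit number that fails the Luhn check, so it stays at the default level; without that check a scanner over an order database would flag every reference number and the output would be ignored. The same pattern extends to other identifiers an organization cares about (national IDs for other countries, bank account formats, API keys), each with whatever checksum or structure the format provides.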
Make Room in Your Budget for Cybersecurity
Data is the new currency for organizations. It allows businesses to predict consumer and market behavior and make profitable strategic decisions. But even a small data breach can result in losses amounting to millions of dollars, along with potential loss of customer trust. So it is advisable to invest in security controls proportional to the value and sensitivity of the data you hold, rather than treating security as an afterthought, to protect your organization from falling prey to such situations.