Data breaches are a common occurrence in organizations of every size and industry. Information Security practices and systems can help reduce the frequency and severity of data breaches.
While the terms “Data Security” and “Data Breach” have been around for some time, they acquired increased visibility with the implementation of data privacy regulations like the General Data Privacy Regulation (GDPR) and the California Customer Protection Act (CCPA).
By definition, a data breach is an intentional or unintentional release of secure or private/confidential information that occurs due to a cyber-attack allowing unauthorized individuals to gain access to a computer system or network. While it is critical to be aware of the risks and have contingency plans in place to navigate a data breach, ensuring a robust layer of information security systems in an organization’s data management procedures is required to mitigate such mishaps.
According to research studies, the average total cost to an organization due to a data breach is $3.86 million. Organizations like Yahoo, LinkedIn, Adobe, Zoom, Equifax, Capital One, and Marriott International have also fallen prey to data breaches.
The repercussions of a data breach can be severe, affecting not only a company's financial well-being but also its reputation. Organizations may often also be subject to regulatory proceedings after experiencing a data breach.
While most data breaches are caused by malicious outside actors, the cause can sometimes be an accidental insider. Possible causes for a data breach are varied, ranging from the simple and unintentional, such as borrowing a co-worker’s device and accidentally browsing through their data, to malicious, intentional hacking or misuse of data, especially Personally Identifiable Information (PII).
The “why” and “how” of data breaches – first line of defense
Cybercrime is an extremely profitable industry for attackers. Hackers seek personally identifiable information to steal money, compromise identities, or sell it on the dark web. Hackers target vulnerabilities of companies and tap into opportunities by directly going after the network. Since the average time taken to spot a data breach is over five months, there is sufficient time for malicious actors to abuse the data. Data management practices must account for the need to protect against internal and external intrusions and data misuse.
Data breaches can occur in several ways, but the most common are:
- Compromised system security: Outdated software creates easy access for attackers to sneak malware onto the system and steal data.
- Weak login credentials: Weak and insecure user passwords are easier for hackers to guess, especially if a password contains whole words or phrases.
- Targeted malware attacks: Phishing is a prevalent method used for malware attacks. Since phishing attempts can be made to look unsuspicious, they offer an easy opportunity to steal confidential data with just one bad click.
- Third-party access: Malicious actors can pose as third-party vendors to get into even the most secure systems.
Best practices to mitigate potential data breaches through Information Security
- Security awareness training: Employees are most often the weakest link in a company's security system. Since employees often open suspicious links from an unknown email address, frequent training is strongly recommended. Security awareness training could be an elaborate presentation every few months to educate employees about the importance of data security, in addition to random phishing attack tests that send out emails with suspicious-looking links.
- Restrict access to sensitive and confidential data: Limit physical and electronic access of computer systems and data based on specific job requirements. Ensure clear and well-defined policies are in place for employees to request access to specific hardware or software required to be productive at work. Non-disclosure agreements are a great starting point to make sure employees are requesting access to sensitive and confidential data.
- Institute data security over personal devices: A dedicated guest-access network is critical. Ensuring that all guests, contractors and even employees who use personal devices access a separate network will minimize the risk of exposing sensitive data.
- Use individual login credentials: Ensure employees have individual credentials to access the system and enforce a strong password policy. Reminding employees to frequently change their passwords is also a good practice which minimizes risk of hacking.
- Monitor portable media: Portable storage devices present an excellent opportunity for attackers to steal data. This can happen through the physical loss or theft of a flash drive, or through malware released via a flash drive. Smartphones and other electronic devices which sync with computers need close monitoring as well.
- Classify data appropriately: It is critical to be educated about existing data and classify it according to its level of importance. Identifying and understanding which data is sensitive, how it is stored, retrieved and backed up, and whether it can be downloaded in encrypted form, especially to personal devices, is important. Data Governance policies should include data classification requirements.
- Safeguard computers: In addition to the implementation of a strong password policy, enforcing time-out features that require employees to log in again after a stipulated time of inactivity is vital. Training employees not to leave their computers or personal devices unattended and limiting the websites they can visit can also add an additional layer of security.
- Ensure data security from inside: It is very important to ensure the data of an organization is stored in a safe physical location with restricted access. While granting access to the employees who require it, it is advisable to conduct thorough background checks to ensure that important data is in safe hands. Also, strict ‘confidentiality agreements’ with new employees can emphasize the seriousness of future data breach mishaps.
- Enforce third-party vendor compliance – including cloud providers: Moving sensitive data to a cloud provider with expertise in storing and retrieving data in an encrypted format, thereby multiplying the layers of data security, is a popular approach to securing enterprise data. It is recommended to collaborate with companies that are transparent about their security policies.
- Dispose of data properly: When important data was stored and maintained as physical papers at secure locations, safe disposal was ensured through strict data disposal procedures and rules. However, with data storage moving online, additional measures must be taken to ensure proper data disposal. Simply deleting files does not permanently erase the data in them. Hence it is crucial to use appropriate software to thoroughly wipe data.
Undoubtedly, with the increase in internet connectivity around the globe, data is the new currency for organizations, enabling them to predict consumer and market behavior for making profitable strategic decisions. However, even a small data breach can result in losses amounting to millions of dollars, along with potential loss of customer trust. Hence, it is advisable to have maximum information security systems in place to protect your organization from falling prey to such situations.
Although the one-time costs of implementing security measures could be considered high by some, one must understand that neglecting potential data breaches could lead to a loss of a higher magnitude for the organization. Since more businesses are moving online and more employees are encouraged to work remotely, having secure data management and robust information systems is imperative.