Data breach: how to prevent it
Data is valuable. It is the lifeblood of modern e-business. It is so precious that it is protected by legislation. GDPR - standing for General Data Protection Regulation - is the EU’s solution to the need to give citizens more power over their personal data.
But anything that is valuable is always under threat from criminals. Stealing data is less visible than stealing cash from your safe or stock from your shop, but it can cost your business far more. Remember, your business may hold your clients' and customers' banking details and other personal information.
That information is vital for you - but in the wrong hands, it could expose your business contacts to impersonation online, fraud and theft.
Under GDPR, your business, as the data controller, is responsible for the security of the personal data it holds. Fines can be substantial if you misuse that data, if you cause it to be disclosed, or even if it is taken from your systems without your knowledge.
This is what makes a data breach such a threat to your business.
What exactly is a data breach?
A data breach exposes confidential, sensitive, or protected information to an unauthorized person. The data involved is viewed or shared without the permission of the person it refers to. A breach can be the result of an innocent mistake, but real damage follows when someone with unauthorized access takes Personally Identifiable Information (PII) or corporate intellectual property from your business for financial gain or to cause malicious damage.
Cybersecurity is the latest buzzword - but the criminal activity of data theft remains unchanged.
Remember, the personal data you collect is not yours to do with as you please. Under GDPR the individuals it refers to (the data subjects) retain rights over it, and your business, as the controller, is accountable for how it is processed and protected.
As the owner of a business that collects data, you are always considered responsible for a data breach, however it happens. You must ensure that it does not - and that can demand vigilance and preparation. Remember, your data is valuable and you should consider that it is always under attack and that a breach may already have happened - because, worryingly, the average breach takes more than five months to detect.
How does a data breach happen?
It is easy to assume that a data breach is always the work of an outside hacker breaking into your network over the internet. Some breaches do happen that way, but there are several other weak points that someone with criminal intent can exploit.
These include:
- Accidental Insider breaches: An employee using a co-worker's computer might easily find that they are reading files without having the proper authorization permissions. The access would be unintentional and no information may be shared. There may be no damage resulting - but because it was viewed by an unauthorized person, the data must be considered breached. This could be a matter for internal discipline or training.
- Malicious Insider breaches: This is when someone purposely accesses shared data with the intent of causing harm to an individual or company. The malicious insider may have legitimate authorization to use the data, but the intent is to use the information in nefarious ways. They could copy it and use it for their own purposes, or sell it on to those with an interest in its misuse.
- Lost or Stolen Device breaches: An unencrypted and unlocked laptop or external hard drive that contains sensitive information can go missing. The loss is not the value of the device but the data it contains; full-disk encryption and a locked screen turn a lost device into just that, rather than a lost dataset.
- Stolen Credentials breaches: Many data breaches are caused by stolen or weak credentials. A valid username and password gives an attacker an open door into your network. Because most people reuse passwords, criminals routinely take credentials leaked from one site and try them against email, websites, bank accounts and other sources of PII or financial information.
- Mobile Device breaches: When employees bring their own devices (BYOD) into the workplace or use them to work from home, it is easy for an unmanaged device to pick up a malware-laden app that gives an attacker access to data stored on the network.
Beware also of social engineering. This is where criminals use social skills to manipulate people. They may talk their way into your premises and onto your systems, or impersonate authority figures over the phone and persuade staff to divulge information such as passwords. Attackers working this way tend to follow a basic pattern, because targeting an organization for a breach takes planning. They research their victims to learn where the vulnerabilities are, such as missing or failed updates and employees' susceptibility to phishing. Once they know their target's weak points, they develop tactics to exploit them. This can mean tricking insiders into downloading malware, or attacking exposed services on the network directly. Once inside, they are free to search for the data they want.
Common wisdom suggests all organizations can and will face a data attack at some point. Whether or not that attack results in a breach depends on taking the right precautions before the attack happens. The goal is to keep the inevitable attempts from turning into a preventable data breach.
So, what can you do?
There is no single solution to the threat of a data breach. However, there are ways to protect yourself and your business by making data security a business priority, and by taking the following steps.
Support data security from the Top Down
Data security can start with an IT Security Director who understands the challenges and the changing threats, but it does not stop there. Your security director is responsible for your data security, and to meet that responsibility they will need to educate every member of your team and make them understand that it is their responsibility too. That ranges from training junior staff in the procedures to follow, to arranging seminars and protocols for other managers. Ensuring that management and employees at every level understand the cybersecurity risks inherent to your organization is key to preventing breaches.
Cybercrime is constantly developing and cybersecurity must develop with it. The ongoing development of policies and procedures to prevent data breaches is essential and constantly educating employees - both new and old - on these policies and procedures is critical. Regular updates for management and employees on updated cybersecurity policies and procedures is essential in mitigating risk.
In addition to regular updates, your organization should inform employees on new scams and potential risks as they arise. New phishing scams and websites that have been identified as dangerous should always be flagged up.
Ensure data is actually protected
Naturally, you will protect access to your systems with usernames and passwords. Make sure passwords are long, unique to each system and screened against lists of passwords already exposed in breaches; change them whenever compromise is suspected (routine forced rotation mostly produces weaker, predictable variants); add multi-factor authentication wherever it is available; and make sure nobody writes them on a post-it note next to their device.
But you will need to go deeper than that. Ensure that your network is segmented, that users can only reach the segments they actually need, and that attempts to reach anything else are logged, reviewed by your security team and known by staff to be reviewed.
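Screening a password against a breached-password corpus without ever sending the password itself is the check most worth adding to a sign-up or password-change form. The following is an added example, not code from the original article: it mirrors the prefix ("k-anonymity") range lookup used by public breached-password services, sending only the first five hex characters of the SHA-1 hash and matching the rest locally. The corpus, the 12-character minimum and the function names are constructed for the example.

```python
"""Screen a candidate password against a breached-password corpus.

Added example (not from the original article). Only the first five hex
characters of the SHA-1 hash are sent to the lookup service; it returns every
suffix sharing that prefix, and the match is made locally, so neither the
password nor its full hash leaves the client. The corpus is constructed here.
"""
import hashlib

# Constructed corpus: SHA-1 hashes of passwords known to appear in breaches.
# A real service holds hundreds of millions of entries; these are illustrative.
_BREACHED_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2020!")
}


def range_lookup(prefix: str) -> list:
    """Server side: suffixes of every corpus hash that starts with `prefix`."""
    prefix = prefix.upper()
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return sorted(h[5:] for h in _BREACHED_CORPUS if h.startswith(prefix))


def is_breached(password: str) -> bool:
    """Client side: True if the password's SHA-1 is in the corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def check_password(password: str, min_length: int = 12) -> list:
    """Return the reasons a password should be rejected (empty list = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2020!", "correct horse battery staple"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Because the lookup returns every suffix under the prefix, the service learns only that one of roughly a few hundred hashes was of interest, which is the point of the scheme; a rejected password should be reported to the user as "known to be compromised" rather than quietly accepted.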
Pay special attention to your Wi-Fi. Ensure that only authorised people and devices can join it, and explain the dangers of public Wi-Fi to employees. We are all constantly on mobile devices and will connect to the closest Wi-Fi available, but attackers set up rogue access points that imitate legitimate "hot spots" and capture whatever sensitive information passes through them.
Protect data in transit with a corporate VPN, so that communications with business contacts and with staff working from home are encrypted and cannot be read if intercepted. Remember that a VPN protects the link, not the data once it is stored at either end.
You will also need a robust, properly configured firewall that exposes only the services you intend to expose to the outside world.
You will, of course, need software to protect your computer systems and data. Well-known malware is readily detected by anti-malware software, but attackers use trojans, malicious code hidden inside apparently innocent attachments or downloads, to get past it, install themselves and send your data back to the attacker. Keep protection software current and treat it as one layer of defence, not the whole of it.
Ensure physical security
There is little point investing in a state-of-the-art IT security system with a VPN and firewall if a bad actor can simply walk into your offices and "borrow a computer to check their mail" or use a similar ruse. Your data is valuable, and the same level of physical security against unauthorised access is required as if you had cash on the premises.
Make security part of your corporate culture
Good security starts with good personnel, which is why the hiring process is important. Individuals with experience and understanding of the current risk landscape can be invaluable to an organization at all levels.
Make security part of your corporate culture, from the initial onboarding course onwards, with regular refresher courses.
Just as important is an exit process for employees who are leaving. This includes disabling their accounts, revoking any keys and access tokens they held, changing any shared passwords they knew, and ensuring that company computers and personal devices no longer hold sensitive information. Educate employees on the appropriate use of technology: when, where and how to log into accounts, how to check that their connection is reliable and secure, and when not to use devices at all.
Be data lean
One way to reduce data theft is to reduce the amount of data you have circulating in your business.
Restricting access to at-risk information to the employees who strictly need it is a wise move. It eases compliance with GDPR as well as reducing the risk of a breach. Grant access only on an as-needed basis, for a defined period where possible, and revoke it as soon as the information is no longer required.
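The two ideas above, that users can only reach the segments they need (with attempts elsewhere picked up by the security team) and that access is granted as needed and revoked when no longer required, fit together in one small access-control routine. This is an added example, not code from the original article: grants carry an expiry so that revocation happens by default, every refusal is recorded, and a helper flags users who are repeatedly refused within a short window. The users, segments, timestamps and threshold are constructed for the example.

```python
"""Need-to-know access with time-limited grants, plus flagging of out-of-scope attempts.

Added example, not from the original article. Every grant names a user, a
data segment and an expiry; access after expiry is refused without anyone
having to remember to revoke it, and every refusal is kept so the security
team can review attempts to reach data outside a user's remit.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    segment: str          # a partition of the data, e.g. "payroll"
    expires: datetime


@dataclass
class AccessControl:
    grants: list = field(default_factory=list)
    denied: list = field(default_factory=list)   # (when, user, segment, reason)

    def grant(self, user, segment, now, ttl):
        """Grant access for a fixed period only; there is no open-ended grant."""
        self.grants.append(Grant(user, segment, now + ttl))

    def revoke(self, user, segment=None):
        """Remove one segment's grant, or every grant when the user leaves."""
        self.grants = [g for g in self.grants
                       if not (g.user == user and (segment is None or g.segment == segment))]

    def allowed(self, user, segment, now):
        """True only if an unexpired grant covers exactly this segment; refusals are logged."""
        matching = [g for g in self.grants if g.user == user and g.segment == segment]
        if any(now < g.expires for g in matching):
            return True
        reason = "grant expired" if matching else "no grant"
        self.denied.append((now, user, segment, reason))
        return False

    def suspicious_users(self, window, now, threshold=2):
        """Users refused `threshold` or more times inside the recent window."""
        since = now - window
        counts = {}
        for when, user, _segment, _reason in self.denied:
            if when >= since:
                counts[user] = counts.get(user, 0) + 1
        return sorted(u for u, n in counts.items() if n >= threshold)


def demo():
    """Constructed scenario: one honest user, one expired grant, one probing account."""
    t0 = datetime(2021, 3, 1, 9, 0)
    ac = AccessControl()
    ac.grant("alice", "customer-banking", t0, timedelta(days=7))
    ac.grant("bob", "payroll", t0, timedelta(hours=4))
    results = {
        "alice_in_scope": ac.allowed("alice", "customer-banking", t0 + timedelta(days=1)),
        "alice_out_of_scope": ac.allowed("alice", "payroll", t0 + timedelta(days=1)),
        "bob_before_expiry": ac.allowed("bob", "payroll", t0 + timedelta(hours=3)),
        "bob_after_expiry": ac.allowed("bob", "payroll", t0 + timedelta(hours=5)),
    }
    ac.revoke("bob")                                   # bob leaves the company
    results["bob_after_revoke"] = ac.allowed("bob", "payroll", t0 + timedelta(hours=3))
    # An account probing several segments it was never granted, within one day.
    for seg in ("payroll", "hr-records", "customer-banking"):
        ac.allowed("mallory", seg, t0 + timedelta(days=2))
    results["flagged"] = ac.suspicious_users(timedelta(days=1), t0 + timedelta(days=2))
    results["reasons"] = sorted({reason for _, _, _, reason in ac.denied})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Alice's single refusal on a segment she was never granted stays below the threshold, while the account that probes three segments in a day is the one flagged for review; the refusal reason distinguishes a grant that lapsed from one that never existed, which is the difference between a training issue and an intrusion.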
You need to instruct staff about the proper ways to purge data. Too often, employees think they have got rid of sensitive data when they delete the files on their desktop, without realizing that deleting a file normally removes only its directory entry: the contents stay on the disk until they happen to be overwritten, and further copies often survive in the recycle bin, temporary files, backups, snapshots and cloud sync folders. Teaching employees proper data disposal reduces the risk of that data ending up in the wrong hands.
When the time comes to dispose of obsolete IT equipment, treat physical destruction of the drives as the default for complete data removal. The practical alternative is cryptographic erasure: if a drive has been fully encrypted throughout its life, securely destroying the key renders every copy of the data unreadable, which is why NIST SP 800-88 accepts it as a purge method. Either way, keep a record of what was sanitised, how, and by whom.
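The reason cryptographic erasure works even when "deleted" data lingers in forgotten copies is that the copies are ciphertext: destroy the key and all of them become unreadable at once. The following is an added example, not code from the original article, showing that property end to end. It uses a minimal HMAC-SHA256 counter-mode keystream so that it runs with the standard library alone; that cipher, the store class and the sample record are assumptions for the illustration, and a real deployment would use AES-GCM from a maintained library or the drive's own encryption.

```python
"""Cryptographic erasure: encrypt data at rest, then destroy the key.

Added example, not from the original article. Once the key is gone, every
copy of the ciphertext (backups, snapshots, the unlinked blocks a plain delete
leaves behind) is unreadable, so the data is purged without hunting down each
copy. The cipher is an HMAC-SHA256 counter-mode keystream kept stdlib-only for
the example; it provides confidentiality only, with no integrity check.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16


class KeyDestroyed(Exception):
    """Raised when data is requested after the key has been shredded."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) for as many blocks as needed."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per record, prefixed to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class EncryptedStore:
    """Records are held only as ciphertext; the key lives apart and can be shredded."""

    def __init__(self):
        self._key = os.urandom(32)

    def write(self, record: bytes) -> bytes:
        if self._key is None:
            raise KeyDestroyed("store has been retired; no key to encrypt with")
        return encrypt(self._key, record)

    def read(self, blob: bytes) -> bytes:
        if self._key is None:
            raise KeyDestroyed("key shredded; ciphertext is unrecoverable")
        return decrypt(self._key, blob)

    def shred_key(self):
        """Disposal step: the key is discarded, which is what actually erases the data."""
        self._key = None


def demo():
    """Constructed scenario: a record, a stale backup copy, then key destruction."""
    store = EncryptedStore()
    record = b"IBAN GB00 TEST 0000 0000 00, J. Smith"   # constructed sample data
    blob = store.write(record)
    stale_copy = bytes(blob)                # e.g. a backup nobody remembered to delete
    before = store.read(blob)
    store.shred_key()
    try:
        store.read(stale_copy)
        after = "readable"
    except KeyDestroyed:
        after = "unrecoverable"
    return before, after


if __name__ == "__main__":
    plaintext, outcome = demo()
    print(f"before shredding: {plaintext!r}; stale copy after shredding: {outcome}")
```

The practical corollary for disposal is that encryption has to have been on from the first write: a drive encrypted only after years of plaintext use still has recoverable history underneath, and in that case physical destruction remains the answer.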
Be careful with BYOD
BYOD, or Bring Your Own Device, allows employees to bring their own technology - computers, tablets and cell phones - to work. Many businesses have adopted this approach. It reduces costs for the business, allows employees to use equipment they like and are familiar with, reduces training time and increases productivity.
However, the risk here is that, while the device may be used for both work and fun, sensitive data is still readily available and not protected by the same routines used when it is a business-owned device.
By implementing strong BYOD policies that require a lock screen, device encryption, up-to-date software and a separation of work data from personal use (for example a managed work profile that can be wiped on its own), you can reduce the danger of a data breach.
Update Software
Software companies are constantly updating their products. They may introduce new features and improvements, but the main reason for not leaving well enough alone is security.
They do their best to make their products secure in the development lab, but in the real world researchers and attackers keep finding new vulnerabilities, and attackers will exploit them. Patches and updates are how you ensure those vulnerabilities do not affect your business. Install them promptly, starting with anything exposed to the internet or already known to be exploited.
Prepare for the Worst
Establishing an incident response plan allows your business to be prepared if the worst happens.
All of your preparations can reduce the risk of a data breach, but the possibility can never be entirely removed. Being prepared means your team knows exactly what to do to contain the problem, stop the breach spreading, limit the loss of sensitive information and avoid the reputational damage and customer backlash that follow. Auditing your team on their practices shows you where potential problems could lead to future breaches.
Report breaches immediately
If anyone in your team even suspects a potential data breach, they need to tell your organization's security management team immediately, and the organization must then notify the appropriate authorities. Under GDPR a breach that is likely to put individuals at risk must be reported to the supervisory authority within 72 hours of becoming aware of it, which leaves no room for waiting to see whether it was serious.
The sooner that your team is able to respond to an incident, the greater the chance that you have in being able to manage the potential damage to your organization and your clients and your reputation - reporting unusual or suspicious activity is the difference between a minor breach and an escalation to a major one.
Paying for it all
All organizations and companies that work with data should accept that there will be costs involved in protecting that data. Appointing a data protection officer or security director will not be cheap - but it may be vital once your business has grown large enough.
New procedures will be required and new software that is capable of creating a secure working environment and flagging up unauthorised use of data will be key.
You may need to set up a VPN to avoid unencrypted data being sent over the internet.
You may also need to invest in hardware. New laptops, new mobile devices and new in-office systems which are physically secure may all be needed.
Above all, security will be an absolute priority. If data is hacked or otherwise stolen, you are responsible, no matter how sophisticated the attack. You can’t afford to delay, even if money is currently short. At Rangewell, as experts in business funding, we know the fastest ways to secure the funding you need.
We work to provide the most effective way to secure the funding you need - whether that is with a government-funded loan or with any other kind of lending.
Our expertise can work for you. We can help streamline applications - ensuring that your business can receive the funding it needs in the shortest possible time. We can work with you to find a short-term solution and help you secure all types of business funding.
Call us now – our experts are ready to help you with your finance problems both during the coronavirus crisis and with the changes that will come after it. Find out more about finance for soft assets or apply today.