Security breaches (also called data breaches) have been happening since the 1980s, yet they have become more frequent at an alarming rate.
“We are seeing a shift with the increase in data breaches in 2021 compared to 2020, primarily because of the growing number of phishing attacks, ransomware attacks and supply chain attacks,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “While it is discouraging to see the number of compromises up, it is encouraging that we could see the fewest number of people impacted in seven years. Criminals continue to exploit organizations of all sizes through single points-of-attack, making good cyber-hygiene practices more important than ever.”
In fact, 1,001 data breaches were reported in the United States in 2020. In the same year, the sensitive data of over 155.8 million individuals was exposed because of inadequate information security. If that weren’t concerning enough, ransomware was estimated to hit a business every 11 seconds.
Even if you’ve been fortunate enough not to have experienced a security breach, it should be on everyone’s mind. After all, a security breach isn’t just frustrating. It can be a costly experience that can occur without much warning.
If there is good news, it’s that most of these breaches can be prevented, both at an individual and at a business level.
What is a Data Breach?
A data breach is the unauthorized access to confidential or sensitive information. One example is an intruder gaining illegal entry into a computer system or network. Once inside, criminals can steal customers’ or users’ sensitive information, such as financial and personal data.
The U.S. Department of Justice defines a breach as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, access for an unauthorized purpose, or other unauthorized access, to data, whether physical or electronic.”
Data breaches are commonly caused or enabled by cyber attacks such as:
- Ransomware
- Malware
- Phishing
- Denial of Service (which disrupts systems rather than stealing data, but is sometimes used as cover while an intrusion takes place)
How Do Data Breaches Happen?
Most people assume that hackers are entirely responsible for data breaches. That’s not always the case. Sometimes a breach occurs because of a flaw in a company’s infrastructure. Other times, it happens because someone made an honest mistake, like clicking a malicious link in an email.
Knowing how breaches happen is the first line of defense to protect yourself. With that in mind, here are some of the most common ways that security breaches take place.
- Malicious outsiders. External attackers who use a variety of techniques to gather information from networks or individuals, such as malware, phishing, or brute-force attacks.
- Human error. More than one in five incidents was caused by an employee’s mistake, according to Verizon. Common errors include sending sensitive information to the wrong recipient, attaching the wrong file, or granting access to an unauthorized individual. Misconfiguration is another example, typically a database containing sensitive information left reachable from the internet with no authentication at all.
- Malicious insiders. People who access or share data with the intention of harming individuals or companies. In many cases the person is authorized to use the data; it is their intent that is malicious.
- Lost or stolen devices. A laptop or external hard drive containing sensitive data is lost or stolen while unencrypted and unlocked, so whoever ends up with it can read everything on it.
The High Cost of Security Breaches
At some point, we’ve all received an unwelcome notification: an unknown device has signed into your Hulu account, or your credit card company has been breached but your account may not have been affected. In these cases, the fix may be nothing more than changing your password.
Unfortunately, it’s not always that painless. When not addressed promptly, breaches can have expensive and long-lasting consequences.
- Identity theft. If personal information like your Social Security number or credit card details is stolen, unauthorized purchases can damage your credit score. Worse, fraud committed in your name can lead to legal problems.
- Hacked businesses. Companies including Equifax, Target, and Yahoo have experienced data breaches that harmed their bottom line and their reputation, damage that outlasted the news cycle. What’s more, the average total cost of a data breach rose from $3.86 million to $4.24 million, the highest in the 17-year history of the report, according to IBM.
- Targeted government organizations. If a government’s data is compromised, foreign parties may gain access to highly confidential information. A government and its citizens can suffer severe consequences if details about military operations or political negotiations are leaked.
While this merely skims the surface, the fact of the matter is that security breaches are frequent, costly, and likely to get worse. Cybercrime is predicted to cost the world $10.5 trillion annually by 2025. As such, it’s more important than ever to be proactive before you become a victim.
How to Prevent Security Breaches
Asset inventory.
“A visibility of what hardware and software assets you have in your network and physical infrastructure will help you gain a greater understanding of your organization’s security posture,” note the team over at Cipher. “An asset inventory can also be used to build categories and ratings around the threats and vulnerabilities your assets may meet.” By categorizing and rating vulnerabilities, you can prioritize remediation efforts more effectively.
“Data breaches put a major focus on endpoint protection,” they add. And despite what you may believe, a single antivirus program is not enough to protect your data. Relying on antivirus alone leaves your desktops and laptops exposed, and since these devices serve as gateways for malware, endpoint protection should be a priority if you want to thwart security breaches.
“A comprehensive endpoint solution will use encryption to prevent data loss and leakage, enforce unified data protection policies across all your servers, networks, and endpoints,” they note. As a result, this reduces the risk of a data breach.
Scale down.
Keep sensitive personal identifying information only when you have a legitimate business need, advises the FTC. Ideally, you should not even collect this type of information in the first place. But, what if you do have a valid need for this information? “Keep it only as long as it’s necessary,” states the FTC.
What’s more, you should keep the following pointers in mind as well.
- Use Social Security numbers only for required and legal purposes, such as reporting employee taxes. Don’t use them as employee or customer identification numbers, or simply because you always have.
- When developing a mobile app for your company, ensure that the app can only access data and functionality that it needs. Unless it’s integral to your product or service, stay away from collecting and retaining personal information. After all, it’s your responsibility to protect any data you collect and retain.
- Don’t keep customer credit card information unless you need it. Avoid retaining account numbers and expiration dates unless they are essential to your business; the longer this information is kept, the longer it is available to be used fraudulently or for identity theft. If you accept card payments, let your payment processor hold the card details and store only the token it gives you.
- Reduce data access by following the principle of least privilege: employees should be given access only to the resources essential for their duties.
“If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it,” suggests the FTC.
Improve security.
While this has been discussed ad nauseam, it’s at the cornerstone of protecting yourself from security breaches. But, which security tactics should you focus on? Well, here are some of our top suggestions.
To begin with, control access to sensitive data. There is no reason to give everyone on your team unrestricted access to your network. Give each person their own user account, store personal data where only those who need it can reach it, and limit what those accounts can see and do. For paper files, external drives, and disks, a simple locked file cabinet is enough to keep nonessential team members out.
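Least privilege is easy to state and easy to lose track of: a spreadsheet of customer records that one person copied into a shared folder is readable by everyone the moment its file mode allows it. The script below is an added example written for this article (it is not from the author or from any tool the article mentions). It walks a directory, flags files that anyone outside the owner can read or modify, and can lock a file down to owner-only access. It assumes a POSIX filesystem (Linux or macOS); the names `audit_permissions` and `lock_down` and the directory names in the comments are ours.

```python
"""Least-privilege check: find files that more people can read or modify than should.

Added example for this article, not the author's tooling.  Assumes a POSIX
filesystem; the mode bits inspected here have no direct Windows equivalent.
"""
import os
import stat
from pathlib import Path

# Problems we report, keyed by a short code.
WORLD_READABLE = "world-readable"
WORLD_WRITABLE = "world-writable"
GROUP_WRITABLE = "group-writable"


def audit_permissions(root):
    """Walk `root` and return a sorted list of (relative_path, problem) pairs.

    A file holding personal data should normally be 0600 (owner only) or,
    where a team genuinely needs it, 0640 (owner read/write, group read).
    Anything readable by 'other', or writable by anyone but the owner, is flagged.
    Symlinks are skipped so a link to /etc/passwd does not show up as a finding.
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        mode = path.stat().st_mode
        rel = str(path.relative_to(root))
        if mode & stat.S_IROTH:
            findings.append((rel, WORLD_READABLE))
        if mode & stat.S_IWOTH:
            findings.append((rel, WORLD_WRITABLE))
        if mode & stat.S_IWGRP:
            findings.append((rel, GROUP_WRITABLE))
    return sorted(findings)


def lock_down(path):
    """Reduce a file to owner read/write only (0600) and return the resulting mode bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    import sys
    # Usage: python audit_permissions.py /path/to/shared/folder
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, problem in audit_permissions(target):
        print(f"{problem:15s} {rel}")
```

Run it against the folders where exports, backups and reports accumulate, not just the database host; the findings list is the same shape whether it came from a laptop or a file server, so it can feed a ticket queue or a nightly report.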
Additionally, in a previous Due article, Deji Atoyebi states that you can shore up your cybersecurity through:
Data encryption.
“Encryption experts believe it’s no longer possible to build a fortress around a business’s data,” he writes. “Instead, encryption — scrambling data, so it’s unreadable to everyone but the intended recipient — is the best safeguard against someone determined to get in.”
Hardware security.
Use the security features built into your desktops, laptops, mobile devices, and printers. Options include USB security keys, servers with physical locks, and hardware-encrypted drives. And never leave laptops unattended.
Strong and complex passwords.
Do not use personal information, such as your birthdate. Avoid reversed common words and simple sequences of letters or numbers. Passwords should mix symbols, lower- and uppercase letters, and be at least eight characters long. Length and uniqueness matter more than complexity: a long passphrase used for only one account is stronger than a short, intricate password reused everywhere, and any password that has already appeared in a breach should be rejected however complex it looks.
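The rules above are simple to state but easy to apply inconsistently by hand. The screening function below is an added example written for this article, not the author's code. It applies the rules listed (eight or more characters; symbols plus lower- and uppercase letters; no personal details; no common word or its reversal) and adds one check the rules alone miss: a comparison against passwords already seen in breaches. The word list and breached list are constructed stand-ins for the much larger files you would load in practice, and the function name `check_password` is ours.

```python
"""Password screening against the article's rules plus a breach-corpus check.

Added example for this article, not the author's code.  COMMON_WORDS and
BREACHED_PASSWORDS are constructed samples standing in for real lists.
"""
import string

# Constructed stand-in for a dictionary of common words.
COMMON_WORDS = {"password", "welcome", "dragon", "summer", "letmein"}

# Constructed stand-in for a corpus of passwords exposed in past breaches.
BREACHED_PASSWORDS = {"Password1!", "Welcome123!", "Summer2020!"}


def _classes(pw):
    """Which character classes the article asks for are present."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def _contains_word_or_reversal(pw, words):
    """True if the password contains a common word, or that word spelled backwards."""
    lowered = pw.lower()
    return any(w in lowered or w[::-1] in lowered for w in words)


def check_password(pw, personal_info=(), words=COMMON_WORDS, breached=BREACHED_PASSWORDS):
    """Return the list of reasons a password is weak; an empty list means it passes.

    `personal_info` holds strings the user should never embed, such as a
    birth year or a pet's name, compared case-insensitively.
    """
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    missing = [name for name, present in _classes(pw).items() if not present]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    lowered = pw.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            reasons.append(f"contains personal information ({item})")
    if _contains_word_or_reversal(pw, words):
        reasons.append("built from a common word or its reversal")
    # Checked against the exact string: a breached password is burned even if it
    # satisfies every composition rule above.
    if pw in breached:
        reasons.append("appears in a breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("nogard19", "Summer2020!", "Xk7#pl!Qm2vR"):
        print(candidate, "->", check_password(candidate, personal_info=("1984",)) or "ok")
```

The breach-corpus comparison is the check worth keeping even if you relax the composition rules: "Summer2020!" satisfies every rule on the page and is still rejected because it is a known password.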
A high-quality firewall.
“Firewalls are mandatory,” notes Deji. “They guard your network by controlling the internet traffic flow that comes in and out of your company.” Many firewalls also include web filtering that blocks access to known dangerous websites.
Antivirus protection.
Antivirus and anti-malware protection is a necessary part of online security. These packages scan your system for malware and your email attachments for viruses.
Regular program updates.
Keeping your programs up to date makes your system more secure, because updates close the gaps that hackers would otherwise exploit. Programmers routinely fix security issues discovered since the last release, so take advantage of the free protection, he advises. Where a program offers automatic updates, turn them on.
Regular backups.
Most external hard drives can be configured to copy your data daily, weekly, or monthly, and a cloud backup is a good second copy. Either way, you can retrieve your data if your computer is lost, stolen, or damaged. Two caveats: keep at least one copy disconnected from the machines it protects, so ransomware that hits your systems cannot encrypt the backup too, and test a restore now and then, because a backup that has never been read back may not be usable when you need it.
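Testing a restore does not have to mean rebuilding a machine. The script below is an added example written for this article (not the author's or any backup vendor's code). It hashes every file under the source directory with SHA-256 and checks that the backup directory holds a byte-identical copy of each, reporting files that are missing, corrupted, or left over from an earlier run. The function names `build_manifest` and `verify_backup` are ours; the directories it reads are whatever you pass on the command line.

```python
"""Verify a backup copy against the source it was taken from.

Added example for this article, not the author's or any vendor's code.
Walks both trees, hashes every file, and reports the differences.
"""
import hashlib
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 of a file, reading in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to `root`) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source_root, backup_root):
    """Compare a backup tree to its source tree.

    Returns a dict of three sorted lists:
      'missing'    files present in the source but absent from the backup
      'corrupted'  files whose backup copy hashes differently from the source
      'extra'      files in the backup that the source no longer has
    Three empty lists mean the backup is complete and intact.
    """
    source = build_manifest(source_root)
    backup = build_manifest(backup_root)
    return {
        "missing": sorted(set(source) - set(backup)),
        "corrupted": sorted(p for p in source if p in backup and source[p] != backup[p]),
        "extra": sorted(set(backup) - set(source)),
    }


if __name__ == "__main__":
    import json
    import sys
    # Usage: python verify_backup.py /data/live /mnt/backup/data
    print(json.dumps(verify_backup(sys.argv[1], sys.argv[2]), indent=2))
```

Because the comparison is by content hash rather than by size or timestamp, a file that ransomware encrypted in place on the backup drive shows up as corrupted even though its name and size look normal. Run it from a machine that mounts the backup read-only, so the check itself cannot alter what it is checking.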
Conduct employee security awareness training.
“Would you believe that most data breaches aren’t the result of some dedicated hacker brute-forcing their way past your best defenses?” asks Nate Nead, CEO of DEV.co and SEO.co, in Forbes. “Instead, about 88% of breaches are attributable to human error — errors that employees can often make.” After all, it only takes one successful phishing email or social engineering ploy to gain a foothold in your network.
It is therefore essential to train your employees in data security best practices. Best practice training will include:
- Educating employees on best practices. A straightforward set of best practices can have a significant impact on preventing data breaches. For example, employees need to be taught to use strong passwords and never give them out to anyone.
- Setting up protocols and hierarchies. In the same vein, security protocols and hierarchies should also be established. Again, you can get started by asking questions like, “What steps do your employees need to take?” and “Who’s responsible for whom?”
- Making employees aware of common threats. Employees should also be educated about the common cyber threats that lead to breaches, such as phishing emails and social engineering calls, and shown how to report them.
Make sure that third-party vendors comply.
It’s not uncommon for companies to do business with a wide range of third parties, which means knowing who you are dealing with is more important than ever.
For example, what if a contractor or delivery person with a sketchy past enters your premises? If you aren’t aware of this and your security policy is lax, they could access sensitive data and use it for blackmail. That may sound far-fetched, but it’s better to be safe than sorry.
Your IT department might not relish the extra work, but taking extra precautions is paramount. Make sure third parties comply with privacy laws, and don’t be afraid to ask them for background checks. Apply the same least-privilege rule to vendors as to employees: give them only the access the engagement requires, and remove it when the work ends.
Don’t overlook physical data.
“We get so focused on online and cloud-based data protection that we neglect physical property like paperwork, hard drives, laptops, flash drives, and disks,” writes former Due CTO Chalmers Brown. “Make sure that these physical items are stored securely and not carelessly left out for anyone to grab, like in your garage or passenger seat of your car.”
“Like not storing personal data that you no longer need, you should also dispose of information you no longer need securely,” he adds. “For example, if you’re a local pharmacy, you would want to shred customers’ outdated prescriptions.”
Develop a cyber breach response plan.
Imagine going to work tomorrow morning and finding out there has been a data breach. How would you react? Without a cyber breach response plan in place, you may run around like the proverbial chicken with its head chopped off, and as one would imagine, that only makes matters worse.
If you’ve been compromised, either as an individual or as a business owner, act as quickly as possible. The longer you wait, the more damage can be done. For businesses, each state has its own rules on responding, including how quickly you must notify affected customers; the deadlines vary, so know the ones that apply to you before anything happens. Having the plan prepared ahead of time lets you move faster when it counts.
What your cyber breach response plan should contain.
- Report the breach to law enforcement, and to your state’s attorney general or consumer protection agency where the law requires it.
- Your state’s regulations determine how you must notify customers about a breach. Depending on the case, this may mean sending an email or letter or calling them. You may also need a PR campaign ready to win them back.
- You should post a notice on your website and social channels about the data breach. Don’t forget also to include how customers can contact your business.
- Determine when and where the breach occurred and what data was taken, and conduct an investigation. Hiring a security consultant can help business owners perform this investigation.
- In addition to fixing the security issues that led to the breach, preserve records and evidence of the attack, such as logs and affected systems. Law enforcement agencies may need them to conduct a proper examination.
- To protect your customers from fraud and identity theft, offer them credit monitoring through a credit monitoring company.
While data breaches aren’t 100% preventable, being proactive about cybersecurity at least gives you a fighting chance. And what’s the alternative?
Having your sensitive data stolen means paying the financial and PR costs that come with breaches. Taking precautions with your accounts and employees benefits everyone.