What You Need to Know About Avoiding Data Breaches

Avoiding Data Breaches

The ability to secure and protect data is crucial to the success of your organization. When business-critical or sensitive customer data is exposed, your organization can face serious consequences — financial and otherwise. But avoiding data breaches — or at least drastically reducing the likelihood of them happening — is possible if you take the proper steps.

Approximately 16 billion records were exposed in data breaches in the first half of 2020, as online criminals ramped up phishing and social engineering scams amid the Covid-19 pandemic. And, the companies that have fallen victim to data breaches aren’t confined to any specific size or vertical.

Did You Know? The three most common causes of data breaches in 2020 are phishing scams, VPN crashes, and attacks on cloud-based services.

What’s the secret to avoiding data breaches? The key is to understand them and recognize where you’re vulnerable. An ounce of prevention is worth a pound of cure.

What is a Data Breach?

A data breach occurs when sensitive, protected, or confidential data is viewed, copied, transmitted, stolen, or used by someone who isn’t authorized to access that data. Information compromised in data breaches can include customers’ personal or financial data, business-critical information, trade secrets, or intellectual property.

For many of us, the phrase “data breach” conjures up visions of malicious hackers using software and coding skills to gain remote access to our systems. It’s important to understand that while cyberattacks can result in compromised information, data breaches can come in many other forms.

What is a Data Breach

Why Data Breaches Occur

In addition to guarding against cybercriminals, avoiding data breaches requires you to be on guard against:
Employee Error

Staff who don’t follow security procedures can put you at risk.

Social Engineering

Criminals may trick you or your staff into handing over sensitive information.

Visitor Access

Lax security measures mean anyone on your premises can access your systems.

Ransomware

Files — often transmitted via email — can give bad actors control of your data.

Disgruntled Staff

Employees out for revenge or financial gain might sabotage your security from inside.

Physical Theft

Improper disposal of paper documents can also leave you vulnerable to a breach.

The tactics used by cybercriminals are continually evolving to keep pace with new security technology developments. So, avoiding data breaches entirely is probably not an option. The complex and intricate connections between the real and virtual worlds we occupy make fragmentation inevitable — and a gap in information security programs is an opening for bad actors.

Gaps in your cyber defenses can be caused by any one of a myriad of factors:
  • Failure to keep up with software upgrades and patches
  • Poor development practices
  • Mismanagement of firewall and router security
  • Decisions made by executives/managers who don’t understand cybersecurity risks
  • Weak encryption and key management practices
  • Failure to regularly check your system for vulnerabilities
  • Employees that don’t follow or understand security protocols

Avoidable Data Breaches: How They Happened

No company is too big or too small to be at risk of data breaches. Fractional CTO and Senior Software Developer Walter McGinnis, Senior Network Engineer Alex Chernamazov and Jack Green, principal at Vigilant Security of Vermont, provide some insights into some of the biggest avoidable data breaches companies have faced.

1. Lack of Cybersecurity Training

If your staff don’t know or understand security protocols — or recognize their value — avoiding data breaches can be challenging.
CheckPeople.com, a site that allows users to look up others’ personal information was the victim of a data breach that exposed the personal data of over 56 million people. The site was likely left vulnerable by a temporary shortcut that offered database access but was never closed.

Resolution: Avoiding data breaches like this can be achieved through investment in the development team, including cybersecurity awareness training and adopting a comprehensive information security program.

An attack on Koodo Mobile this year compromised customer account and telephone numbers from 2017, providing scammers with the two-factor authentication needed to access email and bank accounts.

Resolution: This attack is most commonly caused by malware or phishing scams. Ensure your staff understand security protocols with regular, thorough training.

Avoidable Data Breaches

2. Lack of Oversight

Strategies and steps to secure your sensitive data can go overlooked when each part of your team thinks that someone else is responsible. Ensure your organization has someone charged with monitoring security and compliance protocols.

An unauthorized user accessed Clearview’s Android application package, stored in an unsecured Amazon S3 public cloud space and reportedly contained over 3 billion images scraped from public social media profiles.

Resolution: Secondary controls like database encryption could have prevented this exposure of credentials and source code. Adequate governance could reduce the risk of this type of mistake.

A lack of authentication and encryption by Jailcore exposed the sensitive personal data — including names, prescriptions, mealtimes, and bathroom habits — of thousands of U.S. state and county inmates and jail staff entirely.

Resolution: Improved oversight or change control is vital to avoiding data breaches of this type. Working with a CISO or managed security service provider can eliminate risk.

Malicious software on Wawa’s payment processing servers compromised credit and debit card information at all the company’s locations, allowing hackers to put data on over 30 million customers for sale online.

Resolution: The infiltration vectors of the malware have not been made public, but the length of time it operated unnoticed on Wawa systems suggests that a more robust data security program combined with cybersecurity governance is needed.

3. Inadequate Risk Management

Avoiding data breaches requires proactive measures to ensure your systems are secure against continually evolving threats. Develop a comprehensive IT risk management strategy, including regular risk assessments, penetration testing, and incident response plans.

Customers of electronics skin manufacturer SlickWraps first discovered their data had been compromised when the hacker emailed them. Non-production databases were reportedly made public by accident, and a white hat hacker claimed a vulnerability on their website offered access to high-level server directories.

Resolution: Avoiding data breaches like this requires a commitment to information risk management. Regular investment in adopting security frameworks like NIST CSF can help reduce risk.

A misconfigured Amazon S3 bucket belonging to Tetrad exposed the personal information of 120 million Americans. The analytics firm responded rapidly, locking down the data within a week of discovering the vulnerability.

Resolution: Tetrad implemented its cybersecurity response plan relatively rapidly, minimizing the risk that customer or business data was compromised. Regular IT risk assessments could have prevented the exposure or allowed them to recognize it sooner.

A Virgin Media marketing database that was incorrectly configured left the phone numbers, addresses, and email addresses of 900,000 customers exposed to hackers.

Resolution: Improved change control processes would have helped avoid this data breach. Standard operating procedures should include regular penetration testing and details of how and when to report a breach.

Be Proactive to Avoid Data Breaches

Regulatory safeguards to protect user privacy are not enough to secure your data. The public sector is not immune to data breaches — hackers target councils and governments and threaten to leak citizen data or hold systems for ransom. And new threats are constantly evolving as online criminals grow more sophisticated in their efforts to circumvent security measures.

Avoiding data breaches isn’t just about reacting when an incident occurs, or a new threat appears. Securing your systems and data requires a proactive approach to information security. Invest in organization-wide awareness through employee training and regularly review threats and vulnerabilities.

Working with information security experts you can trust is essential to avoiding data breaches like those listed above. At AISN, we take cybersecurity seriously and help your organization do the same. Contact us today to learn more about how to protect your data.