The ability to secure and protect data is crucial to the success of your organization. When business-critical or sensitive customer data is exposed, your organization can face serious consequences — financial and otherwise. But avoiding data breaches — or at least drastically reducing the likelihood of them happening — is possible, if you take the right steps.
Approximately 16 billion records were exposed in data breaches in the first half of 2020, as online criminals ramped up phishing and social engineering scams amid the Covid-19 pandemic. And, the companies that have fallen victim to data breaches aren’t confined to any specific size or vertical.
What’s the secret to avoiding data breaches? The key is to understand them and recognize where you’re vulnerable. An ounce of prevention is worth a pound of cure.
What is a Data Breach?
A data breach occurs when sensitive, protected, or confidential data is viewed, copied, transmitted, stolen or used by someone who isn’t authorized to access that data. Information compromised in data breaches can include customers’ personal or financial data, business-critical information, trade secrets or intellectual property.
For many of us, the phrase “data breach” conjures up visions of malicious hackers using software and coding skills to gain remote access to our systems. It’s important to understand that, while cyberattacks can absolutely result in compromised information, data breaches can come in many other forms.
Why Data Breaches Occur
In addition to guarding against cybercriminals, avoiding data breaches requires you to be on guard against:
Employee Error
Staff who don’t follow security procedures can put you at risk.
Social Engineering
Criminals may trick you or your staff into handing over sensitive information.
Visitor Access
Lax security measures mean anyone on your premises can access your systems.
Ransomware
Files — often transmitted via email — can give bad actors control of your data.
Disgruntled Staff
Employees out for revenge or financial gain might sabotage your security from inside.
Physical Theft
Improper disposal of paper documents can also leave you vulnerable to a breach.
The tactics used by cybercriminals are continually evolving to keep pace with new security technology developments. So avoiding data breaches completely is probably not an option. The complex and intricate connections between the real and virtual worlds we occupy make fragmentation inevitable — and a gap in information security programs is an opening for bad actors.
Gaps in your cyber defenses can be caused by any one of a myriad of factors:
- Failure to keep up with software upgrades and patches
- Poor development practices
- Mismanagement of firewall and router security
- Decisions made by executives/managers who don’t understand cybersecurity risks
- Weak encryption and key management practices
- Failure to regularly check your system for vulnerabilities
- Employees that don’t follow or understand security protocols
Avoidable Data Breaches: How They Happened
No company is too big or too small to be at risk of data breaches. Fractional CTO and Senior Software Developer Walter McGinnis, Senior Network Engineer Alex Chernamazov and Jack Green, principal at Vigilant Security of Vermont, provide some insights into some of the biggest avoidable data breaches companies have faced.
1. Lack of Cybersecurity Training
If your staff don’t know or understand security protocols — or recognize their value — avoiding data breaches can be challenging.
CheckPeople.com, a site that allows users to look up others’ personal information was the victim of a data breach that exposed the personal data of over 56 million people. The site was likely left vulnerable by a temporary shortcut that offered database access but was never closed.
Resolution: Avoiding data breaches like this one can be achieved through investment in the development team, including cybersecurity awareness training and the adoption of a comprehensive information security program.
An attack on Koodo Mobile this year compromised customer account and telephone numbers from 2017, providing scammers with the two-factor authentication needed to access email and bank accounts.
Resolution: This type of attack is most commonly caused by malware or phishing scams. Ensure your staff understand security protocols with regular, thorough training.
2. Lack of Oversight
Strategies and steps to secure your sensitive data can go overlooked when each part of your team thinks that someone else is responsible. Ensure your organization has someone charged with monitoring security and compliance protocols.
An unauthorized user gained access to Clearview’s Android application package, which was stored in an unsecured Amazon S3 public cloud space and reportedly contained over 3 billion images scraped from public social media profiles.
Resolution: Secondary controls like database encryption could have prevented this exposure of credentials and source code. Adequate governance could reduce the risk of this type of mistake.
A lack of authentication and encryption by Jailcore left completely exposed the sensitive personal data — including names, prescriptions, mealtimes and bathroom habits — of thousands of U.S. state and county inmates as well as jail staff.
Resolution: Improved oversight or change control is key to avoiding data breaches of this type. Working with a CISO or managed security service provider can eliminate risk.
Malicious software on Wawa’s payment processing servers compromised credit and debit card information at all the company’s locations, allowing hackers to put data on over 30 million customers for sale online.
Resolution: The infiltration vectors of the malware have not been made public, but the length of time it operated unnoticed on Wawa systems suggests that a more robust data security program combined with cybersecurity governance are needed.
3. Inadequate Risk Management
Avoiding data breaches requires proactive measures to ensure your systems are secure against continually evolving threats. Develop a comprehensive IT risk management strategy, including regular risk assessments, penetration testing and incident response plans.
Customers of electronics skin manufacturer SlickWraps first discovered their data had been compromised when the hacker emailed them. Non-production databases were reportedly made public by accident, and a white hat hacker claimed a vulnerability on their website offered access to high-level server directories.
Resolution: Avoiding data breaches like this one requires a commitment to information risk management. Regular investment in the adoption of security frameworks like NIST CSF can help reduce risk.
A misconfigured Amazon S3 bucket belonging to Tetrad left the personal information of 120 million Americans exposed. The analytics firm responded rapidly, locking down the data within a week of discovering the vulnerability.
Resolution: Tetrad implemented their cybersecurity response plan relatively rapidly, minimizing the risk that customer or business data was compromised. Regular IT risk assessments could have prevented the exposure or allowed them to recognize it sooner.
A Virgin Media marketing database that was incorrectly configured left the phone numbers, addresses and email addresses of 900,000 customers exposed to hackers.
Resolution: Improved change control processes would have helped in avoiding this data breach. Standard operating procedures should include regular penetration testing, as well as details of how and when to report a breach.
Be Proactive to Avoid Data Breaches
Regulatory safeguards implemented to protect user privacy are not enough to secure your data. The public sector is not immune to data breaches — hackers are targeting councils and governments and threatening to leak citizen data or holding systems for ransom. And new threats are always evolving as online criminals grow more sophisticated in their efforts to circumvent security measures.
Avoiding data breaches isn’t just about reacting when an incident occurs or a new threat appears. Securing your systems and data requires a proactive approach to information security. Invest in organization-wide awareness through employee training and regularly review both threats and vulnerabilities.
Working with information security experts you can trust is an important step toward avoiding data breaches like those listed above. At AISN, we take cybersecurity seriously and we’ll help your organization do the same. Contact us today to learn more about how to protect your data.