With the number of data breaches increasing year on year, organisations are slowing waking up to the realisation that no company is immune to this growing threat.
46% of all UK businesses identified a breach in the last 12 months and the IDC predicts that by 2020, more than 1.5 billion people, or roughly 1/4 of the world’s population, will be affected by a data breach.
These statistics are truly frightening and highlight the scale of the problem that organisations across the world are now facing.
It’s a myth that it’s just the big multinational companies that are being targeted, cybercriminals are increasingly going after smaller and mid-size organisations as they tend to have less money and resources to invest in cybersecurity.
This leaves them especially vulnerable to attack, and research has shown that 60% of these organisations are unable to recover from the devastating effects of a data breach and will be forced to shut down as a result.
Even if a business can weather the storm, the fall-out from the breach can have massive ramifications which can include a drop in share price, loss of customers, financial penalties and damage to reputation.
The steady stream of data breach horror stories in the press has made senior executives sit up and realise that if they want to reduce their chance of being attacked, they need to become more proactive in their approach to data security and look at the areas of their business that need strengthened and protected.
How do Data Breaches occur?
A data breach typically occurs when an unauthorised attacker gains access to a secure database that contains sensitive, protected or confidential information.
There are a host of reasons why hackers want to get their hands on sensitive data, but more often than not, it all comes down to money. Cybercrime is a lucrative business and our data can be used to commit identity fraud or sold on for a nice lump sum on the dark web.
A data breach can also occur accidentally through the loss of a laptop, lost documents or emailing the wrong person but targeted attacks are usually carried out in one of the following ways:
- Exploiting System Vulnerabilities – Hackers will often do their research and carry out a full reconnaissance of a business before launching an attack. They will methodically scan a network for any weaknesses in security and as soon as they locate an area to exploit, they will launch a targeted attack to infiltrate the network.
- Social Engineering – Rather than use traditional hacking attacks, cybercriminals take advantage of our trusting human nature to trick us into breaking normal security practices. These types of attacks have grown in frequency and are proving to be a very successful way for hackers to gain unauthorised access to computer networks and sensitive data.
The most frequently used methods include:
Phishing – Phishing remains the most popular social engineering attack due to its high success rate. 72% of data breaches are related to employees receiving phishing emails and the attackers will typically impersonate a legitimate company to trick an employee into disclosing sensitive information.
Malware, viruses and spyware– Malware, viruses and spyware account for 33% of all data breaches. They are installed on a computer when a user clicks on a link, downloads a malicious attachment or opens a rogue software programme. Once installed, attackers can use the malware to spy on online activities, steal personal and financial information, or the device can be used to hack into other systems.
Passwords – Weak and insecure passwords provide an easy way for hackers to gain access to a network. Sophisticated hackers will often use specialist software that enables them to test thousands of possible username and password combinations.
How can I protect my business from a Data Breach?
Organisations need to develop a robust and comprehensive security strategy that will protect sensitive data, reduce threats and ensure the reputation of an organisation remains intact.
To reduce the chance of a data breach occurring, there are a number of steps organisations should take:
- Update Security Software – Security software should be regularly updated to prevent hackers gaining access to networks through vulnerabilities in older and outdated systems. This is exactly how hackers were able to access the data of over 143 million Americans in the infamous Equifax Data Breach in 2017. A fix for this vulnerability was made available two months before the breach but the company failed to update its software.
- Regular Audits and Risk Assessments – The GDPR specifies that organisations must conduct regular audits of data processing activities and comply with a set of data protection principles that will help safeguard data. This will ensure that a suitable framework is in place that will keep personal identifiable information of customers secure and mitigate any risks. The implementation of an effective policy management system will enable organisations to demonstrate compliance with legislative requirements and effectively target the areas that present the highest risk to data security.
- Use Strong Passwords – One of the easiest ways for hackers to gain access to sensitive company systems is to guess passwords. 60% of people use the same username and password for all their accounts so if hackers are able to gain access to one account, they have free reign to break into them all. A strong password should be between 8-15 characters long, a mix of uppercase and lowercase letters and include numbers or symbols. For extra security, a passphrase can be created which is a password composed of a sentence or combination of words. The first letter of each word will form the basis of the password and letters can be substituted with numbers and symbols to add a further line of defence.
- Staff Training – Effective security is not just about technology. 88% of all data breaches can be attributed to human error so it’s vital that organisations invest in high-quality security awareness training that will enable staff to recognise the important role they play in safeguarding sensitive company data. Staff are central to an organisation’s ability to operate safely and securely so it’s vital that employees have all the information and knowledge they need to support the security of a company’s network and information systems.
For further advice and guidance on how to improve security within your organisation, join us at our webinar on the 17th October 3PM, on ‘A Nightmare on Breach Street – Could a lack of staff education lead to an information security nightmare’. Register here: go.metacompliance.com/halloween18