A data breach typically occurs when an unauthorised attacker gains access to a secure database that contains sensitive, protected or confidential information.
There are a host of reasons why hackers want to get their hands on sensitive data, but more often than not, it all comes down to money. Cybercrime is a lucrative business and our data can be used to commit identity fraud or sold on for a nice lump sum on the dark web.
A data breach can also occur accidentally through the loss of a laptop, lost documents or emailing the wrong person, but targeted attacks are usually carried in one of the following ways:
- Exploiting System Vulnerabilities – Hackers will often do their research and carry out a full reconnaissance of a business before launching an attack. They will methodically scan a network for any weaknesses in security and as soon as they locate an area to exploit, they will launch a targeted attack to infiltrate the network.
- Social Engineering – Rather than use traditional hacking attacks, cybercriminals take advantage of our trusting human nature to trick us into breaking normal security practices. These types of attacks have grown in frequency and are proving to be a very successful way for hackers to gain unauthorised access to computer networks and sensitive data.
The most frequently used methods include:
Phishing – Phishing remains the most popular social engineering attack due to its high success rate. 72% of data breaches are related to employees receiving phishing emails and the attackers will typically impersonate a legitimate company to trick an employee into disclosing sensitive information.
Malware, viruses and spyware– Malware, viruses and spyware account for 33% of all data breaches. They are installed on a computer when a user clicks on a link, downloads a malicious attachment or opens a rogue software programme. Once installed, attackers can use the malware to spy on online activities, steal personal and financial information or the device can be used to hack into other systems.
Passwords – Weak and insecure passwords provide an easy way for hackers to gain access to a network. Sophisticated hackers will even use specialist software that enables them to test thousands of possible username and password combinations.
Preventing a Data Breach
Organisations need to develop a robust and comprehensive security strategy that will protect sensitive data, reduce threats and ensure the reputation of an organisation remains intact.
To reduce the chance of a data breach occurring, there are a number of steps organisations should take:
- Update Security Software – Security software should be regularly updated to prevent hackers gaining access to networks through vulnerabilities in older and outdated systems. This is exactly how hackers were able to access the data of over 143 million Americans in the infamous Equifax Data Breach in 2017. A fix for this vulnerability was made available two months before the breach, but the company failed to update its software.
- Regular Audits and Risk Assessments – The GDPR specifies that organisations must conduct regular audits of data processing activities and comply with a set of data protection principles that will help safeguard data. This will ensure that a suitable framework is in place that will keep personal identifiable information of customers secure and mitigate any risks. The implementation of an effective policy management system will enable organisations to demonstrate compliance with legislative requirements and effectively target the areas that present the highest risk to data security.
- Use strong passwords – One of the easiest ways for hackers to gain access to sensitive company systems is to guess passwords. 70% of people use the same username and password for all their accounts so if hackers are able to gain access to one account, they have free reign to break into them all. A strong password should be between 8-15 characters long, a mix of uppercase and lowercase letters and include numbers or symbols. For extra security, a passphrase can be created which is a password composed of a sentence or combination of words. The first letter of each word will form the basis of your password and letters can be substituted with numbers and symbols to add a further line of defence.
- Staff Training – Effective security is not just about technology. 88% of all data breaches can be attributed to human error so it’s vital that organisations invest in high-quality security awareness training that will enable staff to recognise the important role they play in safeguarding sensitive company data. Staff are central to an organisation’s ability to operate securely and safely so it’s vital that employees have all the information and knowledge they need to support the security of a company’s network and information systems.