A data breach can have a devastating effect on a business. Data breaches can affect the brand's reputation and cause the company to lose customers. Breaches can damage and corrupt databases. Data breaches also can have legal and compliance consequences.
Data breaches also can significantly impact individuals, causing loss of privacy and, in some cases, identity theft. Although the risk of data breach can’t be eliminated, companies can dramatically reduce their risks through developing and executing a security plan. ne Digital can help you assess your risks, develop a cybersecurity roadmap, and manage day-to-day security.
What is a Data Breach?
A data breach occurs when unauthorized parties access sensitive or confidential information, such as social security or credit card numbers and health records. Data breaches can occur in various industries and organizations of all sizes. A data breach differs from a data leak because a data breach is a cyber attack, while a data leak occurs because of a mistake, such as misconfigured software. The consequences of data leakage are the same as the consequences of a data breach.
The number of data breaches is increasing in the United States. According to Statista, 157 breaches occurred, exposing 66.9 million records. In 2017, data breaches reached a high point of 1,632, with 197.61 million records exposed. In 2020, 1,001 data breaches occurred, exposing 155.8 million records. Most data breaches occur at financial institutions, according to Verizon.
What Causes Data Breaches?
Data breaches occur because of the acts of cybercriminals, who may be employees or people outside the organization. Sometimes employees have authorized access to the information but use it in unauthorized and malicious ways. Those outside the organization cause data breaches through activities such as phishing, hacking, and malware.
Phishing attackers pose as organizations or people you trust, such as banks, to trick people into providing access to sensitive data. Often they send emails that look legitimate but are not.
Hackers gain access to information by exploiting vulnerabilities. One method is releasing automated bots that trawl the Internet seeking sensitive information. They also sometimes use software to obtain user passwords for financial sites, health care portals, and similar websites.
Malware is any software, program, or code created to damage a computer or server. Viruses are one type of malware. Ransomware, which blocks access to a computer until the user pays a ransom, is another type of malware.
What are Data Breach Targets?
Data is more likely to be a target if it can provide some financial value to a third party. Data breaches most often target:
- Personal data, such as social security numbers, birth dates, and contact information.
- Financial information, such as credit card numbers, bank accounts, and investment details.
- Health information, such as medical records.
- Intellectual property, which includes inventions, formulas, manuals, and proprietary data belonging to the organization.
- Competitive information, such as market studies and business plans.
- Legal information, including information on mergers and acquisitions and regulatory rulings.
- IT security data, including encryption keys and passwords.
What are the Consequences of a Cyber Breach?
The consequences of a data breach can be far-reaching and often long-term. For example, 60 percent of small and medium-sized businesses end up closing within six months of a data breach, according to Security Intelligence. Larger organizations typically do not close but can incur high costs. Security Intelligence quotes IBM and Ponemon Institute research that the average financial loss to organizations from a data breach is $4.24 million. More than a third of that average cost comes from lost business.
A data breach can taint a company's reputation for years, because news of the breach remains on the Internet and social media indefinitely. Companies often have to invest significantly in marketing and public relations to repair the damage to their good name.
Loss of Sales
When people lose trust in an organization, they may cease to be customers. Loss of trust is particularly detrimental to financial firms and health care providers. It is also detrimental to small businesses whose clientele is primarily local.
Loss of Budget Control
Organizations will incur unexpected expenses as a result of the data breach, and the budget will be difficult to control. Companies can buy cyber insurance to alleviate some of the losses from breaches. However, many companies are downsizing their policies, according to the Harvard Business Review. Insurance also often fails to cover all the costs.
Loss of Employees and Potential Employees
When a data breach occurs, some employees, especially tech employees and executives, will lose their jobs. Others will leave because of the stress from mitigating the incident.
To make matters worse, when potential employees discover that a company has been the victim of a data security breach, they sometimes decide to apply elsewhere. Cybersecurity professionals and IT employees are often the least likely to want to work for a company that has experienced a data breach. Unfortunately, cybersecurity and IT positions are also in high demand, which makes them hard to fill.
Companies also can face significant legal penalties for failure to protect customer data. First, companies must ensure they meet federal and state notification requirements. All 50 states, the District of Columbia, Guam, and Puerto Rico have laws requiring organizations to notify customers about personal data breaches. The length of time companies have to make the notifications varies by state. Federal laws are being considered.
Congress passed the Data Breach Prevention and Compensation Act in May 2019. The law created an Office of Cybersecurity at the Federal Trade Commission. The law also provides for supervision of data security at consumer credit reporting agencies, such as Equifax. It also imposes specific penalties on those agencies and on credit monitoring agencies for putting consumer data at risk.
U.S. companies can face fines for data security issues. For example, Equifax paid $575 million to $700 million for "failure to take reasonable steps to secure its network," according to CSO. Marriott also was fined $124 million, and Uber was fined $150 million.
The European Union regulates data breach notification through the General Data Protection Regulation (GDPR). GDPR went into effect in June 2018 and requires that organizations notify authorities within 72 hours of the breach. The regulation applies to all organizations within the EU and to those outside the EU that sell goods and services to EU citizens. Fines for violations can be as high as 4 percent of the company's global revenue for each occurrence or 20 million euros, whichever is greater. In 2020, French authorities fined Google $57 million, according to Reuters.
Organizations can face lawsuits for damages caused by data breaches. Litigation requires that lawyers spend considerable time reviewing documents, and settlements can be costly. According to Capital One agreed in December 2021 to pay $190 million to settle a class-action lawsuit, for example. U.S. customers filed a lawsuit over a 2019 data breach affecting 100 million people. Previously, the U.S. Office of the Comptroller of the Currency fined Capital One $80 million for the same breach. In January, Morgan Stanley agreed to pay $60 to settle a legal claim in addition to a $60 civil penalty.
Cybersecurity Measures to Protect Data Privacy
While nothing can guarantee your organization will not face an information security breach, taking appropriate security measures can lessen the odds and mitigate the impact of any breach that does occur.
Tests and Assessments
An IT department or IT consulting firm such as ne Digital can assess your systems to find and correct vulnerabilities. These vulnerability assessments, or systematic reviews of security weaknesses, should be ongoing. Simulated cyberattacks, known as penetration testing, can also pinpoint vulnerabilities that need to be corrected.
Tightening access can also improve security. Enterprises can do this in several ways, including:
- Requiring strong passwords/passphrases and/or multifactor verification for all smartphones, laptops, and tablets.
- Instructing employees to avoid leaving devices in public areas.
- Having remote employees access the network through a VPN and avoid connecting through public Wi-Fi.
- Disabling smartphone settings that automatically connect the device to public Wi-Fi.
- Requiring that remote employees keep their work devices and personal devices separate.
Encryption protects data security by scrambling it into an unreadable format. Enterprises can increase security by adding encryption to any devices or media that contain sensitive information or that access the network remotely.
Software makers often discover bugs after the software is released. Some of these bugs make the software more vulnerable to data breaches. One way to prevent breaches is to keep operating systems, apps, and browsers up to date. Always install software patches as soon as they are released. To automate this process, configure your web browser, operating systems, and apps for automatic updates. Don't forget to update malware protection as well.
Backing Up Files
Companies can also take other measures to improve data security or mitigate data breaches. Backing up files can help mitigate a breach that has destroyed data. Microsoft has some backup solutions that can help you get documents back if your data is corrupted. For example, if you accidentally delete emails, you may be able to get them back. Cloud object storage such as AWS S3 or Azure Blob, or storage arranged through a managed service provider, can also help secure data and provide backups should data be destroyed.
Microsoft recently introduced Microsoft Cloud for Sovereignty, which is designed to improve the storage and processing of sensitive information. Although Microsoft originally designed the program for government entities, it is also available to public sector organizations. Microsoft says the new Cloud for Sovereignty offers an additional layer of security to help customers protect their organizations from local cyber attacks.
Organizations can also set up Conditional Access policies to restrict employees' access to Office 365 and other Microsoft services. For example, they can allow access only from trusted locations or require multifactor authentication.
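As an added illustration, not taken from the original post or from Microsoft's own samples, the policy body below shows the shape of such a Conditional Access policy as submitted to the Microsoft Graph conditionalAccess/policies endpoint: every user signing in to any cloud app from outside the tenant's trusted named locations must complete multifactor authentication. The field names follow the Graph API schema; the object ID of the excluded emergency-access ("break-glass") account is a placeholder you would replace with your own.

```json
{
  "displayName": "Require MFA outside trusted locations (example)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<break-glass-account-object-id>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

The policy starts in report-only state so you can review the sign-in logs for unintended lockouts before changing "state" to "enabled". Keep the emergency-access account excluded so a misconfigured policy cannot lock administrators out of the tenant.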
Organizations should develop cybersecurity policies and ensure these become a part of the onboarding process. The policies should describe the company's security and remote access rules and the process for handling a breach and remediating the impact on the business's operations.
Another way to lessen the odds of a data breach is to provide security awareness training to employees. Within health organizations, about 59 percent of data breaches are caused by insiders, according to Verizon. While some of these are deliberate, most occur when employees unknowingly expose patients' personal data to hackers.
Organizations should ensure employees understand the consequences of a cyber breach. They also should provide examples of what a cyber attack looks like. They should teach employees how to recognize spam and phishing emails and be alert to new apps appearing on their devices.
Companies can also seek help from cybersecurity experts to improve their systems' security. Cybersecurity consulting firms, such as ne Digital, bring deep knowledge about how to thwart common security threats. Many specialize in particular industries or types of organizations. They offer an excellent value proposition because they can help companies avoid the overhead of hiring additional security staff.
A data breach occurs when unauthorized people access sensitive, personal, or confidential information. Data breach consequences can be significant. Some small businesses never recover from a data breach. Larger businesses often face fines, lawsuits, and the loss of customers, reputation, and employees. Hackers frequently target financial firms because they have personal information that can be sold for a profit.
While nothing can guarantee a company will not face cybersecurity issues, companies can help reduce the odds of a cyber attack. Developing a cybersecurity policy is important, as is employee training. Several common-sense measures, such as strong passwords, limited access, conducting vulnerability tests, backing up data, and running frequent updates, can also help prevent data breaches or lessen the financial loss from them. Companies need to take specific measures to ensure remote workers do not connect to company networks through public networks or use their personal devices for company business. They also need to develop a plan that limits the impact of a data breach should one occur. Companies can obtain help from consulting firms to improve their cybersecurity and develop plans.
ne Digital is an IT consultation powerhouse that designs and operates for private equity asset value creation. We run secure, IT mission-critical workloads for Hybrid Cloud with expert architects and certified engineers in Microsoft Azure Cloud and IBM Cloud.
Our focus is Managed Cybersecurity, Managed Services for Microsoft 365, and Managed Services for Azure. Our most popular clients are Private Equity organizations and their portfolio companies. Contact one of our experts today.