As many companies and institutions have discovered, data breaches are costly – not only in terms of financial losses, but also in terms of reputational damage. A data breach is defined as the intentional or unintentional release of secure information to an environment that is untrusted, such as the Internet.
How is data breached?
Data breaches are often the result of four things:
Data theft involves a deliberate attack on systems or individuals who have access to sensitive data. Theft is perpetrated by one of two camps: insiders – usually former employees who bear a grudge; or hackers – criminals looking to make a profit from the sale of the data. Insiders take data by downloading it onto a device and removing it from the business premises. Hackers gain access to data via an Internet connection, and look for data stored on laptops, hard drives and USBs.
Data loss occurs when sensitive data is inadvertently exposed by people working within a business. This occurs when backup tapes or files are misplaced, when a USB stick is lost or when a laptop or smartphone is stolen. These are common ways in which data can end up in the wrong hands.
When old computers or hard drives are sold or recycled, the information contained on them might be deleted, but if not properly erased, that data can be retrieved by anyone with just a few cheap tools. Additionally, leaving data on media that is not adequately protected with a strong password or with encryption leaves it vulnerable to a hacker or thief. The same applies to sensitive paper files, which should be disposed of using a cross-cut shredder or a recycling/trash pickup service that ensures proper disposal.
Collecting, storing, sending, encrypting, finding and removing data may all have implications for its safety. Those who are handling sensitive data may find they are doing one or more of these activities. If proper safety precautions are not taken, inadvertent data exposure could be the result. For example, breaches of sensitive data stored in folders accessible through the Internet, such as through file sharing software, have occurred more than once at universities.
How can you prevent it?
So what exactly can SMBs do to avoid data compromise? Realistically it boils down to awareness, education, monitoring and damage control:
* Awareness – first and foremost, individuals who are interested in starting a business must be aware of security implications and costs when building a business plan. Security is typically not top of mind when an entrepreneur is ready to start a business. The security industry, government and entrepreneur start-up communities must work together to build awareness around new business security.
* Education – as a business begins to expand, it is vital to educate employees on the importance of workplace security and choose vendors with superior security reputations. Businesses should build and enforce password, BYOD and social media policies from day one. The more well-educated the workforce is on the importance of security, the more likely they will be to employ better online habits at work as well as in their personal lives.
* Monitoring – take advantage of software solutions that can help monitor the security of your business. Anti-virus solutions can help protect against malware, and VPNs can help protect business data when conducting business outside of the company network. Businesses should also consider a monitoring service to keep track of the SMB’s overall health and mitigate the risk of breach. An SMB should monitor employee and customer credentials, its credit score and credit report to detect fraudulent activity.
* Damage control – be sure to have a breach preparedness plan. While a damage control plan may not reduce the cost of repairing the data breach, it certainly helps keep your customer relationships intact and reduces business reputation damage.
Major data breaches of 2014
This social media platform was breached in January 2014, compromising the names and phone numbers of 4,5-million people.
This crowd-funding site was breached in February 2014, with 5,6-million victims.
One of three open-source vulnerabilities in 2014, Heartbleed is a security bug in the OpenSSL cryptography library.
eBay’s database of 145-million customers was compromised in May 2014.
In September 2014, a number of celebrity iCloud accounts were hacked, and nude pictures were leaked.
By far the highest profile hack of the last 12 months, Sony Pictures Entertainment was hacked in November 2015. Data leaked included personal information about Sony Pictures employees and their families, employee e-mails, executive salary figures and copies of previously unreleased Sony films.