How to Prevent Data Breaches
Google ‘data breach’ and you’ll likely see news headlines about the latest company dealing with the fallout from a hack of its data.
Information is valuable, and this unfortunately means it is under constant threat from cybercriminals.
Read on to learn everything you need to know about data breaches and how to protect yourself, including:
- What constitutes a data breach
- Examples of famous data breaches
- How they happen
- How companies can prevent them
- What to do if you’re affected by a data breach
What is a data breach?
A data breach occurs when an unauthorized person gains access to a data source, either physical or digital, and views, copies, transmits, steals or uses the sensitive information for their own gains.
Businesses, as opposed to individuals, are usually the target of data breaches due to the sheer volume of valuable data they hold. Breach the defences of an individual and a cybercriminal might gain access to one person’s sensitive information. Breach the defences of a company and they could be looking at the sensitive information of millions of people.
Types of information leaked in data breaches
All kinds of information can be vulnerable to a data breach. Some of the data most commonly leaked includes:
- Personally identifiable information (PII)
Any information that can identify a specific individual such as mail or email address, phone number, login IDs or passwords.
- Personal health information (PHI)
Any information associated with a person’s physical or mental health status, test results, medical history, health insurance and anything else your healthcare providers might have on your file.
- Financial details
Details such as your bank account number, credit card number, credit ratings, account balance, budgets and anything else money-related.
- Intellectual property (IP)
In companies today, the outputs of human intellect are typically the drivers for business success and hence are highly valuable. Examples include innovations, formulas, business processes, proprietary technology and trade secrets.
Examples of famous data breaches
Data breaches are incredibly common and affect hundreds of millions of people worldwide.
Below are just three high-profile examples of data breaches to have hit the headlines since 2017, affecting more than 500 million people between them.
In June 2019, Quest Diagnostics, a firm providing billing services for the US healthcare sector, announced that one of its third-party providers, the American Medical Collection Agency (AMCA), had had its website hacked. As a result, the personal health and financial information of 12 million Quest customers was exposed.
In November 2018, Marriott Hotels announced its central reservation system had been compromised, exposing the personal information, including credit card and passport details, of 383 million guests. Upon investigation it turned out the breach had originated on the Starwood Hotels network as far back as 2014.
Starwood was bought by Marriott in 2016, and in 2018 it was still running on the compromised IT infrastructure when the breach was identified.
The European authorities came down hard on Marriott and the UK data protection authority issued a fine of $123 million.
As recently as March 2020, Marriott reported a further data breach involving the personal information of 5.2 million guests.
In September 2017, Equifax, a consumer credit reporting agency, was hacked, affecting 147 million people - more than 40% of the U.S. population.
Names, addresses, dates of birth, Social Security numbers and drivers’ licences were all laid open. The credit card details of about 200,000 customers, who had paid to see their own credit reports, were also exposed.
Often described as the most expensive data breach in history, Equifax agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories, including up to $425 million to help those affected by the breach.
Those are some eye-watering figures. They all raise the question: what is the real cost of a data breach?
The cost of data breaches
The annual ‘Cost of a Data Breach Report’ by the Ponemon Institute analyzes data breaches from over 500 organizations across 16 geographies and 17 industries.
According to the latest findings:
- The average cost of a data breach is $3.9 million
- The average cost per record lost is $150
- Healthcare is the most costly industry. A breach costs $6.45 million on average
- The U.S. is the country with the highest average breach cost at $8.19 million.
Organizations can take positive steps to reduce the cost of a data breach. For example, organizations with an incident response team reduce the cost of a data breach by an average of $360,000. Organizations with extensive encryption in place reduce the cost of a breach by the same amount.
How do data breaches happen?
As we move more of our interactions with various organizations and businesses online, we create more and more data. This data is highly valuable, so breaches are likely to be an ever-present threat.
The first step in protecting yourself is understanding how breaches happen.
Here are the most common ways for a data breach to occur.
Human error
Sometimes a data breach is made all too easy when employees suffer a lapse of concentration or have bad habits such as:
- Leaving devices open and unattended
- Losing devices or documents
- Using weak passwords
- Sending information to the wrong recipients
- Sharing password/account logins
Malicious insiders
On the other side of accidental human error is the intentional abuse of data by trusted employees. These intentional acts by trusted and authorized users are difficult to defend against.
Ransomware
Ransomware is a type of malware capable of infiltrating your system and locking down your data, forcing you to pay a ransom to retrieve it.
Phishing
Criminals send messages to their victims, pretending to be from trusted contacts, to trick them into sharing personal information such as credit card details or online account logins.
Spyware
Spyware is a type of malware. It infects a device and quietly steals all kinds of information, from account logins and passwords to credit card details.
Distributed Denial-of-Service (DDoS)
This malicious attack aims to flood an organization’s network or website with false traffic to overwhelm and crash it. In data breaches it can be used as a distraction tactic, opening up a window for hackers to install more nefarious malware and carry out a data breach.
How to prevent data breaches in the workplace?
Former CEO of Cisco Systems, John Chambers once famously said: "There are two types of companies: those who have been hacked, and those who don't yet know they have been hacked."
In other words, the chances of any business suffering a data breach are high.
As a minimum, follow these best practices to give your business the best chance of avoiding a breach.
- Improve network security
Ensure your antivirus, antimalware and firewall software are all in place and up to date at all times.
- Improve information disposal
This goes for data in digital and hard copy formats. Wipe any hard drives on old devices before retiring them. Also, be vigilant about how and where you dispose of sensitive data in paper formats.
- Implement a Bring Your Own Device (BYOD) policy
Employees today frequently use personal devices such as cell phones and personal computers to access work emails and files on the go. While this is a handy way to get a head start on your workload, it’s also another avenue for business data to be exposed. A BYOD policy will outline the protocols for accessing company data remotely and define how the organization’s IT team can access and protect any device with access to the business network.
- Patch and update regularly
Software and security updates aren’t there to irritate you (although it might feel like it sometimes). More often than not, they focus on fixing bugs and enhancing your security. For this reason, make sure you keep on top of software updates.
- Educate employees
As we saw in the previous section, human error is a common cause of data breaches. One of the best things a business can do to prevent a breach is to invest time in educating employees on topics such as how to recognise a phishing email, the importance of strong passwords and company policy on handling data.
- Use data encryption
Data encryption transforms digital information into an unreadable format to prevent unauthorized users from reading it, thus providing an additional layer of security.
- Use strong passwords and multi-factor authentication
Use strong passwords with a mixture of uppercase, lowercase, special symbols and numbers at all times and update these regularly. Adding multi-factor authentication will mean users will have to present two or more pieces of evidence to be granted access to a device or data source.
- Back up data regularly
Backing up your files won’t prevent a data breach, but it will make data recovery in the event of a breach much easier. It’s also an effective defence against ransomware: if you have up-to-date backups, the hacker holding your files hostage has no leverage.
How can I protect myself from data breaches?
As the victim in all this, you might be wondering if there’s anything you can do to protect yourself. It’s true that dealing with organizations like your healthcare provider, hotels you book, your banking institutions, your social media platforms and so on requires you to have a degree of trust in the security surrounding your information.
However, if a business you’re associated with does announce a breach, there are steps you can take to lessen its impact.
- Confirm the breach happened
Surprise, surprise: fake emails informing you of a data breach are one tactic cybercriminals use to try and trick you into sharing personal data with them. So make sure you hear directly from the organization whether a security breach has actually occurred. Check its secure website or call it to confirm.
- Find out what information was exposed
Your name and address are one thing, but your Social Security number is a whole other kettle of fish. Make sure you understand what information has been breached. Then you can figure out which institutions you need to notify.
- Change passwords
If an online account has been hacked, change your password. If you use the same password on other accounts, change those too.
- Notify relevant institutions
Get in touch with your banking institution immediately to notify them if your banking information has been breached. They will be on high alert for any unusual activity and will cancel and replace any compromised credit cards.
- Set up a fraud alert
In the US, it’s possible to set up a fraud or credit alert in your name. This means you’ll be notified if anyone tries to open a credit card in your name or view your credit history.
- Stay alert and monitor your account
Keep a close eye on your various online accounts and bank statements in the aftermath of a breach. Remember, you may be unaware of a breach even taking place at first. Cybercriminals often wait and bide their time until you’re feeling more at ease before they strike.
Your data requires constant protection, but that doesn’t mean you need to be thinking about it 24/7.
Clario’s online security software has been developed to do this hard work for you. So sign up now to be among the first to hear about exciting updates we have in the works and to receive special offers and promotions.