Data breaches can happen in any organization. Our latest research, undertaken with Ponemon Institute, shows that just under half, 48%, of the organizations surveyed in five countries around the world experienced a data breach incident in the last year involving the loss or theft of sensitive information about customers, prospects, or employees. This rises to 54% among financial services organizations.

We’ll look at the main causes of data breaches later. But first, let’s talk about risk.

For cybersecurity to be fully effective, it needs senior executive level support. And risk is the language all business leaders understand. When it comes to ensuring a robust, compliant approach to data privacy and protection, business leaders need to know “what would happen if …” they lost valuable data.

What does a data breach mean for your business?

The research reveals that not all data loss carries the same level of business risk. This matters because it enables organizations to focus their security resources accordingly.

Not altogether surprisingly, financial data tops the list of information that, if lost or stolen, would have the greatest financial or operational impact on the organization. Overall, 43% of respondents named this as one of their two highest-impact data losses.


Types of data loss with the greatest financial impact

Other interesting insights include:

  • The loss of employee records has the second highest impact (37%) overall. The margin between second and third place (customers’ personally identifiable information, PII, at 36%) is slim, but it is higher for the largest organizations surveyed (40%). This could reflect the fact that organizations often hold more, and more detailed, sensitive, and confidential information about their employees than about their customers. Such information could be abused by attackers for extortion or to recruit malicious insiders, and its loss could leave the business exposed to costly lawsuits, compliance breaches, and more.
  • The loss of intellectual property has a greater impact on smaller (30%) than larger companies (21%), possibly because smaller businesses rely heavily on IP for competitive advantage and are less likely to have a broader range of assets.
  • The loss of emails and informal chats/texts has the greatest impact on larger companies (32%). This could reflect the risk of advanced email threats such as business email compromise, and the need to keep such records for legal disclosure and compliance.

The main causes of data breaches

Respondents were asked about the root causes of data breaches. The findings show how broad digital attack surfaces have become, with numerous points of weakness that can expose networks and data.

The root causes appear to fall into four categories — people, cyberthreats, supply chain, or system fault/misconfiguration.

They include:

  • Employee/contractor activity, whether through negligence (a root cause in 42% of breaches) or malicious act (39%)
  • IT security oversights — including unpatched vulnerabilities (34%) and errors in the system or operating process (41%)
  • Third-party mistakes (45%)
  • External adversary — hacking (34%), phishing (39%), and viruses or other malware (49%).

Elsewhere in the study, the findings show that one in six (17%) successful phishing attacks resulted in the loss of sensitive and confidential information, rising to more than one in five for organizations in manufacturing (22%), the public sector (21%), and for respondents from the UK (23%) and France (21%).

Many of these potential break points can be addressed through effective security technologies and policies.

Protecting your data

If around one in every two businesses experienced a data breach in the last year, it is not a big leap to assume that over time every organization will experience a data breach. If nothing else, every organization should approach its data security and compliance as if that were the case.

Regardless of the size of your organization, you can’t go wrong by getting the basics right. These include a robust approach to authentication and access, with multifactor authentication as standard and ideally moving towards a Zero Trust approach.

Your IT infrastructure should feature defense-in-depth, AI-powered security technologies that cover and provide full visibility into your entire attack surface and every entry point, from devices to APIs, cloud assets, and more.

Ideally this should be backed by 24/7 security operations and monitoring so that you are ready to respond to, mitigate and neutralize any threat before it moves further along the cyber kill chain.

Alongside this, you need to continuously back up your data. Ensure that all backup data is encrypted, both while at rest and in motion. Apply the gold standard of 3:2:1 — three backup copies, using two different media, one of which is kept offline.
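The backup guidance above can be checked mechanically against an inventory of backup copies. The following is an added example (not code from the article or from Barracuda) that encodes the 3:2:1 rule and the encryption requirement as a policy check; the inventory fields (media type, offline flag, encryption flags) and the sample inventories are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of a backup set (assumed inventory fields, not from the article)."""
    name: str
    media: str                  # e.g. "disk", "tape", "object-storage"
    offline: bool               # True if the copy is kept disconnected from the network
    encrypted_at_rest: bool
    encrypted_in_transit: bool  # encrypted while being copied to this location


def evaluate_backups(copies: List[BackupCopy]) -> List[str]:
    """Return a list of gaps against the 3:2:1 rule and the encryption requirement.

    An empty list means the inventory meets every check.
    """
    findings = []

    # 3: at least three backup copies
    if len(copies) < 3:
        findings.append(f"only {len(copies)} backup copies; 3:2:1 requires three")

    # 2: spread across at least two different media types
    media = {c.media for c in copies}
    if len(media) < 2:
        names = ", ".join(sorted(media)) or "none"
        findings.append(f"all copies use one media type ({names}); 3:2:1 requires two")

    # 1: at least one copy kept offline
    if not any(c.offline for c in copies):
        findings.append("no copy is kept offline; 3:2:1 requires one")

    # Encryption at rest and in motion applies to every copy
    for c in copies:
        if not c.encrypted_at_rest:
            findings.append(f"{c.name}: not encrypted at rest")
        if not c.encrypted_in_transit:
            findings.append(f"{c.name}: not encrypted in transit")

    return findings


# Constructed sample inventory: two disk copies plus a cloud copy, with one copy
# unencrypted at rest and nothing kept offline.
SAMPLE_INVENTORY = [
    BackupCopy("primary-nas", "disk", offline=False, encrypted_at_rest=True, encrypted_in_transit=True),
    BackupCopy("dr-site-nas", "disk", offline=False, encrypted_at_rest=False, encrypted_in_transit=True),
    BackupCopy("cloud-bucket", "object-storage", offline=False, encrypted_at_rest=True, encrypted_in_transit=True),
]

# Constructed compliant inventory: encrypting the DR copy and adding an offline
# tape rotation closes both gaps.
COMPLIANT_INVENTORY = SAMPLE_INVENTORY[:1] + [
    BackupCopy("dr-site-nas", "disk", offline=False, encrypted_at_rest=True, encrypted_in_transit=True),
    BackupCopy("weekly-tape", "tape", offline=True, encrypted_at_rest=True, encrypted_in_transit=True),
]


if __name__ == "__main__":
    for label, inventory in (("sample", SAMPLE_INVENTORY), ("compliant", COMPLIANT_INVENTORY)):
        gaps = evaluate_backups(inventory)
        print(f"{label}: {'OK' if not gaps else 'GAPS'}")
        for gap in gaps:
            print("  -", gap)
```

Run against the constructed sample inventory the check reports two gaps (no offline copy, and the DR copy unencrypted at rest); the compliant inventory reports none. Feeding it a real inventory export is a cheap way to make the backup policy auditable rather than assumed.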

Employee engagement and training is critical. All employees should understand why cybersecurity matters, the latest threats and scams to look out for, and what to do if they spot something suspicious.

Know your obligations

Last, but not least, make sure you know and abide by the data privacy and protection regulations for any market you do business in.

Information on data privacy is available in the U.S. from the Cybersecurity & Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and many more public, private, and educational institutions.

The same applies for EMEA and Asia Pacific. Alongside key regional sites such as the GDPR Compliance Checklist, Deloitte’s Europe Data Guidance and Asia Pacific Data Guidance include up-to-date information on data protection and privacy laws and developments across the regions.

Originally published on the Barracuda Blog, January 29, 2024 by Siroui Mushegian
