Cybersecurity has never been a more pressing issue for modern businesses. Even in the past six months, news outlets have had a field day covering massive cyberattacks, from the Colonial Pipeline ransomware attack that cost $4.4 million in ransoms alone to the ongoing investigation into another ransomware attack against the meatpacking business JBS.
The truth is that companies are in a hidden arms race against cybercriminals, and right now, companies are losing. There’s a massive cybersecurity skills shortage that’s left more than one million jobs unfilled in the US alone, and it’s one of the few industries with a 0% unemployment rate. Meanwhile, cybercriminals are constantly finding new ways to breach business networks, websites, and systems, and they’re creating tools to make it easier for other cybercriminals to do the same.
However, no matter how secure your network and your systems are, your employees are, unfortunately, the weakest link in your security plan. IBM estimates that human error causes 23% of all data breaches (for example, misdirected or misplaced data and poor password hygiene).
No matter how big your business is, what kind of work you do, or even how much data you process, it’s vital to learn what InfoSec (information security) risks you’re facing. Whether you believe it or not, your data is your biggest asset and, potentially, your biggest downfall.
So, with that in mind, here are the biggest data risks that modern companies face, and what you need to be doing to minimise or mitigate those risks.
Why Is Data Risk Assessment Important?
One of the biggest things that companies get wrong when they’re looking at data risk management is that they often fail to consider what a data breach will actually mean for them.
All too often, companies assume that when they lose data, either through a data breach, their own ineffective security, or both, the biggest cost is the money they have to invest in re-securing their data and fixing holes in their security. While this is a big cost associated with data breaches, it doesn’t encapsulate the full cost of insufficient data risk assessments.
Data breaches don’t only cost companies money in the short term, but they also cost a company its reputation if they’re not handled properly - particularly if the data that was breached includes personally identifiable information (PII) about customers and clients. Studies show that 65% of those users will lose trust in your organization when user information is breached. Not only that, but they’ll go on to tell other customers about their experience, and over half of them will consider purchasing products from a competitor instead.
Other indirect costs incurred during a data breach include:
- Hiring cybersecurity forensics experts, incident responders, PR experts, and other staff to manage the fallout
- Providing hotlines for affected customers or employees
- Running in-house investigations to establish the cause of the breach
- Providing remedial support, such as free credit report subscriptions
- Paying potential settlements with victims of the data breach
All in all, IBM estimates that the average cost of a data breach stands at $3.86 million, with mega breaches involving millions of records ranging from an average of $50 million - $392 million. An estimated 39% of that cost is incurred more than a year following the data breach, which just goes to show that data breaches can cost your company both time and money to resolve.
While mitigating the risk of a data breach isn’t as simple as understanding how many data risks your company faces, it’s certainly the best starting point. Once you know what threats your company faces, and the different factors that threaten your data, you’re better prepared to hire experts and build policies that help you manage the threat.
Internal Vs. External Data Threats
As we mentioned earlier, you need to do a good degree of data risk assessment when you’re looking to minimise the risk of a data breach affecting your company. The key thing to remember is that there are two main causes of data breaches that we can classify as internal or external threats.
Internal threats include people like your company’s board of directors, your employees, or even contractors that work for your company. In short, it’s anyone who can bypass your external security through legitimate means, such as by being able to log in to employee accounts or holding admin privileges on a network. Internal threats can be malicious (for example, an employee intentionally leaking data for blackmail purposes), but more often than not, they come down to human error (for example, reusing one password across multiple accounts, so that a single leaked credential unlocks several systems).
Sometimes, an internal threat isn’t a person at all but a consequence of internal practice: no patching policy, so company software falls out of date; no hardening standard for Internet-facing systems; or no training that teaches employees to recognise threats like phishing emails.
External threats, on the other hand, are almost always malicious because they’re carried out by someone outside the organisation. However, for an external attacker to reach your company’s data, they first need to get past your external security measures and into your network. That can happen through malware, phished or stolen credentials, exploitation of a vulnerable Internet-facing service, or even physical access to restricted areas on your premises.
That’s not to say that these two threat types are fully separate entities, however. External threats will often prey on network or system weaknesses, poor website security, or even IoT devices to gain access. Disgruntled employees, in rare cases, may also disclose security weaknesses or use the knowledge they have of a company’s systems to breach them once they’re no longer an employee.
Internal Data Threats
A Lack of Data Risk Assessment
Of course, one of the biggest threats to your enterprise and your data is a lack of data risk assessment. Not understanding what data you have stored, how it’s stored, and even the vulnerabilities within your system that can be exploited presents a significant risk to your business, finances, and your whole IT system.
Every modern business should not only conduct a data risk assessment when the business is founded but at least once a year after that, and again whenever there’s a major change such as a new line-of-business system, a migration to the cloud, or an acquisition.
Even a small business can collect a lot of data and have significant changes in their IT practices across the space of a year, which is why it’s important to regularly assess how much data you have, what policies and procedures you have in place to keep it secure, and what the chances are of a data breach occurring.
With that in mind, you need to create a thorough report each year that covers the following areas of information security:
Knowing what data your organisation stores, how it’s stored, and why it’s necessary to your business is the first step in any robust data risk management plan. As a general rule, your organisation should only be storing data if it’s absolutely necessary.
You also need to fully understand the path data takes from the point it enters your network to where it’s stored. Good InfoSec practice is to reduce the number of machines and systems data has to pass through, because every hop is another place where it can be intercepted, copied, or left behind in a log or cache; fewer hops means fewer potential entry points to defend.
Finally, you need to assess how secure your data storage is. This doesn’t just cover what security controls exist on your data servers. You also need to look at whether data is encrypted in transit and at rest, how the encryption keys are managed and who can use them, and whether passwords are stored with a salted, deliberately slow hash (such as bcrypt, scrypt, or Argon2) rather than a plain or fast hash. The test is simple: if the database leaked tomorrow, could the records be used to personally identify customers or employees, or to log in as them?
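The password-hashing check above is easy to make concrete. The following is an added example (not code from the original article) showing the anti-pattern and the fix side by side: an unsalted MD5 store, a salted scrypt store with the cost parameters embedded in each record, constant-time verification, and an audit function that classifies whatever records you find in an existing database. The scrypt parameters (N=2**14, r=8, p=1) and the record format are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os

# Floor for acceptable scrypt cost. N=2**14, r=8, p=1 needs roughly 16 MiB of
# memory per guess, which is what makes offline cracking expensive.
# (Parameter choice is an assumption for this example, not a figure from the article.)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def weak_hash(password: str) -> str:
    """The anti-pattern: unsalted, fast MD5. Equal passwords give equal hashes,
    and a leaked table can be attacked with precomputed lookups at billions of
    guesses per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Store a self-describing record: algorithm, cost parameters, random salt and
    derived key. The per-record salt makes identical passwords hash differently."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the parameters stored in the record and compare in
    constant time, so response timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_b64, key_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def audit_record(record: str) -> str:
    """Classify a stored credential record for the storage-security part of a
    data risk assessment: 'ok', 'weak-parameters', 'unsalted-fast-hash' or 'unknown'."""
    parts = record.split("$")
    if parts[0] == "scrypt" and len(parts) == 6:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        if n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P:
            return "weak-parameters"
        return "ok"
    hexchars = set("0123456789abcdef")
    if len(record) in (32, 40, 64) and set(record.lower()) <= hexchars:
        # bare hex of MD5/SHA-1/SHA-256 length: fast hash, no salt, no cost parameters
        return "unsalted-fast-hash"
    return "unknown"


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("audit legacy:", audit_record(weak_hash("hunter2")))
```

Run `audit_record` over a sample of your real credential table during the assessment: anything that comes back as `unsalted-fast-hash` or `weak-parameters` should be re-hashed at the user’s next successful login, when the plaintext is briefly available.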
Data Access and Handling
Once you’ve thoroughly covered what data your business stores, why you store it, and what procedures and policies you have in place to keep it secure, then you need to look at who has access to that data in your organization.
As with assessing the data in your system, it’s important to continuously assess who has access to that data and for what reason. As you might expect, having inactive accounts with data access privileges, or employees with higher privileges than they need for their work, are a major security concern.
Similarly, you also need to assess how data is handled when it needs to be used by your organization. Because departments like sales, customer service, HR, and, of course, your security teams will need to have access to customer and/or employee data, employees with data access privileges need to be trained in data security.
The final major part of any data risk assessment procedure covers your network security. So, you’ll need to look at what internal and external security measures you have in place on your systems and your network, who has high-level network privileges, and whether any inactive accounts need to be deleted.
At this point, you’ll also have to assess your network security measures against the current threats facing your industry and your business, as well as whether there have been any significant developments in technologies to bypass them. By understanding what weaknesses exist in your network, you can start preparing to strengthen your security before a data breach occurs.
No Data Privacy or Information Security (InfoSec) Practices
With your business collecting and creating new data every single second, one of the biggest data risks you face internally is a lack of practices to keep this information secure.
As we touched on in the last section, you need to understand who can access what data, for what purposes, and to what degree they can edit that information. This is a fundamental part of InfoSec, which is why we recommend including it as part of your data risk assessment and management procedures.
So, what do we mean by poor InfoSec practices? Here are some of the most common ways that you might be creating data risks without realising it.
You don’t restrict access to data-sensitive areas
Employees should only have access to the data that’s completely necessary for them to do their job. However, that’s not to say that they won’t have to travel to different areas of your building or campus to meet with colleagues or access other resources.
If you don’t restrict access with proximity card readers or doors protected by passcodes, you risk employees without the correct clearance and training being able to access sensitive data. What’s more is that this can even leave the metaphorical doors open for an outsider to get access to your systems and harvest your data.
You allow employees to work on unsecured networks
Even before the COVID-19 pandemic accelerated the rate at which businesses started allowing employees to work remotely, many businesses without meeting spaces of their own were comfortable with having meetings over public Wi-Fi networks.
Unsecured, or public, networks can be a significant risk to data privacy.
While your business network should be using encryption protocols to keep data passing through it secure, this isn’t a guarantee on all networks.
Public Wi-Fi networks, in particular, are notoriously vulnerable to man-in-the-middle attacks, where an attacker on the same network intercepts (and potentially modifies) traffic between your device and its destination, and you won’t necessarily know it’s happening. Transport encryption (HTTPS, or a VPN that tunnels all traffic back to your network) is what actually protects the data on a hostile network, so alongside a policy that only allows employees to work on approved, authorised networks, require remote devices to use a VPN or equivalent whenever they’re off the corporate network.
You allow any device to connect to your network
By allowing personal devices on your business’s network, you’re adding hundreds or thousands of potential entry points to your network and your data. If these devices aren’t adequately protected against malware, they can easily act as an infected host and spread malicious code throughout your network.
This is also a risk on the Unix and Linux-based machines on your network. Even if a piece of Windows malware can’t run there, a Linux file server or mail store will happily hold the executable and hand it to the next Windows client that asks for it, so shared storage needs to be scanned for malware written for other operating systems, not just the endpoints that can run it.
You don’t adequately delete stale data
No matter how large your business is, you need to delete data that is no longer in use on a defined retention schedule (every 90 days is a common choice). For sensitive data and personally identifiable information, however, deleting the file isn’t enough: you need to wipe it from the machine or server’s disk so that opportunistic cybercriminals can’t recover it.
When you delete a file, the operating system normally only removes the directory entry and marks the blocks as free; the bytes themselves stay on the disk until something overwrites them, and recovering them takes nothing more than freely available forensic tools. Anyone who gets hold of an old hard drive can run those tools, so you need to be careful.
If you’re disposing of old hard drives, the surest way to make data unrecoverable is to physically destroy the platters (degaussing also works for magnetic disks). Overwriting is unreliable on SSDs, where wear levelling means the drive may never overwrite the physical cells you asked it to; for those, use the drive’s built-in secure erase, or better, keep the drive encrypted from day one so that destroying the key renders everything on it unreadable.
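As an added example (not code from the original article), here is a small retention job that finds files older than the retention window, overwrites their contents with random bytes, flushes them to disk, and only then unlinks them, with a dry-run mode for the first pass. The 90-day window and the directory layout are assumptions; the overwrite step only helps on media where the file system writes in place, which the docstring spells out.

```python
import os
import time
from pathlib import Path

STALE_AFTER_DAYS = 90  # retention window used in this example (assumption)


def find_stale_files(root, max_age_days=STALE_AFTER_DAYS, now=None):
    """Return files under root whose last modification is older than the window."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.stat().st_mtime < cutoff)


def overwrite_and_delete(path, passes=1):
    """Overwrite the file's contents with random bytes, flush to disk, then unlink.

    This defeats the 'undelete' tools that recover unlinked files on a magnetic
    disk. It does NOT reliably help on SSDs or copy-on-write/journaling file
    systems, which may write the new bytes elsewhere and leave the old blocks
    intact; there, rely on full-disk encryption plus key destruction, or the
    drive's secure-erase command, instead."""
    path = Path(path)
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 64 * 1024))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())
    path.unlink()
    return size


def purge_stale(root, max_age_days=STALE_AFTER_DAYS, now=None, dry_run=False):
    """Find and wipe stale files; returns [(path, bytes)] of what was (or would be) wiped."""
    report = []
    for path in find_stale_files(root, max_age_days, now):
        size = path.stat().st_size if dry_run else overwrite_and_delete(path)
        report.append((str(path), size))
    return report


if __name__ == "__main__":
    import sys
    apply = "--apply" in sys.argv
    for p, n in purge_stale(sys.argv[1], dry_run=not apply):
        print(f"{'wiped' if apply else 'would wipe'} {p} ({n} bytes)")
```

Run it without `--apply` first and review the list: a retention job that silently destroys the one export someone still needed is its own kind of incident. Modification time is a reasonable first signal, but a real deployment should key off the data classification and retention rule recorded in the inventory from your risk assessment, not the timestamp alone.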
Poor Privilege Management
When businesses are assessing the risks of malware and unauthorized access to their network, they very rarely analyse what IT permissions are granted to which employees. It’s important to know which employees can access what parts of your systems for two key reasons.
The first is that insider threats, such as from disgruntled employees, or hybrid threats, like employees being blackmailed by cybercriminals, are a genuine threat to your data security and privacy. Because employees know how to access your systems, it’s easy for them to access and move data around without raising any suspicions. While this is, admittedly, rarer than some other types of data breaches, the consequences can be far more catastrophic.
Secondly, malware and attackers that get into your network through a user account run with that account’s privileges. Depending on the program, what it can reach is limited by the account it has compromised: a standard user’s session gives it far less to work with than a domain administrator’s.
By only granting employees the privileges they need to perform their job role, you can effectively reduce the number of entry points for both internal and external data threats. Plus, by knowing who has admin-level or root-level privileges, you can narrow down your search if a data breach occurs.
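The inactive-account and over-privilege checks described in this section and under “Data Access and Handling” are the kind of thing worth scripting so they run every quarter rather than once. The following is an added example (not code from the original article): it reads a constructed CSV export of user accounts, flags enabled accounts with no login in 90 days, admin accounts with no documented approval, and disabled accounts that were never actually removed, and lists the enabled admins as the blast radius if a credential is phished. The CSV columns, the 90-day threshold and the approved-admin list are assumptions for the example.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export from an identity system (not real accounts).
ACCOUNTS_CSV = """username,department,privilege,last_login,enabled
alice,finance,user,2021-06-10,true
bob,it,admin,2021-06-11,true
carol,sales,admin,2021-06-09,true
dave,hr,user,2021-01-15,true
svc_backup,it,admin,2020-11-02,true
erin,contractor,user,2021-02-01,false
"""

# Who may hold admin rights, with the documented reason (assumed for the example).
APPROVED_ADMINS = {"bob": "IT systems administrator"}
INACTIVE_AFTER = timedelta(days=90)


def review_accounts(csv_text, approved_admins, today):
    """Return a list of (username, issue, recommended action) findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"]
        enabled = row["enabled"].strip().lower() == "true"
        last = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        idle = today - last

        if not enabled:
            # A disabled account is still an object an attacker with admin rights can re-enable.
            findings.append((user, "disabled-not-removed",
                             "delete the account and its group memberships"))
            continue
        if idle > INACTIVE_AFTER:
            findings.append((user, "inactive",
                             f"no login for {idle.days} days; disable now, delete after review"))
        if row["privilege"] == "admin" and user not in approved_admins:
            findings.append((user, "unapproved-admin",
                             "no documented justification; reduce to standard user or record approval"))
    return findings


def blast_radius(csv_text):
    """Accounts that can do the most damage if compromised: enabled admins."""
    return sorted(r["username"] for r in csv.DictReader(io.StringIO(csv_text))
                  if r["privilege"] == "admin" and r["enabled"].strip().lower() == "true")


if __name__ == "__main__":
    for user, issue, action in review_accounts(ACCOUNTS_CSV, APPROVED_ADMINS, date.today()):
        print(f"{user:12} {issue:22} {action}")
    print("enabled admins:", ", ".join(blast_radius(ACCOUNTS_CSV)))
```

Service accounts like `svc_backup` deserve special attention: they rarely log in interactively, so a plain last-login check can flag them as inactive when they are in fact running every night, yet they are also the accounts most often left with standing admin rights nobody remembers granting. Track them in the approved list with an owner and a review date rather than exempting them from the review.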
Inadequate Employee Cybersecurity Training
While having strong security protocols in place, effectively managing user privileges, and doing thorough data risk assessments and management will go a long way to protect your organisation, all of this needs to be paired with employee cybersecurity training.
In 2017, one widely cited estimate put phishing behind 90-95% of all successful cyberattacks, and this is showing no signs of slowing down. Most employees simply assume that IT departments have a handle on data security, and that even if they click on a suspicious link, it’ll get dealt with by someone else. Other employees simply don’t have the data risk awareness or IT knowledge to understand phishing attacks, let alone more sophisticated kinds of cyberattacks.
One study found that even a moderate investment in data security awareness training can reduce the risk of a data breach by as much as 72%. But, unfortunately, it’s not as easy as sitting employees down in a classroom and teaching them to tell the difference between a phishing email and a legitimate one. Training needs to be engaging, ongoing, and broken up into individual sessions so your employees can get a full understanding of their role in preventing a data breach.
External Data Threats
Unless you’ve been living under a rock, then you’ll know that ransomware is growing in popularity with cybercriminals. With ransomware-as-a-service hacking groups like DarkSide making it easier than ever for cybercriminals to attack businesses of all sizes, defending against ransomware is one of the biggest priorities in any external data threat management plan.
More often than not, the ransomware attacks that reach the news cycle are “double extortion” attacks, where the attackers demand a ransom both to decrypt your files and to refrain from publishing the copies they exfiltrated beforehand. These are the most sophisticated kinds of ransomware attacks, and they present the biggest data risk of any kind of ransomware. Even with screen-lockers and plain encryption ransomware, however, there’s nothing to say that attackers aren’t using the encryption as a distraction while they access and copy your data.
The first line of defence against ransomware is having strong internal security policies, such as those we went into more detail about in the last section. Employee training is vital to prevent ransomware from being delivered through phishing scams, which, together with exposed remote-access services such as RDP, is the most common way modern ransomware gets in.
You should also make sure to invest in cybersecurity monitoring services or, if you’ve got the budget available, an in-house team that can dedicate their time fully to monitoring, analysing, and improving your security. The advantage of investing in cybersecurity, particularly when it comes to ransomware and malware, is that they can visualise how attacks can enter and spread across your network.
This means that, in tandem with IT and any in-house development teams, they can patch any holes in your IT infrastructure before they can be exploited. Plus, if they do detect a data breach, they have professional tools available to respond and contain ransomware infections.
You should also make sure you back up your data frequently. Not all ransomware follows the “double extortion” model and, in those cases, a backup means you can rebuild clean systems without losing data. Two caveats apply: modern ransomware deliberately seeks out and encrypts or deletes any backups it can reach, so at least one copy must be offline or immutable (write-once storage, or a vault that the compromised accounts can’t touch); and a backup you have never restored from is only a hope, so test restores regularly and time how long a full recovery actually takes.
Social Engineering Attacks
Social engineering attacks can be as simple as sending mass-email messages to your employees inviting them to click on a malicious link. Or, they can be as sophisticated as an attacker spending months calling different people around the company to learn enough about a system that they can infiltrate it without raising suspicion.
As with most types of external threats, social engineering attacks can be countered by having strong internal security policies that guard against these types of attacks. However, social engineering attacks often differ from other typical cyber-attacks because they can occur physically as well as through your network and, more often than not, can be a hybrid of the two.
Social engineering attacks typically manipulate people into clicking links, sending money or information, or even plugging in an infected USB drive or CD by exploiting their generosity, trust, curiosity, excitement, or willingness to comply with an authority figure.
Real-world examples of social engineering attacks include:
● Gaining access to a high-level executive’s email account, and asking employees to transfer funds. By preying on employee trust and the authority of the account holder, FACC lost $60 million to this “fake president” scam.
● Capturing user credentials with fake attachments. In this phishing scam, users thought they were opening an Excel spreadsheet file. However, the file was a disguised .html file, which, when opened in a browser, told users they had to re-enter their login information.
● Gaining access to verified Twitter accounts to run a Bitcoin scam. In the July 2020 incident, Twitter reported that attackers used phone-based spear phishing against a small number of employees to obtain credentials for internal account-support tools, which they then used to take over high-profile verified accounts. No malware was needed; the employees were talked into handing over access.
While you might think that countering this type of attack is as easy as teaching your employees not to click on suspicious links in emails, you’d, unfortunately, be mistaken. Even if every single employee in your organization never clicked a link in an email again, there are still thousands of ways that social engineering attacks can target your company.
The best way to counter these types of attacks is to build a company culture that values security and empowers employees to challenge suspicious behaviour.
Employees should feel able to ask to see employee badges when someone is trying to access a restricted area and verify with managers and other employees if the email that appears to be from that person is genuine.
You should also run employee training sessions that focus on social engineering tactics and how employees can recognise them in the context of their job. With attacks getting more sophisticated with each passing day, employees need to be trained to look out for missing details, typos, misspelt or lookalike website URLs (microsoft versus rnicrosoft, or a digit or foreign-alphabet letter swapped in), unexpected urgency, and requests that bypass the normal process, as these are often hallmarks of these kinds of attacks.
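Two of the tells above, the lookalike sender domain and the “Excel file” that is really HTML from the fake-attachment example earlier in this section, can be checked by a mail gateway or a help-desk triage script before a human ever sees the message. The following is an added example (not code from the original article) that does both: it normalises common look-alike characters, measures edit distance against a set of trusted domains, and compares an attachment’s claimed extension with its leading bytes. The trusted-domain list, the confusable table, the sample message and the distance threshold are all assumptions for the example.

```python
import os

# Domains the organisation legitimately receives mail from (assumed for the example).
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com"}

# Characters and digraphs attackers swap in because they look alike in many fonts.
# Mapping digits back to letters can misfire on legitimate names like web3; this is a
# flagging heuristic, not a block list.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}


def normalise(domain):
    d = domain.lower().strip(".")
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Classic edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS):
    """'trusted' for the domain or a subdomain of it, 'lookalike' for a near miss, else 'unknown'."""
    domain = domain.lower().strip(".")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    registrable = ".".join(domain.split(".")[-2:])   # last two labels; good enough here
    norm = normalise(registrable)
    for t in trusted:
        brand = t.split(".")[0]
        # brand name buried in someone else's domain (paypal.com.secure-login.example),
        # confusable substitution (paypa1.com), or a short typo (paypall.com)
        if brand in normalise(domain) or norm == t or levenshtein(norm, t) <= 2:
            return "lookalike"
    return "unknown"


# Leading bytes for the file types the article's example concerns, plus executables.
SIGNATURES = [
    (b"PK\x03\x04", "zip-container"),        # xlsx/docx/pptx, but also jar and plain zip
    (b"\xd0\xcf\x11\xe0", "ole-compound"),   # legacy xls/doc
    (b"%PDF", "pdf"),
    (b"MZ", "windows-executable"),
]
EXPECTED = {".xlsx": "zip-container", ".docx": "zip-container", ".pptx": "zip-container",
            ".xls": "ole-compound", ".doc": "ole-compound", ".pdf": "pdf"}


def sniff(content):
    head = content.lstrip(b"\xef\xbb\xbf \t\r\n")
    if head[:1] == b"<":
        return "html/xml"
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def attachment_type_mismatch(filename, content):
    """Return a description when the extension lies about the content, else None."""
    ext = os.path.splitext(filename.lower())[1]
    actual = sniff(content)
    expected = EXPECTED.get(ext)
    if expected is None:
        return f"{filename}: executable content" if actual == "windows-executable" else None
    return None if actual == expected else f"{filename}: extension {ext} but content is {actual}"


# Constructed sample message, modelled on the fake-spreadsheet scam described above.
SAMPLE_MESSAGE = {
    "from": "Accounts Payable <billing@paypa1.com>",
    "subject": "Overdue invoice 4471",
    "attachments": [("Invoice_4471.xlsx", b"<!DOCTYPE html><html><body><form action='https://example.invalid/login'>")],
}


def triage_message(msg, trusted=TRUSTED_DOMAINS):
    findings = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].strip("> ")
    verdict = classify_sender_domain(sender_domain, trusted)
    if verdict != "trusted":
        findings.append(f"sender domain {sender_domain} is {verdict}")
    for name, content in msg.get("attachments", []):
        issue = attachment_type_mismatch(name, content)
        if issue:
            findings.append(issue)
    return findings


if __name__ == "__main__":
    for line in triage_message(SAMPLE_MESSAGE):
        print("FLAG:", line)
```

Neither check is a substitute for the training itself: an attacker who registers a brand-new domain and sends a genuine spreadsheet with a malicious macro passes both, which is exactly why the article’s advice to verify unusual requests out of band still stands.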
Unauthorised Application Downloads
Employees who regularly use a computer in the office will undoubtedly want to install applications and software to use alongside their work. From music applications like Spotify to time management desktop applications to help them manage their workload, employees will always try to download applications that make their working life easier.
The issues with legitimate applications isn’t necessarily the application itself, but all the issues that can creep in when you allow employees to download applications without needing authorisation.
First of all, when a user wants to download an application, the first place they’re likely to go is to a search engine. It’s not unheard of for cybercriminals to pay for a sponsored search result for popular applications and spoof the website to trick users into downloading what they think is the legitimate application they’re looking for.
This allows them to execute “drive-by downloads” - installing malware when the user loads the page - or trick users into downloading an application with hidden malicious code. Then, as you might expect, this code could spread throughout your network, steal data from a user’s computer, or even compromise your internal security to make way for a large-scale data breach.
Secondly, giving all users privileges to download applications from the Internet is a major security risk. While you will have users that have a good awareness of security risks and will take precautions to make sure the applications they download are legitimate, others won’t have the same level of security foresight.
The best option here for data security is to stop standard user accounts from installing applications at all and route installs through administrators or a managed software catalogue, so that only vetted, approved software lands on your machines. Two caveats: application allow-listing (only approved binaries may run) closes the gap that installer-free portable apps and scripts leave open; and administrators should use their privileged accounts only for administration, not for daily browsing and email, or the admin account becomes the most attractive phishing target in the company.
Securing Your Company Against Data Risks
Unfortunately, this is by no means an exhaustive list of all of the data risks facing your company. With each passing day, cybercriminals create new tools to help them infiltrate and steal data from company networks, and the cases we’ve used as examples above were, in previous years, completely unthinkable.
That’s why it’s important to take action now. While identifying the data risks that your company faces is a good start in securing your systems and your network, you need to invest in security solutions that keep you secure against both opportunistic attacks and those planned by large-scale cybercrime gangs.
The truth is that there’s no one solution to making your data secure. Investing in security isn’t a small investment, and regardless of the size of your company, it shouldn’t be. While risk management and good InfoSec practices might be expensive, the alternatives are far worse.
Cybersecurity isn’t cheap because it takes cross-functional risk management techniques to keep everything secure.
In the cybersecurity arms race, the name of the game is proactivity. Having a game plan for if a data breach occurs is good, but what’s even better is mitigating and minimizing the risks of one occurring in the first place. Emerging technologies aren’t even guaranteed to be secure, regardless of how “cutting edge” they claim to be. So, every time you add new technology to your business or your network, you need to be the first person to ask what vulnerabilities this new technology presents and if it can be exploited to gain access to your data.
We can guarantee that your network, your systems, and even the software you use isn’t as secure or as private as you think. With a new cyberattack being launched every 39 seconds, it pays to stay ahead of the curve so your business isn’t the next victim.