Cybersecurity has never been a more pressing issue for modern businesses. Even in the past six months, news outlets have had a field day covering massive cyberattacks, from the Colonial Pipeline ransomware attack that cost $4.4 million in ransoms to the ongoing investigation into another ransomware attack against the meatpacking business JBS.
The truth is that companies are in a hidden arms race against cybercriminals, and right now, companies are losing. A massive cybersecurity skills shortage has left over one million jobs unfilled in the US alone, and it's one of the few industries with a 0% unemployment rate. Meanwhile, cybercriminals are constantly finding new ways to breach business networks, websites, and systems, and they're creating tools to make it easier for other cybercriminals to do the same.
However, no matter how secure your network and your systems are, your employees are the weakest link in your security plan. IBM estimates that human error causes 23% of all data breaches (e.g., accidentally misplaced data, lousy password hygiene).
No matter how big your business is, what kind of work you do, or even how much data you process, it's vital to learn what InfoSec (information security) risks you face. Whether you believe it or not, your data is your biggest asset and, potentially, your biggest downfall.
So, with that in mind, here are the most significant data risks modern companies face and what you need to do to minimize or mitigate those risks.
Why Is Data Risk Assessment Important?
One of the biggest mistakes companies make when examining data risk management is failing to consider the implications of a data breach.
All too often, companies assume that when they lose data, either through a data breach, their ineffective security, or both, the most significant cost is the money they have to invest in re-securing their data and fixing holes in their security. While this is a considerable cost associated with data breaches, it doesn't encapsulate the total cost of insufficient data risk assessments.
Data breaches not only cost companies money in the short term; they also cost a company its reputation if they're not handled properly, mainly if the breached data includes personally identifiable information (PII) about customers and clients. Studies show that 65% of users will lose trust in your organization when their information is breached. Not only that, but they'll go on to tell other customers about their experience, and over half of them will consider purchasing products from a competitor instead.
Other indirect costs incurred during a data breach include:
- Hiring cybersecurity forensics experts, incident responders, PR experts, and other staff to manage the fallout
- Providing hotlines for affected customers or employees
- Running in-house investigations to establish the cause of the breach
- Providing remedial support, such as free credit report subscriptions
- Paying potential settlements with victims of the data breach
All in all, IBM estimates that a data breach's average cost is $3.86 million, with mega breaches involving millions of records ranging from an average of $50 million to $392 million. An estimated 39% of that cost is incurred more than a year following the data breach, showing that data breaches can cost your company both time and money to resolve.
While mitigating the risk of a data breach isn't as simple as understanding how many data risks your company faces, it's undoubtedly the best starting point. Once you know what threats your company faces and the different factors that threaten your data, you're better prepared to hire experts and build policies that help you manage the threat.
Internal Vs. External Data Threats
As we mentioned earlier, you need to do a thorough data risk assessment when you're looking to minimize the risk of a data breach affecting your company. The key thing to remember is that there are two main causes of data breaches, which we can classify as internal or external threats.
Internal threats include people like your company's board of directors, your employees, or even contractors who work for your company: in short, anyone who can bypass your external security through legitimate means, such as logging in to employee accounts or having admin privileges on a network. Internal threats can be malicious (for example, an employee intentionally leaking data for blackmail), but more often than not, these threats come down to human error (for example, using the same password for multiple accounts).
Sometimes, an internal threat isn't an employee but a consequence of internal practices. This could be poor external security, not keeping company software current, or not training employees to recognize threats like phishing emails.
External threats, on the other hand, are almost always malicious because someone outside the organization carries them out. However, for an external threat to gain access to your company's data, they need to breach your external security measures to get access to your network. This can be achieved through malware, gaining access to your network, or even physical access to restricted areas on your premises.
That's not to say that these two threat types are entirely separate entities, however. External threats often prey on network or system weaknesses, poor website security, or even IoT devices to gain access. In rare cases, disgruntled employees may also disclose security weaknesses or use their knowledge of a company's systems to breach them once they're no longer employees.
Internal Data Threats
A Lack of Data Risk Assessment
Of course, one of the biggest threats to your enterprise and your data is a lack of data risk assessment. Not understanding what data you have stored, how it's stored, and even the vulnerabilities within your system that can be exploited presents a significant risk to your business, finances, and your whole IT system.
Every modern business should not only conduct data risk assessments when the business is founded but at least once a year following that.
Even a small business can collect a lot of data and significantly change its IT practices over the space of a year, which is why it's essential to regularly assess how much data you have, what policies and procedures you have in place to keep it secure, and what the chances are of a data breach occurring.
With that in mind, you need to create a thorough report each year that covers the following areas of information security:
Data Storage
Knowing what data your organization stores, how it's stored, and why it's necessary to your business is the first step in any robust data risk management plan. As a general rule, your organization should only store data if required.
You must also fully understand the path data takes from entering the network to where it's stored. Good InfoSec practice reduces how many different machines or systems data has to travel through within your network, because fewer hops mean fewer potential entry points and a data stream that is harder to intrude on.
Finally, you need to assess how secure your data storage is. However, this doesn't just cover what security protocols exist on your data servers. You also need to look at what encryption algorithms you're using, what password hashing is in place, and whether your data is encrypted and scrambled enough that, if you do suffer a data breach, the leaked data can't be used to identify customers or employees personally.
Data Access and Handling
Once you've thoroughly covered what data your business stores, why you store it, and what procedures and policies you have to keep it secure, you need to look at who has access to that data in your organization.
Assessing the data in your system requires determining who has continuous access to it and for what reason. As you might expect, having inactive accounts with data access privileges or employees with higher privileges than they need for their work is a significant security concern.
Similarly, you also need to assess how data is handled when it needs to be used by your organization. Because departments like sales, customer service, HR, and your security teams will need access to customer and employee data, employees with data access privileges must be trained in data security.
Network Security
The final major part of any data risk assessment procedure covers network security. You'll need to look at what internal and external security measures you have in place on your systems and network, who has high-level network privileges, and whether any inactive accounts need to be deleted.
At this point, you'll also have to assess your network security measures against the current threats facing your industry and your business and whether there have been any significant technological developments to bypass them. By understanding what weaknesses exist in your network, you can start preparing to strengthen your security before a data breach occurs.
No Data Privacy or Information Security (InfoSec) Practices
With your business collecting and creating new data every single second, one of the most significant data risks you face internally is a lack of practices to keep this information secure.
As discussed in the last section, you need to understand who can access what data, for what purposes, and to what degree they can edit that information. This is a fundamental part of InfoSec, so we recommend including it in your data risk assessment and management procedures.
So, what do we mean by poor InfoSec practices? Here are some common ways you might create data risks without realizing them.
You don't restrict access to data-sensitive areas.
Employees should only have access to the data necessary to do their job. However, that's not to say they won't have to travel to different areas of your building or campus to meet with colleagues or access other resources.
If you don't restrict access with proximity card readers or doors protected by passcodes, you risk employees without the correct clearance and training accessing sensitive data. Moreover, this can even leave the metaphorical doors open for an outsider to access your systems and harvest your data.
You allow employees to work on unsecured networks.
Even before the COVID-19 pandemic accelerated the rate at which businesses started allowing employees to work remotely, many companies without meeting spaces were comfortable with having meetings over public Wi-Fi networks.
Unsecured, or public, networks can be a significant risk to data privacy.
While your business network should use encryption protocols to keep data passing through secure, this isn't guaranteed on all networks.
Public Wi-Fi networks, in particular, are notoriously vulnerable to man-in-the-middle attacks, meaning attackers can intercept data being sent between your device and its end destination. You won't even necessarily know this is happening, either. So, to keep data private and secure, you need policies that only allow employees to work on approved, authorized networks.
You allow any device to connect to your network.
By allowing personal devices on your business's network, you add hundreds or thousands of potential entry points to your network and data. If these devices aren't adequately protected against malware, they can quickly act as an infected host and spread malicious code throughout your network.
This is even more risky if you have Unix or Linux-based machines on your network that aren't secured with scanners that detect malware from different operating systems.
You don't adequately delete stale data.
No matter how large your business is, you must delete data no longer in use at least every 90 days. For sensitive and personally identifiable information, however, you'll need to wipe the data from the machine's or server's hard drive to ensure that opportunistic cybercriminals can't access it.
When you erase data from your hard drive, the data often still exists; it's just inaccessible without specialist tools. These tools are easy to obtain for opportunistic data scavengers who get their hands on old hard drives, so you need to be careful.
If you're disposing of old hard drives, the best way to ensure that data cannot be retrieved is to destroy the magnetic disk within the hard drive physically.
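The retention rule and the erase-versus-wipe distinction above can be turned into a small sweep. This is an added example, not code from the original article: it classifies records by age against the 90-day window, deletes stale ordinary data normally, and overwrites stale sensitive data before unlinking it. The record format, the file names and the sample dates are constructed for the example.

```python
import os
import tempfile
from datetime import date, timedelta

RETENTION_DAYS = 90   # the article's "at least every 90 days" rule


def is_stale(last_used, today, retention_days=RETENTION_DAYS):
    """True once the record has gone unused for longer than the window."""
    return (today - last_used).days > retention_days


def classify(records, today, retention_days=RETENTION_DAYS):
    """Map each record's path to 'keep', 'delete' or 'wipe'.

    records: iterable of dicts with keys path, last_used (date), sensitive (bool).
    Data within the retention window is kept; stale non-sensitive data is
    deleted normally; stale sensitive/PII data is overwritten before deletion."""
    actions = {}
    for rec in records:
        if not is_stale(rec["last_used"], today, retention_days):
            actions[rec["path"]] = "keep"
        elif rec["sensitive"]:
            actions[rec["path"]] = "wipe"
        else:
            actions[rec["path"]] = "delete"
    return actions


def wipe_file(path, passes=1):
    """Overwrite the file's bytes in place, flush to disk, then unlink it, so
    a plain delete does not leave the plaintext sitting in freed blocks."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(b"\x00" * size)
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)


def apply_actions(actions):
    """Carry out the classification and return what was done to each path."""
    done = {}
    for path, action in actions.items():
        if action == "wipe":
            wipe_file(path)
        elif action == "delete":
            os.remove(path)
        done[path] = action
    return done


def demo_sweep(today=date(2021, 7, 1)):
    """Build three constructed files in a temp directory, sweep them and report
    which survive. Returns (actions keyed by file name, surviving file names)."""
    workdir = tempfile.mkdtemp(prefix="retention-demo-")
    spec = [
        ("q2-report.txt", today - timedelta(days=30), False),          # fresh: keep
        ("old-marketing.txt", today - timedelta(days=120), False),     # stale: delete
        ("old-customer-pii.txt", today - timedelta(days=400), True),   # stale PII: wipe
    ]
    records = []
    for name, last_used, sensitive in spec:
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content " * 8)
        records.append({"path": path, "last_used": last_used, "sensitive": sensitive})
    actions = apply_actions(classify(records, today))
    survivors = sorted(os.path.basename(p) for p in actions if os.path.exists(p))
    return {os.path.basename(p): a for p, a in actions.items()}, survivors


if __name__ == "__main__":
    print(demo_sweep())
```

One caveat a practitioner will want: overwriting in place only helps where the filesystem writes back to the same physical blocks. On SSDs with wear levelling, and on copy-on-write or journaling filesystems, the old bytes can survive elsewhere on the media, which is why the article's advice to physically destroy drives at disposal time still stands.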
Poor Privilege Management
When businesses assess the risks of malware and unauthorized access to their network, they very rarely analyze what IT permissions are granted to which employees. Knowing which employees can access which parts of your systems is important for two key reasons.
The first is that insider threats, such as disgruntled employees, or hybrid threats, like employees being blackmailed by cybercriminals, are genuine threats to your data security and privacy. Because employees know how to access your systems, they can easily access and move data around without raising any suspicions. While this is, admittedly, rarer than some other types of data breaches, the consequences can be far more catastrophic.
Secondly, certain types of malware and cyberattacks can access your network through user accounts, but, depending on the program, what they can reach is limited by the network privileges of the account they compromised.
By only granting employees the privileges they need to perform their job role, you can effectively reduce the number of entry points for both internal and external data threats. Plus, knowing who has admin-level or root-level privileges can narrow down your search if a data breach occurs.
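The access review described under Data Access and Handling and Network Security, and the privilege question raised in this section, come down to the same three checks: who holds more than their role needs, which accounts are inactive, and who holds admin or root rights. The following is an added example, not code from the original article: it compares each account against a per-role baseline and reports those three findings. The roles, entitlement names and sample accounts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Assumed role baseline: the entitlements each role legitimately needs.
# Role and entitlement names are constructed for this example.
ROLE_BASELINE = {
    "sales": {"crm:read", "crm:write"},
    "support": {"crm:read", "tickets:write"},
    "hr": {"hr:read", "hr:write"},
    "sysadmin": {"crm:read", "hr:read", "tickets:write", "server:root"},
}

# Entitlements treated as admin/root level and listed separately.
ADMIN_ENTITLEMENTS = {"server:root"}


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    last_login: Optional[date]   # None means the account has never logged in


def audit(accounts, baseline, today, inactive_days=90):
    """Compare each account against the baseline for its role.

    Returns a dict with three findings:
      excess   - user -> entitlements beyond what the role needs
      inactive - users with no login within inactive_days (or never)
      admins   - users holding an admin-level entitlement
    A role missing from the baseline gets an empty allowance, so everything
    such an account holds is reported as excess until the role is defined."""
    excess, inactive, admins = {}, [], []
    for acct in sorted(accounts, key=lambda a: a.user):
        allowed = baseline.get(acct.role, set())
        extra = acct.entitlements - allowed
        if extra:
            excess[acct.user] = sorted(extra)
        if acct.last_login is None or (today - acct.last_login).days > inactive_days:
            inactive.append(acct.user)
        if acct.entitlements & ADMIN_ENTITLEMENTS:
            admins.append(acct.user)
    return {"excess": excess, "inactive": inactive, "admins": admins}


AUDIT_DATE = date(2021, 7, 1)   # fixed so the sample result is reproducible

# Constructed sample accounts, not taken from any real directory.
SAMPLE_ACCOUNTS = [
    Account("alice", "sales", {"crm:read", "crm:write"}, AUDIT_DATE - timedelta(days=3)),
    Account("bob", "support", {"crm:read", "tickets:write", "hr:read"}, AUDIT_DATE - timedelta(days=10)),
    Account("carol", "hr", {"hr:read", "hr:write"}, AUDIT_DATE - timedelta(days=200)),
    Account("dave", "sysadmin", {"crm:read", "hr:read", "tickets:write", "server:root"}, AUDIT_DATE - timedelta(days=1)),
    Account("svc_backup", "contractor", {"server:root"}, None),
]


def run_audit():
    """Run the audit over the constructed sample with the fixed date."""
    return audit(SAMPLE_ACCOUNTS, ROLE_BASELINE, AUDIT_DATE)


if __name__ == "__main__":
    for kind, finding in run_audit().items():
        print(kind, finding)
```

The interesting finding in the sample is the never-used service account with a role nobody defined: it is flagged three times (excess, inactive and admin), which is exactly the kind of account that widens the entry points this section describes and that a yearly review tends to miss when only human employees are on the list.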
Inadequate Employee Cybersecurity Training
While robust security protocols, effectively managing user privileges, and conducting thorough data risk assessments and management will go a long way toward protecting your organization, all of this needs to be paired with employee cybersecurity training.
In 2017, phishing attacks accounted for 90-95% of all successful cyberattacks, and this trend shows no signs of slowing down. Most employees assume that IT departments have a handle on data security, and even if they click on a suspicious link, it'll be dealt with by someone else. Other employees don't have the data risk awareness or IT knowledge to understand phishing attacks, let alone more sophisticated cyberattacks.
Research shows that even a moderate investment in training data security awareness can reduce the risk of a data breach by 72%. Unfortunately, it's not as easy as sitting employees down in a classroom and teaching them to differentiate between a phishing email and a legitimate one. Training needs to be engaging, ongoing, and broken up into individual sessions so your employees can fully understand their role in preventing a data breach.
External Data Threats
Ransomware
Unless you've lived under a rock, you'll know that ransomware is growing in popularity with cybercriminals. With ransomware-as-a-service hacking groups like DarkSide making it easier than ever for cybercriminals to attack businesses of all sizes, defending against ransomware is one of the biggest priorities in any external data threat management plan.
More often than not, the types of ransomware that reach the news cycle are known as "double extortion" scams, where hackers demand a ransom both to retrieve encrypted files and to prevent the data from being published online. These are the most sophisticated ransomware attacks and present the most significant data risk of any ransomware. However, even with screen-lockers and encryption ransomware, there's nothing to say that attackers aren't using them as a distraction while they access and copy your data.
The first line of defense against ransomware is solid internal security policies, such as those we discussed in the last section. Employee training is vital to prevent ransomware from being delivered through phishing scams, the most common cause of modern ransomware infections.
You should also invest in cybersecurity monitoring services or, if you have the budget, an in-house team that can dedicate their time fully to monitoring, analyzing, and improving your security. The advantage of investing in cybersecurity, particularly when it comes to ransomware and malware, is that such teams can visualize how attacks can enter and spread across your network.
This means that, in tandem with IT and any in-house development teams, they can patch any holes in your IT infrastructure before they can be exploited. They have professional tools to respond to and contain ransomware infections if they detect a data breach.
You should also frequently back up your data. Not all types of ransomware follow the "double extortion" scam, and in these cases, a data backup will allow you to purge your system of the malware without risking data loss.
Social Engineering Attacks
Social engineering attacks can be as simple as sending mass emails to your employees inviting them to click on a compromised link. Or, they can be as sophisticated as an attacker spending months calling different people around the company to learn enough information about a system to infiltrate it without raising suspicion.
As with most types of external threats, social engineering attacks can be countered by having strong internal security policies that guard against them. However, social engineering attacks often differ from typical cyber-attacks because they can occur physically and through your network and, more often than not, can be hybrids.
Social engineering attacks will typically exploit people into clicking links, sending money or information, or even accepting an infected USB dongle or CD by manipulating people's generosity, trust, curiosity, excitement, or willingness to comply with an authority figure.
Real-world examples of social engineering attacks include:
- Gaining access to a high-level executive's email account and asking employees to transfer funds. FACC lost $60 million to this "fake president" scam by preying on employee trust and the account holder's authority.
- Capturing user credentials with fake attachments. Users thought they were opening an Excel spreadsheet file in this phishing scam. However, the file was a disguised .html file, which, when run, told users they had to re-enter their login information.
- Gaining access to verified Twitter accounts to run a Bitcoin scam. While the exact details of this attack remain unclear, it's believed that hackers infected multiple Twitter employee systems with malware to gain administrative access to verified user accounts.
While you might think that countering this attack is as easy as teaching your employees not to click on suspicious email links, you'd, unfortunately, be mistaken. Even if every employee in your organization never clicked a link in an email again, there are still thousands of ways social engineering attacks can target your company.
The best way to counter these types of attacks is to build a company culture that values security and empowers employees to challenge suspicious behavior.
Employees should feel able to ask to see employee badges when someone is trying to access a restricted area and verify with managers and other employees if the email that appears to be from that person is genuine.
You should also run employee training sessions that focus on social engineering tactics and how employees can recognize them in the context of their jobs. As attacks become more sophisticated, employees need to be trained to look out for missing details, typos, and misspelled website URLs, as these can often be a hallmark of these kinds of attacks.
Unauthorized Application Downloads
Employees who regularly use a computer in the office will undoubtedly want to install applications and software alongside their work. From music applications like Spotify to time management desktop applications to help them manage their workload, employees will always try downloading applications that make their working life easier.
The issues with legitimate applications aren't necessarily the application itself but all the problems that can creep in when you allow employees to download applications without authorization.
First, when a user wants to download an application, they're likely to go to a search engine. It's not unheard of for cybercriminals to pay for a sponsored search result for popular applications and spoof the website to trick users into downloading what they think is the legitimate application they're looking for.
This allows them to execute "drive-by downloads" - installing malware when the user loads the page - or trick users into downloading an application with hidden malicious code. Then, as you might expect, this code could spread throughout your network, steal data from a user's computer, or even compromise your internal security to make way for a large-scale data breach.
Secondly, giving all users the privilege to download applications from the Internet is a significant security risk. While some users are aware of security risks and will take precautions to ensure the applications they download are legitimate, others will not have the same level of security foresight.
The best option for data security is to allow only administrators and users with root-level privileges to install applications, regardless of what those applications are. By blocking all application downloads on non-admin or non-root user accounts, you can quickly eliminate the risk of unauthorized application downloads.
Securing Your Company Against Data Risks
Unfortunately, this is by no means an exhaustive list of all the data risks facing your company. With each passing day, cybercriminals create new tools to help them infiltrate and steal data from company networks. The cases we've used as examples above were unthinkable in previous years.
That's why it's essential to take action now. While identifying the data risks your company faces is a good start in securing your systems and your network, you need to invest in security solutions that keep you secure against opportunistic attacks and those planned by large-scale cybercrime gangs.
The truth is that there's no one solution to making your data secure. Investing in security isn't a small investment, and regardless of the size of your company, it shouldn't be. While risk management and good InfoSec practices might be expensive, the alternatives are far worse.
Cybersecurity isn't cheap because it takes cross-functional risk management techniques to keep everything secure.
In the cybersecurity arms race, the name of the game is proactivity. Having a game plan in place in case a data breach occurs is good, but what's even better is mitigating and minimizing the risks of one occurring in the first place. Emerging technologies aren't guaranteed to be secure, regardless of how "cutting edge" they claim to be. So, every time you add new technology to your business or your network, you need to be the first person to ask what vulnerabilities this new technology presents and whether it can be exploited to gain access to your data.
We can guarantee that your network, systems, and even the software you use aren't as secure or private as you think. With a new cyberattack launched every 39 seconds, it pays to stay ahead of the curve so your business isn't the next victim.