As scary as it sounds, it’s very likely that your personal password is already out there, available to a hacker who might be trying to use it at this moment. In 2016, Kromtech had access to a giant database containing more than 560 million emails and passwords collected from a variety of sources. More recently, in June, Dixons Carphone admitted that hackers got access to records of nearly six million payment cards. People have become used to opening their personal email on many devices, either at work or at home, and over unsecured open WiFi networks in public places.
Typically, when companies find themselves in the midst of a data breach, they experience a loss of sensitive information that can cause either financial harm or a strain on their professional reputation. According to an IBM Cost of Data Breach Study, data breaches cost 419 of the companies interviewed a total of $3.62 million in 2017. If companies want to stop losing money due to data breaches, it’s important to identify the reasons that cause them. Let’s take a look at the three most prominent examples:
Hackers are experts at finding new ways to invade people’s privacy, but in reality, most cyber breaches and attacks are preventable. Within most companies, attacks occur due to password inefficiencies (such as using a default password across multiple accounts or having a weak password), or opening emails and links that contain malware or viruses.
As stated in the IBM report mentioned above, almost half of organizations represented in this research (47%) identified the root cause of a data breach as a malicious or criminal attack, and the average cost was approximately $156. Prevention methods may decrease this cost; some of these methods include investing in or installing an anti-malware program on the company’s system, and resetting passwords consistently (on average, once a month). Realistically, no one follows standard rules that prevent these hacker attacks. Even the most paranoid person will let his guard down from time to time. Regardless, companies can implement easy-to-maintain actions for prevention such as:
Install a password manager: Update all the passwords by using the “generate strong password” feature; most current apps include it by default.
Activate 2-factor authentication: Do this for both work and personal accounts. Breaking into corporate networks by compromising employees’ personal accounts first is a classic attack vector.
Check “have I been pwned?”: The website is a free resource for anyone to quickly assess whether they may have been put at risk because one of their online accounts was compromised or “pwned” in a data breach. With a simple click on this website, you can check whether your email appears in a breach.
Lost or stolen documentation and equipment
In 2014, the “Veteran’s Administration (VA) Incident” became famous as the first security breach to create awareness on this issue. Records from 26.5 million discharged veterans, including their names, social security numbers, and dates of birth, were stolen from an employee who “improperly took the material home”. According to the VA, the employee, a data analyst residing in suburban Maryland, saved the information on a disk, an act it called “in violation of policy,” and took the data home with him to use on his laptop. The employee’s home was burglarized, and the laptop was stolen.
Mobile phones, company laptops, USBs, or any other device that stores data can be interlinked with a corporate network. Loss or theft of any of these devices could result in data being leaked or used inappropriately. IBM’s research points out that in terms of cost for companies, system glitches and human error or negligence averaged approximately $128. People today have access to work accounts from anywhere: smartphones, iPads, and home computers. We can’t expect them to encrypt everything. Additionally, a large amount of valuable data gets exposed by third-party service providers, so the best way to remain protected is by paying close attention to password updates and following the security policies implemented by the company.
Last March, The Department of Homeland Security (DHS) confirmed a data breach involving personally identifiable information of more than 240,000 current and former DHS employees.
According to the agency, the files were found in the possession of a former DHS Office of Inspector General (OIG) employee. Insider treason is one of the hardest forms of data breaches to prevent. Companies can implement a disposal procedure once the distribution of data is implemented, deleting or disconnecting all of the employee’s work-related accounts and devices, but it’s still hard to monitor an employee’s actions once he or she has access to the network.
Each method of data breach comes with its own precaution to take, or a contingency plan that can rectify the wrongful distribution of private information in an unauthorized network or with the public. In the end, prevention methods can’t provide a final solution to the problem.
Perhaps data breaches can’t be eliminated forever; maybe the most important question to answer is, “How does a company minimize collateral damage caused by a data breach?”
Honesty is always the best policy. Once the breach occurs, the company should explain the situation to the clients immediately. In the end, a quick and honest reaction will mitigate the damage and keep their public image intact by taking responsibility.
Data breaches are one of the cyber world’s greatest threats, and each company should educate itself, as well as its employees, on the types that can occur and the proper protocol to take after the fact. Decentralized technologies, like blockchain, could introduce some new approaches and insights that might result in a solution for data breaches. Creating awareness on data attacks may not be the only effective prevention method out there, but it’s a good jumping-off point to discovering more that will help us eliminate them in the long run.