Almost 15 billion data records have been lost or stolen since 2013 – an issue that affects North America disproportionately more than other parts of the world. Should a company fall victim to an effective data breach, it could result in a loss of reputation, and could incur heavy financial losses.
According to the 2019 Cost of a Data Breach Report by the Ponemon Institute, the global average cost of a data breach in 2019 was $3.92 million – a 1.5 percent increase since the previous year. In the United States, the average total cost of a data breach stands at $8.19 million – more than twice the global average.
Now, with the GDPR in full effect, we will likely see these costs increase.
Under the GDPR, fines due to non-compliance can reach up to €20 million, or 4% annual global turnover – whichever is greater. The largest GDPR fines we’ve seen so far include British Airways – who was fined £183.39 million (approximately €200m) after traffic to the BA website was diverted to a fraudulent site – resulting in the theft of approximately 500,000 customer records. Marriott International was fined $123m (approximately €110m) after 383 million guest records were breached. And then we have non-GDPR fines, such as the €4.49bn fine that was issued to Facebook by the Federal Trade Commission (FTC) following the Cambridge Analytica scandal.
Attracting new customers or regaining the loyalty of existing customers following a successful and widely publicized breach is a very difficult task. The company in question must prove that it has implemented the necessary safeguards to mitigate any further breaches. Of course, there is no silver bullet when it comes to protecting sensitive data. However, provided we can answer the following questions, we will be in a much better position to prevent data breaches, as well as to avoid lawsuits and potentially large fines.
1. Do you have a tried and tested incident response plan (IRP) in place?
An incident response plan that has been tested, retested and perfected, will really help you reduce the time it takes to detect and respond to a data breach. It can help reduce the potential costs of a data breach and reduce compliance fines. Regular backups of your most sensitive data should be a part of this IRP to help you mitigate the damages a data breach could cause to business functions.
2. Do you have a strong password policy and is it being adhered to?
One of the most common causes of a data breach is a weak password policy. Password policies that include regular rotation and high levels of complexity help to stop attackers from getting easy, long-term access to sensitive data and systems. If your users are not changing their passwords regularly, then an attacker who manages to steal credentials will be able to access the compromised account indefinitely. Passwords should be long, contain multiple special characters, numbers and capitalized letters, and not be related to the user in any way.
3. Are you using multi-factor authentication?
If an attacker does manage to get hold of credentials, then you need to make sure you have another way to stop them from getting access to your systems. Multi-factor authentication provides another level of protection beyond passwords to help keep data secure against external and internal threats. Multi-factor authentication can take numerous forms, from simple security questions all the way through to biometric data.
4. Are you encrypting sensitive data both at rest and in transit?
If you encrypt data both at rest and in transit and then experience a data breach, you can reduce compliance fines because the sensitive data itself has not been exposed. There are numerous other benefits to encryption when it comes to protecting sensitive data, mainly that it is cheap to implement, helps to maintain the integrity of data and improves consumer trust.
5. Do you have a tried and tested security awareness training program in place?
Unfortunately, your end users present the biggest threat to your data security. Most breaches either originate at or go through end users, especially those users with privileged access. Employees may click on links in phishing emails or provide their credentials through intelligent social engineering attacks. Either way, you need to make sure you are confident that your employees (in all areas of the business) are fully aware of modern cybersecurity risks and what steps they can take to keep data secure.
6. Do you have a data discovery and classification solution in place?
You need to know exactly where your most sensitive data is and why it is sensitive to help focus your cybersecurity strategy. Trying to do this without a data classification tool simply isn’t going to work. Data classification tools allow you to locate sensitive data within your data stores, tag it and classify it according to risk levels and any compliance requirement you are mandated by. Knowing where this data is will help you assign the appropriate permissions and monitor your most valuable assets more closely.
7. Are you adhering to the “principle of least privilege”?
Excessive permissions are one of the biggest causes of insider threats. Users who have access to your sensitive data, in essence, have the keys to your safe. This makes them a risk to your security. Such users may inadvertently or purposefully abuse their privilege and cause a data breach. Make sure your users only have access to the files and folders they need to do their job, nothing more, in order to limit your potential attack surface.
8. Are you monitoring privileged user behavior in real-time?
Once you have limited access rights, you may still end up with a handful of users who require access to sensitive data. These are your privileged users. You need to know what these users are doing and whether they are making changes that could affect your security. For this, you’ll need to deploy a solution that makes use of user behavior analytics and enables you to automatically create alerts and set up a response plan for data breaches.
9. Are you auditing files, folders and email accounts containing sensitive data?
Focus your auditing on the files and folders that matter most. You should be able to determine when access and user behavior around these files and folders is anomalous or unwanted. Are you using threshold alerting to determine whether a certain number of events occur over a defined period of time? This kind of alerting will help you to spot unusual or potentially damaging changes being made to sensitive data.
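The threshold alerting described above, as an added example that is not part of the original post: a sliding-window check over constructed file-access audit lines that raises one alert when a single user touches a configurable number of sensitive files within a defined period. The log format, the sensitive path prefixes and the threshold values are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not from the original page): "<ISO time> <user> <action> <path>".
# alice reads six payroll files in under five minutes; bob reads three HR files spread over
# an hour; carol is busy in a non-sensitive share.
SAMPLE_LOG = """\
2019-10-01T09:00:05 alice READ /finance/payroll/q3.xlsx
2019-10-01T09:01:10 alice READ /finance/payroll/q2.xlsx
2019-10-01T09:01:55 bob READ /hr/reviews/2019.docx
2019-10-01T09:02:30 alice READ /finance/payroll/q1.xlsx
2019-10-01T09:03:00 carol READ /public/newsletter.pdf
2019-10-01T09:03:20 alice READ /finance/payroll/2018.xlsx
2019-10-01T09:03:45 carol READ /public/menu.pdf
2019-10-01T09:04:01 alice READ /finance/payroll/2017.xlsx
2019-10-01T09:04:30 alice READ /finance/payroll/2016.xlsx
2019-10-01T09:25:00 bob READ /hr/reviews/2018.docx
2019-10-01T09:58:00 bob READ /hr/reviews/2017.docx
"""

SENSITIVE_PREFIXES = ("/finance/", "/hr/")   # assumed output of a classification step

def parse_log(text):
    """Yield (timestamp, user, path) for each audit line."""
    for line in text.splitlines():
        ts, user, _action, path = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), user, path

def threshold_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one user accesses `threshold` sensitive files within a trailing window.
    A burst produces a single alert: repeats within the window are suppressed."""
    recent = defaultdict(deque)    # user -> access timestamps still inside the window
    last_alert = {}                # user -> time of that user's last alert
    alerts = []
    for ts, user, path in sorted(events):
        if not path.startswith(SENSITIVE_PREFIXES):
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop accesses that fell out of the window
            q.popleft()
        suppressed = user in last_alert and ts - last_alert[user] <= window
        if len(q) >= threshold and not suppressed:
            alerts.append((user, ts.isoformat(), len(q)))
            last_alert[user] = ts
    return alerts

if __name__ == "__main__":
    for alert in threshold_alerts(parse_log(SAMPLE_LOG)):
        print("ALERT", alert)
```

With the sample data only alice trips the threshold, at her fifth payroll read; bob's accesses are too spread out and carol never touches a sensitive path.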
10. Do you have a data security platform in place to help with all of this?
It can seem like a daunting task to stay ahead of data breaches. Data breach detection and prevention solutions can help automate some of the more time-consuming tasks and create a more proactive and continuous monitoring environment – helping to detect data breaches and prevent them from causing damage.
These are some of the more common questions that need to be answered in order to mitigate data breaches. However, there are other (less common) factors that need to be taken into account. For example, is all of your sensitive data stored on the same server? Even with strict access controls in place, this is not the best idea as it creates a single point of failure.
That doesn’t mean you need to jump on the Blockchain bandwagon. It means that data should be distributed across multiple servers and supported by a zero-trust security model to prevent hackers from moving laterally across your network. Additionally, it’s a good idea to automate everything you can and use AI/machine learning where possible.
Finally, if you are allowing employees to bring their own devices into the workplace, you will need to make sure that you have a BYOD policy in place. If we are to stay afloat amidst the constantly evolving threat landscape, we must ensure that we keep up to speed with the latest trends, tools and technologies that are available to us.