Almost 15 billion data records have been lost or stolen since 2013 – an issue that affects North America disproportionately more than other parts of the world. Should a company fall victim to an effective data breach, it could result in a loss of reputation, and could incur heavy financial losses.
According to the 2019 Cost of a Data Breach Report by the Ponemon Institute, the global average cost of a data breach in 2019 was $3.92 million – a 1.5 percent increase since the previous year. In the United States, the average total cost of a data breach stands at $8.19 million – more than twice the global average.
Now, with the GDPR in full effect, we will likely these costs increase.
Under the GDPR, fines due to non-compliance can reach up to €20 million, or 4% annual global turnover – whichever is greater. The largest GDPR fines we’ve seen so far include British Airways – who was fined £183.39 million (approximately €200m) after traffic to the BA website was diverted to a fraudulent site – resulting in the theft of approximately 500,000 customer records. Marriott International was fined $123m (approximately €110m) after 383 million guest records were breached. And then we have non-GDPR fines, such as the €4.49bn fine that was issued to Facebook by the Federal Trade Commission (FTC) following the Cambridge Analytica scandal.
Attracting new customers or regaining the loyalty of existing customers following a successful and widely publicized breach is very difficult task. The company in question must prove that they have implemented the necessary safeguards to mitigate any further breaches. Of course, there is no silver bullet when it comes to protecting sensitive data. However, providing we can answer the following questions, we will be in a much better position to keep the bad guys out, as well as avoid the lawsuits and potentially large fines.
1. Do you have a tried and tested incident response plan (IRP) in place?
An incident response plan that has been tested, retested and perfected, will really help you reduce the time it takes to detect and respond to a data breach. It can help reduce the potential costs of a data breach and reduce compliance fines. Regular backups of your most sensitive data should be a part of this IRP to help you mitigate the damages a data breach could cause to business functions.
2. Do you have strong password policy and is it being adhered to?
Password policies that include regular rotation and high levels of complexity help to stop attackers from getting easy, long term access to sensitive data and systems.
3. Are you using multi-factor authentication?
Multi-factor authentication provides another level of protection beyond passwords to help keep data secure against external and internal threats.
4. Are you encrypting sensitive data both at rest and in transit?
If you encrypt data whilst in rest and in transit, if you experience a data breach, you can reduce compliance fines because the actual sensitive data itself has not been exposed.
5. Do you have a tried and tested security awareness training program in place?
Make sure you are confident that your employees (in all areas of the business) are fully aware of modern cybersecurity risks and what steps they can take to keep data secure.
6. Do you have a data discovery and classification solution in place?
You need to know exactly where your most sensitive data is and why it is sensitive to help focus your cybersecurity strategy. Trying to do this without a data classification tool simply isn’t going to work.
7. Are you adhering to the “principle of least privilege”?
Make sure your users only have access to the files and folders they need to do their job, nothing more. Excessive permissions are one of the biggest causes of insider threats.
8. Are you monitoring privileged user behavior in real-time?
Privileged accounts are users that have access to your most valuable data. You need to know what these users are doing and whether they are making changes that could affect your security.
9. Are you auditing access to files, folders and email accounts containing sensitive data?
Focus your auditing on the files and folders that matter most. You should be able to determine when access and user behavior around these files and folders is anomalous or unwanted. Are you using threshold alerting to determine whether a certain number of events occur over a defined period of time? This kind of alerting will help you to spot unusual or potentially damaging changes being made to sensitive data.
10. Do you have a data security platform in place to help with all of this?
It can seem like a daunting task to stay ahead of data breaches. Data security platforms can help automate some of the more time-consuming tasks and create a more proactive and continuous monitoring environment.
These are some of the more common questions that need to be answered in order to mitigate data breaches. However, there are other (less common) factors that need to be taken into account. For example, is all of your sensitive data stored on the same server? Even with strict access controls in place, this is not the best idea as it creates a single point of failure.
That doesn’t mean you need to jump on the Blockchain bandwagon. It means that data should be distributed across multiple servers and supported by a zero-trust security model to prevent hackers moving laterally across your network. Additionally, it’s a good idea to automate everything you can and use AI/machine learning where possible.
Finally, if you are allowing employees to bring their own devices into the workplace, you will need to make sure that you have a BYOD policy in place. If we are to stay afloat amidst the constantly evolving threat landscape, we must ensure that we keep up-to-speed with the latest trends, tools and technologies that are available to us.