As the old saying goes, there are two certainties in life: death and taxes. And if your organization deals with exchanging sensitive information, you can add data breach to that list.
Data breaches occur at an alarming rate, their causes ranging from high-profile cyberattacks, to breakdowns in workflow, to simple human error. No matter the cause, the effects of a breach can be disastrous to an organization and careers alike. While most modern, high-profile breaches are tech-heavy, a breach is not solely the IT department’s problem. To the contrary—according to a Gartner report, it is predicted that by 2024, 75% of CEOs may be held personally liable for a data breach. While a CEO may not be directly responsible for a breach, per se, this is an instance of a one-way train ticket to Accountability-ville. All aboard, including senior management! *train whistle, leaves the station*
While not every breach will make front page headlines or the 24-hour cable news cycle, organizations should expect a breach at some point and plan a defensive strategy. As I mentioned in the previous installment of this series, it is not a question of if a breach will occur, but rather, where and when.
In this installment of the Risk of a Data Breach series, I’ll focus on the costs of a potential breach, and on where analysts and operations can evaluate potential risks within their business, notably the people and processes associated with the exchange of sensitive data and documents.
School is in Session
Let’s start with the definitions of a hack versus a breach. The two may seem like the same thing, but there are important nuances. A hack is an intentional, malicious attack against your IT systems by a third party with the intent of stealing and selling information, blackmail, or some other self-serving use. A breach (which can result from a hack) occurs when information is left unsecured, exposing your data and documents to unauthorized viewers, both internally and, potentially, in the outside world. This article will focus on the latter.
The Business End of a Breach
The average cost of a breach is in the millions, with healthcare leading the way in bearing the highest breach-related costs, $7.1 million on average. The cost of a data breach for a business extends well beyond additional budgeting for the IT department. Immediate costs include enormous legal fees and regulatory fines (particularly for issues such as a HIPAA violation). Additionally, costs add up over time with the risk of lost current and future revenue stemming from bad PR and a loss of customer trust. You might think you are covered with insurance, but think again. Insurance payments typically only cover $500,000-$5 million per incident. If costs exceed your coverage limit, the business is responsible for the rest. Case in point: check out the fines associated with GDPR violations. Google doled out a cool 50 million Euros in 2019 for GDPR violations. That might be pocket change for an entity such as Google, but it is still a significant amount for most companies. To add insult to financial injury, after a particularly high-profile breach, a company might be associated with the breach rather than with the products and services it offers. Two examples of this are Target and Uber.
With high stakes for your reputation and bottom line, as well as for the overall ethics of keeping sensitive data protected, reducing your business’ risk of a data breach is an enterprise-wide responsibility.
The Root of the Matter
A data breach has causes other than sloppy code, network loopholes, or poor defenses against malware. There are many other ways that data can make its way out of your organization and into public view. Knowing the processes that exist in your business that are at a greater risk of a data breach is step one towards increasing your organization’s security.
Unsecure Exchange Methods
Some of our most tried-and-true communications methods no longer cut it. One example is the fax machine. Faxing may have been cutting-edge technology back in 1843 when Alexander Bain developed the first prototype, but no more. Not only do fax machines transmit unencrypted data over a public network, but their output is often in the open. Another example is your organization’s not-entirely-secure enterprise email system. Yes, access to mailboxes is password-protected, but does it encrypt sensitive messages and documents in ways that your employees and customers want to use?
Password Factors
Password protection is great, except when it isn’t. While weak passwords are a problem, according to Windows Central, the majority of account hacks result not just from weak passwords but also from the lack of two-factor authentication. Essentially, because a password was the only line of defense, a hacker was able to grab that password and access a system because they only needed one form of identification.
Access
Who should have access to your data and who really does? If you’re not employing a Zero Trust policy, you may be leaving the vault door wide open for stolen or compromised data, whether in the case of malicious intent or simple human error.
BYOD Policies
Even before the meteoric rise in employees clocking in from home, a number of organizations allowed staff to use their own devices in addition to (or instead of) company devices—often with no accompanying user policy or documented expectations. Any device where employees conduct both personal and company business can compromise security, including that of sensitive data and documents. In addition to company-sanctioned devices, auxiliary devices, such as thumb drives, may be compromised, offering another hole for your data to escape.
Human Error
People make mistakes—it’s a fact of life. An unattended laptop may result in device theft and access to data—especially if data was saved locally. Sometimes, a document is sent to the wrong email address or fax number. Speaking of common errors, who among us has never left a faxed/copied document on the machine, allowing others to see that confidential data? (And people look. Even if they say otherwise.)
Easy Way Around Security
In addition to the common human errors I just described, employees may engage in less-than-secure practices to save time. For instance, if an employee has a full plate and deadlines, they may opt for the path of least resistance, particularly if your organization’s secure exchange and storage methods have a clunky interface. You can bet on shortcuts if exchanges require additional steps such as logging into separate portals. Like the sand in an hourglass, so slips security protocol.
“But We’ve Always Done it this Way”
The above phrase is highly dangerous to an enterprise for a myriad of reasons. In addition to stifling new ideas and workflows, resting on your BWADITW laurels can set your organization up for terrific security failures. This attitude enables the risk elements I described above; in particular, it means continuing with exchange methods that are either not secure or inconvenient, such as regular emails simply marked “confidential” and multiple portal logins for secure message and document exchange. Resting on laurels might indicate that management is asleep at the wheel, not anticipating or planning for potential human errors and breakdowns in workflow. BWADITW invokes the meme of the dog surrounded by flames, sipping on coffee and saying “this is fine”. This attitude impedes the case for research and investment in systems upgrades, including a secure exchange system that does more than just tick a compliance checkbox and actually gets used.
This approach to cybersecurity is a whole lot o’ nope.*
Just because your organization hasn’t had a data breach yet doesn’t mean the risk isn’t there. Integrating data protection in ways that are most natural to your employees, systems, customers and partners ensures that your information security strategy becomes part of your data exchange workflows. While a secure exchange method might not prevent a breach, implementing one that gets in the way of workflows, productivity and customer experience will elevate the chance that simpler, non-secure methods of exchange will be used, greatly increasing your risk of a hack or data breach. If hackers and thieves cannot decipher the content, then they cannot use or sell the data, making it useless.
We’ve now discussed where the risks of a data breach lie within your organization, both on the IT and business sides. In the next installment of this series, we’ll explore how your organization can improve secure exchange practices and avoid both the risk of a data breach and the compliance nightmares that can accompany these events.
*Image is courtesy of imgflip.com