Data breaches are rapidly becoming one of every organization’s biggest fears. As the importance of data security continues to grow, hackers are becoming more brazen and finding more creative ways to get their hands on valuable information. In January 2019 alone, an astonishing 1.76 billion records were compromised in data breaches all over the world. To make matters worse, the cost of ransomware attacks alone is expected to hit $11.5 billion in 2019.
Despite the immense financial and reputational damage companies incur as a result of data breach issues, very few organizations are ready to face an attack. Businesses tend to make a variety of mistakes before experiencing a data breach, as well as falling victim to several pitfalls after a data breach occurs. Familiarizing yourself with these mistakes is a smart step to better safeguarding your company’s data.
Table of Contents
- Common Mistakes Made By Businesses Before a Data Breach
- Common Mistakes Made By Businesses After a Data Breach
- How to Solidify Your Data Security Plans
Common Mistakes Made By Businesses Before a Data Breach
Sometimes even companies with robust cybersecurity practices experience a data breach, but failing to implement certain policies greatly increases an organization’s vulnerabilities. These five mistakes make it much easier for malicious actors to infiltrate your security and steal company data.
1. Implementing BYOD Policies
Companies that allow employees to bring their own devices (BYOD) to work are exposing themselves to unnecessary security risks. The main danger is the mixing of corporate and personal data on the same device. Many people tend to play fast and loose with their personal mobile devices and don’t think twice before downloading a new app. If that newsfeed app an employee just downloaded happens to contain malware, it will affect any company data stored on the device as well as the employee’s personal data.
When employees interact with company data on their personal devices, it’s crucial to have a policy in place to help mitigate the risk of that information being lost or transmitted to unauthorized parties. Two of the most common and effective policies include remote wipe capabilities and requirements for keeping devices up to date with all operating system and software updates.
2. Not Providing Adequate Training About Data Security & Cyber Attacks
Human error accounts for a significant portion of data leakage. Many companies never provide the basic training employees need to recognize simple attacks such as phishing. Phishing emails fool people into thinking they’re communicating with a legitimate entity, so they feel safe handing over money or data. These scams have become significantly more sophisticated over the years, with Symantec estimating that bills and fake invoices make up just under 16 percent of attacks.
One survey by Crowd Research Partners revealed that 55 percent of organizations consider users with privileged data access to be the biggest internal security risk. Failing to provide adequate training and uphold security policies creates a large loophole for cybercriminals to exploit. Current research clarifies the value of a strong data security training program, showing that changing employee behavior lowers an organization’s risk of a security breach by 45 to 70 percent.
Even small businesses should have at least some mandatory training for employees, especially if they bring their own devices to work.
3. Using Generic Passwords
The need for passwords is so ubiquitous that people often fail to follow best practices when setting them up. This mindset is fairly easy to understand. When you’re working with multiple email accounts, social media accounts and more every day, the idea of coming up with a new password for each service can feel overwhelming. However, password security is absolutely crucial for data security. According to research by Verizon, stolen or weak passwords facilitate more than 80 percent of hacking-based breaches.
Hackers know that generic passwords are a common vice among employees, so training around best practices for passwords can go a long way toward bulking up your data security. Using a password manager like LastPass makes it easy to generate, store and retrieve strong passwords.
4. Forgetting to Back Up & Secure Important Data
Here’s a scary thought: What if the data you lost in a breach was gone forever? That could be a very real possibility if your organization doesn’t have a backup strategy in place. Cyber attacks in the form of ransomware can hold your data hostage and completely scrub it if your organization doesn’t meet hacker demands. If you have a backup of your data, you can restore a version without the malware.
You can choose between physical backups and cloud-based solutions, but you should always have multiple backups and test them regularly. Backups don’t just protect your organization from outside attacks. They can be invaluable when an employee accidentally deletes or modifies critical data, or when a system experiences a glitch and goes down. They’re an excellent way to prevent costly downtime, and an essential part of your continuity plan when data has been breached.
5. Failing to Utilize Encryption
Tools like strong passwords, removable storage and firewalls are all useful in securing data, but they don’t help once a hacker has gotten access to the information. Encryption uses algorithms to convert information into ciphertext that cannot be read without the correct key. Recovering the data without that key would take even the most powerful computers months or years, so only the people holding the correct key can view the information instantly.
Businesses that don’t encrypt their information put their own data and that of their customers at unnecessary risk. According to research from the Ponemon Institute, only 43 percent of organizations have a consistent encryption strategy across the enterprise.
Any and all confidential information should be encrypted, especially if it will be transmitted over a wireless network where it could be intercepted. Cybercriminals are constantly developing new ways to break encryption faster, so it’s important to choose a reliable service that stays a step ahead of hackers.
Common Mistakes Made By Businesses After a Data Breach
Failing to implement basic safeguards to prevent data breaches is deeply dangerous, but actions taken in the wake of a data security event can make or break an organization. About 60 percent of small companies go out of business after suffering a cyber attack, and many of them make the following five mistakes.
1. Having No Decision-Maker
A data breach response team will necessarily be made up of several employees. These teams usually include IT staff as well as executive management. If the team doesn’t have a leader, however, a data breach can cause chaos in a hurry. An organization should have one person who owns and facilitates the response plan. That individual should function as the central point of contact for customers as well as internal teams.
Designating one person as the breach team leader makes it easier to stay organized and ensure that each question has only one answer. Without a decision-maker at the hub of data breach response, it’s nearly impossible to keep track of what steps have been taken and what still needs to be done in the aftermath of a data security breach.
2. Poor Communication
Failing to communicate with customers is one of the biggest mistakes after a data breach. If your organization doesn’t move quickly enough to address a breach, your reputation will take significant damage. Despite this common-sense notion, multiple large organizations have been criticized for failing to notify affected parties that a breach occurred.
When Equifax Inc. experienced a breach that compromised the records of 145.5 million Americans, they dragged their feet for six weeks before reporting the incident to the public. When the Securities and Exchange Commission (SEC) discovered that hackers had gotten into their database and possibly facilitated insider trading, they sat on the news for a full year before releasing any information about the attack.
Under the General Data Protection Regulation (GDPR) implemented in the European Union in 2018, affected companies have only 72 hours to report a security breach. This timeline is a good benchmark even for U.S. companies, as it balances the need to immediately begin your response plan with the right of customers to know what’s going on with their data.
3. Avoiding Accountability
When a data breach occurs, it’s natural to want to point the finger at a technological failure or instance of human error. In the past, CEOs could get away with firing the CIO and moving on with things, but recent examples show that the public expects executives to help shoulder the blame.
Richard Smith, former CEO of Equifax, went before the House Energy and Commerce Committee after the breach and combined his seemingly heartfelt apology with an acknowledgment that the incident occurred due to human error and technology failure.
While the apology came far too late to placate the public, it might have done some good had it been delivered in a timely fashion. Avoiding accountability for a data breach is a one-way ticket to losing customers and positive public opinion.
4. Failing to Provide Customer Solutions
Failing to consider the needs and safety of customers after a security incident is one of the worst data breach mistakes a company can make. Yahoo provides a disturbing example of this situation with the way the company added insult to injury after disclosing a breach of 500 million passwords in 2016. Marissa Mayer, CEO at the time, outright rejected a basic step that would have immediately shielded customers with exposed accounts.
A Yahoo spokeswoman revealed that the company decided the risk of the stolen passwords being misused was low, and so they declined to automatically reset passwords. Instead, they merely notified users and encouraged them to reset their passwords on their own. Needless to say, failing to do a full reset on Yahoo’s end unnecessarily worsened the impact of the initial breach.
The Equifax response to customers was even worse. Initially, the company offered a year of free credit reporting if customers waived their rights to sue. They also tried charging customers to freeze their credit reports, touting the feature as an extra layer of protection. Already-incensed customers were rightly outraged, and rolling back these responses was not enough to reverse the damage.
5. Micromanaging the Response
After a breach, it’s common for management to feel like they have to overcompensate by micromanaging. This response stems from the sense that if a data breach occurred while you weren’t paying attention, the best course of action is to pay as much attention as possible.
While it’s crucial for managers and executives to have a hand in your company’s post-breach plans, it’s not effective to put everyone under a microscope. Teamwork is essential in managing this kind of situation, and putting your trust in your outside counsel and vendors is the way to go. Delegation skills are a must for dealing with a data breach, and holding the appropriate parties accountable is a better use of time than attempting to oversee every minute step of the recovery plan.
How to Solidify Your Data Security Plans
The need for better data security practices is clear. If you want to save your business the $3.86 million the average data breach costs, it’s essential to invest in better practices and network security measures. These five steps are a good start for any organization.
- Limit access: If everyone has the same level of access to company information, anyone can accidentally delete or damage data. Additionally, more access points mean more opportunities for cybercriminals to target phishing and other attacks. Restrict information to the employees who need it, using access controls such as passwords and encryption.
- Set a password policy: One weak password can bring down an entire organization, and many employees don’t understand how important it is to use a different password for every account. Encourage the use of strong passwords that combine upper and lowercase letters, symbols and numbers and meet a minimum length.
- Train employees: Implementing a data security training program for all current and new employees is a good way to strengthen your company’s weakest links and reduce the impact of human error. Even an informal training session is better than nothing at all.
- Test your backups: It’s not enough to simply set up a backup system — the system has to work correctly every time. Regularly testing backups ensures your systems will be ready in the case of a security breach.
- Secure your network: Covering the basics of network security is critical in preventing cybercriminals from exploiting weaknesses. The basic tools of anti-virus, firewall, anti-malware, anti-spyware and encryption all have to be secured and kept up to date at all times.
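As an added illustration of the "test your backups" step (this script is not from the original post), the drill below archives a constructed sample directory, restores the archive into a scratch directory, compares the restored tree with the original, and then repeats the check against a deliberately corrupted archive to show what a failed drill looks like. It assumes only POSIX sh, tar, gzip and diff.

```shell
#!/bin/sh
# Added example (not from the BlackStratus post): a minimal "test your backups"
# drill. Sample data is constructed here so the script runs offline.
set -eu

# Build a throwaway "production" directory containing constructed sample files.
make_sample_data() {
    dir=$(mktemp -d)
    mkdir -p "$dir/records"
    printf 'customer,email\n1,a@example.invalid\n' > "$dir/records/customers.csv"
    printf 'ledger entry 42\n' > "$dir/records/ledger.txt"
    printf '%s\n' "$dir"
}

# Create a compressed tar archive of directory $1 at path $2.
make_backup() {
    tar -C "$1" -czf "$2" .
}

# Restore archive $1 into a fresh scratch directory and compare it with the
# source tree $2. Prints OK and returns 0 when every file matches; prints
# MISMATCH and returns 1 otherwise, which means the backup cannot be trusted.
verify_backup() {
    archive=$1; src=$2
    restore=$(mktemp -d)
    # An archive that fails to unpack is itself a failed test.
    if ! tar -C "$restore" -xzf "$archive" 2>/dev/null; then
        rm -rf "$restore"; echo "MISMATCH"; return 1
    fi
    # diff -r walks both trees; -q only reports whether any file differs.
    if diff -rq "$src" "$restore" >/dev/null; then
        rm -rf "$restore"; echo "OK"; return 0
    fi
    rm -rf "$restore"; echo "MISMATCH"; return 1
}

# Run the drill twice: on a healthy archive (must pass) and on the same file
# after simulated silent corruption (must fail). Prints "drill passed" if the
# verification logic behaves correctly in both cases.
run_drill() {
    src=$(make_sample_data)
    archive=$(mktemp)
    make_backup "$src" "$archive"
    verify_backup "$archive" "$src" || return 1
    printf 'not an archive' > "$archive"
    if verify_backup "$archive" "$src"; then return 1; fi
    rm -rf "$src" "$archive"
    echo "drill passed"
}
```

Run `run_drill` from a scheduled job and treat anything other than "drill passed" as an incident: a backup that has never been restored is only a hope, not a plan.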
Managing data security can be a complex job, especially when your organization has limited funds for IT and security teams. BlackStratus can do the hard work for you with a suite of security information event management (SIEM) products and services.
Whether you’re looking for on-site solutions or security as a service, you’ll find that we offer exceptional value in the form of cutting-edge technology and the support you need to take advantage of it. With multiple levels of compliance built into the platform, you can rest assured knowing your small business or enterprise security specs are fully in line with all applicable regulations.
If you’re ready to make progressive strides on data security for your organization, contact BlackStratus. Our experts will be happy to answer your questions, and you can even request a live demo to see exactly how we can improve the security of your business.