An ever-growing number of organisations are getting worried about data breaches. Don’t fixate too hard on the cinematic idea of cunning hackers infiltrating your computers with sinister purpose; the range of threats against your systems and data is broader than you might imagine.
This wide-ranging survey of data threats is intended to expand your horizons and get you thinking about some of the most likely data breach scenarios your organisation needs to consider. Data protection officer services in the UK can help, but you first need to know what risks they can help with.
1) Human Error
From the most secure government system to the humblest small business, the greatest data breach threat is always the same: ordinary human error.
A distressing number of data breaches come down to a single individual exposing sensitive information by failing to follow procedures – or by acting rashly in a situation where an organisation has no data security procedures. A simple example that’s all too common is the accidental release of a mailing list. If an employee puts a list of recipients into the CC field instead of the BCC field, every recipient gets a look at every email address on the list. This can be embarrassing if all the members of a marketing newsletter now have each other’s contact information. The problem can turn into a disaster if the common theme uniting the recipients is something more sensitive, like political affiliation or sharing a medical condition.
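The CC/BCC slip above is easy to catch before the message leaves the organisation. The following is an added example, not code from the original article: a pre-send check that parses an outbound message and flags a send whose visible recipients (To and Cc) look like a pasted mailing list. The thresholds, the sample messages and the `example` domains are all constructed for illustration.

```python
"""Pre-send check for the CC-instead-of-BCC mistake.

Added example, not from the original article. It assumes outbound mail is
available as an RFC 5322 message (constructed inline here) and that a
mailing-list send is one addressed to many visible recipients.
"""
from email import message_from_string
from email.utils import getaddresses

# Thresholds are assumptions for illustration: tune them to the organisation.
MAX_VISIBLE_RECIPIENTS = 10
MAX_VISIBLE_DOMAINS = 3


def visible_recipients(raw_message: str) -> list[str]:
    """Return the addresses exposed to every recipient (To and Cc, never Bcc)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_mass_cc(raw_message: str) -> dict:
    """Flag a message that looks like a list send with exposed addresses.

    Many visible recipients spread across many unrelated domains is the
    signature of a recipient list pasted into To/Cc instead of Bcc.
    """
    addrs = visible_recipients(raw_message)
    domains = {a.rsplit("@", 1)[-1] for a in addrs}
    flagged = len(addrs) > MAX_VISIBLE_RECIPIENTS and len(domains) > MAX_VISIBLE_DOMAINS
    return {"visible": len(addrs), "domains": len(domains), "flagged": flagged}


# Constructed sample: a newsletter whose subscriber list was pasted into Cc.
LEAKY_NEWSLETTER = (
    "From: news@example.org\r\n"
    "To: news@example.org\r\n"
    "Cc: " + ", ".join(f"user{i}@domain{i}.example" for i in range(25)) + "\r\n"
    "Subject: March newsletter\r\n\r\nHello all\r\n"
)

# Constructed sample: the same send done correctly. Bcc is stripped before
# delivery, so no subscriber address appears in the headers at all.
SAFE_NEWSLETTER = (
    "From: news@example.org\r\n"
    "To: news@example.org\r\n"
    "Subject: March newsletter\r\n\r\nHello all\r\n"
)

if __name__ == "__main__":
    print(check_mass_cc(LEAKY_NEWSLETTER))
    print(check_mass_cc(SAFE_NEWSLETTER))
```

Hooked into a mail gateway or a send-button plugin, a `flagged` result is the moment to hold the message and ask the sender to confirm, which is cheaper than the notification exercise that follows the breach.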
2) Social Engineering
This is a type of malicious attack that is so common and so insidious that it deserves consideration ahead of movie-type hacking. The perpetrators will masquerade as people who might conceivably be entitled to the data they’re after. Then they will attempt to coax an authorised user to break data security without knowing it. Common social engineering goals include:
- Getting targets to turn over sensitive data directly.
- Getting targets to share access credentials to a restricted space (digital logins or even physical access to a premises).
- Convincing targets to download/install a malicious piece of software.
A common form of social engineering that targets both businesses and individuals is phishing. A phishing email is one designed to look like a legitimate (and usually urgent) request for assistance from a reliable organisation. Victims who fall for the phishing communication will end up sharing sensitive information with the perpetrators.
3) Cyber Attack
Focused criminals who are after a specific piece of information or set of data will use a range of tools to defeat an organisation’s security measures and get it. In addition to targeted social engineering like that discussed above, there are two main weapons in the cybercriminal’s arsenal.
The first is exploiting vulnerabilities in the security system. These can be features of the hardware, the software, or the procedures that govern how employees use them. An organisation without strong password rules, for instance, becomes vulnerable to hackers using “brute force” methods to try every possible permutation of access credentials.
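Two controls blunt the brute-force guessing described above: reject passwords that a guessing tool would try first, and lock an account after a burst of failed logins so that trying every permutation stops being feasible. The block below is an added example, not code from the original article; the policy values, the lockout thresholds, the account names and the stand-in common-password list are all assumptions chosen for illustration.

```python
"""Password policy check and account lockout against brute-force guessing.

Added example, not from the original article. The policy values and the
lockout thresholds are assumptions chosen for illustration.
"""
import time
from collections import defaultdict, deque

MIN_LENGTH = 12                       # assumption: minimum password length
# Constructed list standing in for a real breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MAX_FAILURES = 5                      # assumption: failures before lockout
WINDOW_SECONDS = 15 * 60              # assumption: sliding window for counting failures
LOCKOUT_SECONDS = 30 * 60             # assumption: how long the lockout lasts


def password_policy_violations(password: str) -> list[str]:
    """Return the reasons a candidate password is rejected (empty if accepted).

    Length and a breached-password list do most of the work: a short or
    common password is exactly what a guessing tool tries first.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if len(set(password)) < 4:
        reasons.append("too few distinct characters")
    return reasons


class LoginThrottle:
    """Account lockout: after MAX_FAILURES failures inside WINDOW_SECONDS the
    account refuses further attempts for LOCKOUT_SECONDS.

    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock has expired: clear it and start counting afresh.
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a failed attempt; return True if the account is now locked."""
        now = self._clock()
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()              # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the failure count."""
        self._failures[account].clear()


if __name__ == "__main__":
    print(password_policy_violations("password1"))
    throttle = LoginThrottle()
    for _ in range(MAX_FAILURES):
        throttle.record_failure("alice")
    print("alice locked:", throttle.is_locked("alice"))
```

The lockout counter is per account; a real deployment would also record the source of the attempts and alert when many accounts accumulate failures at once, since that pattern is what a guessing campaign looks like in the logs.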
The second weapon is malware, hostile software inserted into the target organisation’s system to achieve the hacker’s purpose. Malware covers a host of different programs that can have many different effects. A program may be designed to collect sensitive information or clandestinely use the organisation’s own IT resources to run unauthorised code. There are more offensive types of malware (e.g. ransomware, viruses) designed to damage or destroy the organisation’s IT system and data.
4) Employees Acting Maliciously
We have already identified human error as a prime vulnerability in every data security system. This is one of the reasons that keeping data safe becomes orders of magnitude harder if someone inside the system chooses to act maliciously. It becomes trivially easy to steal or destroy data when the criminal has gained legitimate access to it first. Like any criminal, malicious employees can be motivated by many different drives. Revenge is a common problem, particularly if employees with data access are laid off and feel resentful about it. Financial gain is also a large issue – employees with access to sensitive data may be tempted into stealing it if they have an easy path to monetising it, like selling it on the dark web.
5) Physical Security Breaches
In the online age, many organisations run the risk of tunnel vision when it comes to data security. It can be all too easy to forget that physically removing data – on devices or even on paper – results in a data breach just as potentially damaging as hacking.
Paper that contains sensitive information needs to be disposed of in a way that renders the data unrecoverable, usually shredding. Similar rules should be applied to discarded devices and storage media (e.g. USB drives).