A data breach occurs when protected, private, or confidential information is released to an untrusted environment, whether intentionally or unintentionally. Unintentional database exposure, data theft, information leakage, and data spill are other common terms for this type of cybersecurity breach. The repercussions of a data breach are often severe for individuals, enterprise businesses, small businesses, and government agencies. A minor flaw in your security can lead to a major data breach and allow cybercriminals to steal data if it is not addressed properly.

How does a data breach occur?

A data breach is often assumed to be the work of an external cybercriminal, although this isn’t always the case.

Some data breaches can be traced back to intentional attacks. Others are caused by a single mistake on the part of an individual or by weaknesses in a company’s infrastructure. Cybercriminals often use phishing, malware, or brute force attacks to carry out a data breach.

A data breach can occur in one of many ways:

An Accidental Insider

An employee accessing a coworker’s machine and reading files without the correct authorization permissions is one example of an accidental insider. No information is exchanged, and the access is unintended. The data is still compromised, because it was viewed by another user without authorization.

A Malicious Insider 

A malicious insider accesses and/or exchanges data with the intent of causing damage to a person or an organization. The malicious insider may have legal permission to access the data, but the aim is to use it for sinister purposes like cybercrime scams. This data can be sold on the dark web. 

Devices That Have Been Misplaced or Stolen

Anything that holds classified material, such as an unencrypted and unlocked notebook or external hard drive, can go missing. When devices go missing, this can lead to authentication issues and to individuals gaining unauthorized access to sensitive data.

Outside Hackers

These are cybercriminals who collect information from a network or an entity using a variety of attack vectors. These cybercriminals can gain access to bank account information, card data, credit card information, dates of birth, driver’s license numbers, login credentials, and other personal details. This information can be used to access an organization’s information that could then be used for malicious purposes or sold on the dark web. 

The Biggest Data Breaches

A data breach can affect anyone and any organization, from everyday people to large corporations and government agencies. The risks of a data breach are compounded by the fact that one data breach can put hundreds to thousands of others at risk by leaking sensitive information. One example of this is the infamous Equifax data breach of 2017, a security incident that impacted millions.

The Equifax Data Breach

Equifax reported a data breach in September 2017 that compromised the sensitive and personal information of 147 million individuals. The credit reporting firm was first infiltrated via a customer complaint website, with attackers exploiting a well-known vulnerability that should have been patched, but wasn’t because of flaws in Equifax’s internal processes. Since the Equifax networks were not properly segmented from one another, the attackers were able to move from the web portal to other sites and locate usernames and passwords stored in plain text, allowing them to reach even more sensitive systems.

The Equifax breach went undetected for months. Equifax did not make the hack public until more than a month after it was found, and stock trades by senior executives at the time sparked allegations of insider trading. Victims of the Equifax data breach were able to access free credit monitoring to compensate for the attack. 

Unfortunately, cyberattacks and crime have increased every year since 2008. There are ample examples in recent history of well-known companies that have been breached and suffered significant losses, including the following instances:

Adobe: Lost tens of millions of user records including user IDs and passwords. Was forced to pay out over $1,000,000 to consumers.

Equifax: The 2017 Equifax breach may be one of the most well-known in U.S. history. Over one hundred million records were lost.

Yahoo: Lost over 3 billion records in what is widely regarded as the largest data breach in history. At the time of the breach, Yahoo was being acquired by Verizon and lost over three hundred million of its selling price.

Sensitive Information Your Small Business Handles 

Cataloging IT assets and data is the first step toward proper protection. Start by creating a comprehensive and accurate list of all IT assets, software assets, and version details that your business uses. Every IT asset, along with its operating system and the data it holds, should be identified. There are several different types of data, but the following are some of the most common:

Personally Identifiable Information: This may consist of names, phone numbers, addresses, social security numbers or any other data that can be used to uniquely identify an individual. This personal data can be used in social engineering attacks and can often easily be found on social media accounts. This sensitive information can also be used to answer security questions or access password managers.

Personal Health Information: These are personal health records that can be tied back to the individual. If your organization handles PHI in a meaningful way, you are likely bound by the HIPAA Security Rule and should seek immediate guidance on compliance.

Financial Information: This data consists of the financial information of your employees or customers and should be guarded with strict security measures. Implementing advanced data protection around critical information assets containing PII, PHI for healthcare industries, and financial data like credit card numbers is absolutely critical. 

Once your inventory is complete, you should have a solid understanding of what your IT assets are, what software is running on them, and what sensitive data is being stored on them. The next step is implementing measures to prevent your sensitive data from being breached.
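The sketch below is an added example, not part of the original article: it shows how the "what sensitive data is stored on which asset" column of such an inventory can be filled in automatically for two of the data types listed above. The asset names, sample contents, and function names are constructed for illustration, and the patterns cover only US social security numbers and payment card numbers.

```python
import re
from collections import defaultdict

# Illustrative patterns for two of the data types above (not exhaustive).
# SSN: reject ranges that are never issued (000, 666, 9xx, group 00, serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Count findings per data category in one blob of text."""
    counts = defaultdict(int)
    counts["PII"] += len(SSN_RE.findall(text))
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            counts["Financial"] += 1
    return {category: n for category, n in counts.items() if n}

def build_inventory(assets: dict) -> dict:
    """Map each asset name to the sensitive data categories found on it."""
    return {name: classify(blob) for name, blob in assets.items()}

# Constructed sample data: hypothetical asset names, fake values.
SAMPLE_ASSETS = {
    "hr-laptop-01": "Jane Roe, SSN 123-45-6789\nJohn Doe, SSN 987-65-4321",
    "pos-terminal": "order 1001 card 4111 1111 1111 1111 total 25.00",
    "web-server": "GET /index.html 200 ref 1234567890123456",
}

if __name__ == "__main__":
    for asset, found in build_inventory(SAMPLE_ASSETS).items():
        print(asset, found or "no sensitive data detected")
```

The second SSN-shaped value and the 16-digit reference on the web server are deliberately invalid, which shows why range checks and the Luhn checksum matter for keeping false positives out of the inventory.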

How to Prevent Data Breaches 

There are many ways to help prevent data breaches:

Create clear cybersecurity policies, procedures, and plans for your small business.

From a security standpoint, every employee should be aware of what is expected of them. Take the time to draft high-quality, well-documented cybersecurity protocols and practices. You should also include a roadmap for emergency recovery, a vulnerability prevention plan, a business continuity plan, and policies for patching vulnerabilities. All employees should be aware of what is required of them in terms of cybersecurity, and failure to follow policy and protocols should result in disciplinary action. Here are some useful resources:

SANS Cybersecurity Policies Library

FCC Cyberplanner

Security Awareness Training 

Providing end-user cybersecurity training is important if you want to start a small business cybersecurity program. At the very least, users should be trained on risks such as phishing, DDoS, and watering hole attacks. They should also be educated on the various forms of data they may encounter on a daily basis (such as PHI and PII), as well as the regulatory enforcement standards they must adhere to. Training has consistently proven to be one of the most cost-effective aspects of small business cybersecurity systems. End-user training should also include what to do if a user finds that ransomware has been installed.

Enable 2FA

Two-factor authentication is commonly abbreviated as 2FA. To ensure that the person signing into your account is you, two-factor authentication requires both a password and a second factor (unique identifier). It’s one of the easiest and most powerful ways to lower the chances of being involved in a cybersecurity event. 2FA usually operates by sending a special code or SMS message to your phone that is valid for 30 seconds. It’s simple to enable two-factor authentication for most services, and it adds an effective extra layer of protection for free.

Keep Software Updated

Every year, cyberattacks occur precisely because businesses refuse to update critical software. Microsoft has a monthly “Patch Tuesday” on which it announces a complete list of patches for newly found bugs and exploits. In fact, Microsoft had already released a patch for the exploit a few weeks before the WannaCry ransomware hit in 2017. The issue was that a large number of machines had not been updated in a long time and were still vulnerable. Daily updates are a simple and cost-effective way to minimize risk and ensure that your IT assets are performing at their best.

Engage a Managed Security Services Provider

Managed Security Services can help take the pain and difficulty out of managing a competent and effective cybersecurity program. An MSSP can help evaluate what compliance requirements you need to meet, identify what your biggest security needs are, and design a custom program that cost-effectively meets your company’s individual needs.