Data breach instances make the headlines regularly at the moment, and for good reason: they’ve become endemic. From large energy supply companies being held to ransom, to hotel chains having customer data stolen, to healthcare breaches of patient data, data governance and data security are top-of-mind for every organization.
Just recently, hackers walked into the front door of a Marriott hotel and stole 20 gigabytes of data, including credit card details. They coerced an employee into handing over the “keys” to a terminal in the lobby.
This isn’t the first time it’s happened to Marriott either. In 2014, they had over 340 million customer records stolen. This breach wasn’t even discovered until 2018. Data breaches are commonplace and are rarely a temporary inconvenience. Government organizations, businesses and even individuals are subjected to data breaches all the time.
With data security, the smallest vulnerability can open up your defenses and allow hackers to slip through, even for a brief period, and steal your most valuable asset: your data.
Most people are simply unaware of the dangers. In some cases there's an awareness, but also a general “I’m sure it’s being taken care of” attitude among the organization's stakeholders.
How To Define A Data Breach?
A data breach is ostensibly any unauthorized person gaining access to confidential, protected, or sensitive information. The files can be viewed, stolen, or possibly even shared with others. Everyone from corporations to government entities is targeted because they have the most valuable data.
The Marriott story is the perfect example of one slight lapse in security, allowing access to valuable information. One employee letting their guard down can allow bad actors to infiltrate an entire organization.
Most breaches result from poor:
- User behavior
As businesses and the human experience become more connected across multiple instances, the opportunity for breaching those instances compounds exponentially.
Technology has moved fast to bridge these gaps, but human error is still an enormous factor. It takes one person to expose an entire organization. To understand the risk, we must first understand how breaches take place.
The obvious assumption is that hackers are trying to gain access to the system through the weakest point of entry, therefore gaining access to more important parts of the system. It’s true that a large amount of data breach incidents result from bad actors attempting to extort the victim, but they can just as easily occur through oversight and flawed infrastructure.
Thieves are, mostly, opportunistic by nature.
Data breach incidents that make the news headlines are usually high profile and have sinister intent, but as we shall see from the list below, this isn’t always the reason for a data breach.
We get it, salacious headlines get clicks, but here’s a more sober view of this issue.
Here’s how a data breach may actually happen:
An Unauthorized Insider
If an employee accesses files meant for another employee without the correct clearance or permissions, this is still technically a data breach. Yes, access is unintentional (hopefully), no information is shared (hopefully), but an unauthorized person viewed it. This is usually the first point when an organization recognizes the need for stronger data governance policies.
An Unauthorized Outsider
This is usually a person with pre-existing permissions who gains entry to valuable data for nefarious reasons. They most likely intend to cause harm to an individual or an organization. In short, they may have had legitimate access, but they now use that access for the wrong reasons.
Stolen Or Lost Devices
It appears not a week goes by that a politician doesn’t leave a laptop on a train or some sort of document in a Starbucks bathroom. To make matters worse, they’re usually left unencrypted (because the user can’t remember passwords) and can sometimes contain mission-critical data or data that’s important to national security.
Sophisticated Hackers With Criminal Intent
These are individuals or groups of highly skilled hackers who use multiple attack vectors to penetrate a system at its weakest point. They usually want to extort money, but political reasons are also sometimes given for the data breach.
Now that we have established why data breach instances can occur, let’s look at how.
Phishing Or Socially Engineered Attacks
These attacks hoodwink individuals into causing a data breach. Sophisticated phishing networks can send emails or texts from what appear to be legitimate sources, but they will attempt to coax access out of you. Or they’ll blatantly ask for the information up front.
To the untrained eye, these communications look legitimate and from people you trust. In fact, the phishing hack works by figuring out who you speak to most in your organization. The hope is that you’ll think nothing of handing over key elements of your network access to someone you already trust.
Brute Force Attacks
Hackers use advanced software to “guess” your password many thousands of times per minute. The system simply keeps hammering away at the password access, using AI to guess your password over and over. They will use social media accounts and personal data they can find online to guess names, pet names, birthdays, anything that might hint toward a password.
The most common attack approach is malware. Software that can go undetected is loaded onto your device, sometimes without you even clicking anything. This spyware then constantly uploads data like location, keystrokes, contact information, anything and everything you do on your device. Hackers will then dig into the data to find passwords (repeated keystrokes usually hint at a password you’re using), or location patterns (what time do you leave the house, or return). This information can then be used to gain access to your network at any moment.
Even though some data breach incidents are purely by mistake, this doesn’t mean actual damage can’t be done. If Personally Identifiable Information (PII) is leaked, it’s impossible to put the genie back in the bottle.
For targets who might have advanced levels of protections, the criminal elements will follow a basic pattern when targeting a potential victim. They perform in-depth research to learn detailed aspects of a person’s routine.
Do they update their devices' software regularly?
Software updates carry security updates and patches to thwart criminals.
Are they susceptible to phishing techniques?
Having learned the target's weak points, they can develop a campaign to coax insiders into downloading software or, sometimes, just opening a text message. Now they have access, and they have time to snoop around and find what’s valuable to them.
To make things worse, a well-planned data breach can take months to discover.
Weak credentials are the most common reason for a breach. A simple username or guessable password is all that’s needed to gain access to a network. According to a recent study, 80% of all data breach incidents were because of weak credentials, and 65% of people use the same password across multiple sites. One successful breach by a hacker means they have a 65% chance of guessing your other logins, including work-based logins.
This has increased with work from home and hybrid working where the lines between work and home life are blurred. When employees are allowed to bring their own devices to work and take that device home, the security risk increases exponentially.
What kind of damage can a data breach do?
In most cases, they are truly devastating. Far beyond fixing access issues or employee/stakeholder awareness training, an entire rethink of the system is in order.
For a business organization, the stain of a data breach is hard to wash off. Customers will always associate that organization with lackluster security.
A government organization has it even worse: the erosion of public trust in government institutions is a matter of national security. When a governmental department is found to have breached the confidence of the public, it can quickly find itself without public support. This makes their job that much harder.
Political decision making, details of national infrastructure, military operations at home and abroad, policing policy, emergency preparation policy: these are all valuable targets.
How To Prevent A Data Breach
- Limit access to your most valuable data. This can be difficult in an organization that requires many people to have access to sensitive data, but it’s a must. This is where having a solid data governance policy in place helps.
- Ensure third-party vendors comply with data governance procedures. Stakeholders must guarantee that third-party vendors aren’t allowing access to your system to unauthorized personnel.
- Train employees in security awareness and repeat the training regularly.
- Create and maintain a rigid data governance policy and implement it with the support of NOW Privacy.
Bifurcating your organizational stance on data governance is not only time consuming, it opens up the organization to attack. By elucidating the end goal of complete control over your data to all stakeholders, you ensure would-be attackers have a hard time gaining access.
Criminals are lazy. If you show a united front and make it hard for them, they’ll most likely move on. You can take control of your data leakage issues. You can become the data security bellwether your organization needs.