Data breaches are a common threat to businesses of all kinds and sizes. Stolen information or data corruption can cause irreparable harm and become a financial burden. The cost of a data breach in 2020 averaged $3.86 million, and it took around 280 days on average to identify and contain a breach.
No matter what size of business you have, you need to protect your information and prevent data breaches before they happen. You should have strategies in place to help in case of a crisis. Here are some proven strategies that you can use to keep your data safe.
Types of business data breaches
These are a few of the most common types of business data breaches:
- Malicious attacks can happen due to glitches or gaps in the cloud, vulnerabilities in third-party software, and weak passwords. These attacks typically involve stolen or leaked information that hackers then sell on the black market.
- Destructive and ransomware attacks involve someone destroying records or holding them for ransom. The average cost of a destructive malware breach is $4.52 million, and the average ransomware breach costs $4.44 million.
- Nation-state attacks are less common, but they can be the most costly. These attacks happen when hackers work with a government to commit crimes against the U.S. and/or any of its allies.
Tip: The best way to know if your business is vulnerable to any of these attacks is to conduct a cybersecurity risk assessment.
How to prevent data breaches
1. Evaluate your security procedures.
The first step is looking at your current security protocols. Layering your security capabilities is the best approach because hackers will have to infiltrate multiple safeguards before accessing any sensitive data. Tools such as firewalls, encryption, secure file-sharing software and top antivirus software protect sensitive data from falling into the wrong hands.
If your cloud-based data storage service offers security tools, you should still configure your own safety measures. Limit cloud access to employees and use an extra layer of protection, such as multifactor authentication or single sign-on.
Frequently back up data so if a violation occurs, your system restores quickly and easily with the most current data. Also, conduct screening and background checks on new hires and mandate security training. Make sure all virus-scanning software stays current, and delete any suspicious files at once.
2. Protect your cloud and data.
To develop a more comprehensive cloud security strategy, consider using a cloud access security broker, or CASB. These software platforms offer continuous visibility, data security, monitoring and governance for all cloud-based file storage. The CASB data protection feature uses machine learning and user behavior to discover unauthorized users and events. The organization can then use the CASB to respond in real time, preventing hackers from gaining access to sensitive information. Even when you are not watching the system, the software will block any unauthorized access attempts to reach your data.
Visibility is another crucial element of cloud security. CASBs alleviate visibility issues by auditing a company’s cloud services and sanctioning useful products while blocking risky ones. CASBs also provide data security capabilities such as encryption and tokenization.
Improper configuration and weak security procedures are a growing cause of cloud data breaches. These types of leaks are often overlooked because they usually occur because of insiders and because companies assume the cloud service providers (CSPs) will protect their data. In fact, based on the shared responsibility model, the user is responsible for the security in the cloud, not the CSPs.
Prevent this by enforcing strict password policies and user access controls. Make sure your cloud data storage is private and only available to required users. A CASB can also help with this by monitoring and configuring your cloud services to maximize security. This can be applied to large cloud platforms such as AWS, Salesforce and Office 365.
FYI: Electronic information not stored in the cloud is still at risk. An internal breach of security is the most dangerous type of breach and the hardest to spot.
The more layers of security you can add, the more protected your data will be. As with cloud technology, limit employee access with unique codes and biometrics. Only essential employees should have access to sensitive company data.
3. Train your employees to follow security procedures.
Your data security depends on employees understanding your policies and procedures. Clearly define password requirements, user access rules and any other security measures. Give examples of different scenarios people use to gain information. Alert employees about telephone callers requesting personal or business information.
Although many people can spot email scams when they read them, teach employees to recognize less obvious ones, like phishing, where emails appear to have come from official companies but instead contain malware. View any request for sensitive information as suspicious and warn employees not to click on email attachments or links. In other words, if you did not ask for the document, don’t open it. Hackers and thieves are inventive, so alert your staff of any new schemes you hear about.
One of the most common uses for information obtained through data breaches is identity theft. You must protect yourself, your employees and your customers from becoming victims. Medical clinics are at incredibly high risk because of the confidential information stored on patients. Plus, you need protection from liability if that information gets out. Make sure all employees, and anyone else with permission to access your data, know the security procedures and follow them closely. Failure to enforce these rules leads to costly mistakes.
Data breaches take many forms, and hard copy files are susceptible to theft too. Institute a clean-desk policy so that no one leaves files visible at the end of the day. Make sure all employees know retention guidelines and shredding procedures. Don’t allow documents to stack up while waiting for shredding. If you cannot destroy documents quickly, hire a service to come at scheduled times to shred your unneeded files.
4. Respond when a mistake happens.
Despite your best prevention techniques, your company may still experience a data breach. Learn from data security mistakes by examining what happened. Ask yourself how the company can better protect its information and, if necessary, win back customer trust. If a breach occurs, act within the first 24 hours. Designate a team of key leaders and assign roles and responsibilities. A quick response helps employees and clients regain a sense of security.
Keep up to date on laws and regulations about the proper disposal techniques for sensitive files and data. Although technology allows more convenience in our lives, dangers grow alongside it. Connecting more devices like smartphones, tablets and even smartwatches gives hackers additional ways to break in and obtain personal and proprietary data.
Keeping your company information secure, and preventing media scrutiny, involves more than one step. The days when a username and password offered enough protection are over. Make sure your company uses the latest in software technology to safeguard digital data, and don’t forget to secure paper documents as well. Data security resources are a necessary part of today’s business world.
What to do if your company’s data has been breached
Identify the source and extent of the breach.
First, assess what type of breach it was and what data was compromised. Businesses should have intrusion detection or prevention systems to track these things. However, it will be difficult to identify the breach and its cause without these systems or software.
Tip: Discuss the breach with IT and see what can be done to take action and restore or recover the data.
Take security to the next level.
Work to fix the issue or vulnerabilities in your security systems. If there was a breach due to employee errors, such as clicking on an email link that implanted a virus or using a weak password, train your employees to recognize phishing emails and other scams, and encourage them to use stronger passwords.
Talk with legal authorities.
Each state has different requirements for reporting data breaches. Contact legal authorities to discuss the breach, the time frame in which you need to inform the affected parties, and what exactly needs to be reported.
Notify those who were affected and neutralize the breach.
Customers must be notified so they can take action to change passwords, cancel credit cards, and otherwise protect themselves. Be honest and provide context about the situation. By acting quickly, you minimize damage and loss of trust in your business.
Bottom line: Your business will need to rebuild trust with customers after a breach, but they’re more likely to trust you if you are honest in your communication.
Examples of high-profile business data breaches
In August 2013, hackers accessed 3 billion Yahoo accounts. While they did not access any financial information from users, they did access security questions and answers for all of those accounts. At the time of the breach, Yahoo was being acquired by Verizon and there were gaps in its security.
There was a massive breach of 700 million LinkedIn users’ information in June of 2021. A hacker named “God User” got a host of information, including email addresses, phone numbers, locations and genders. The hacker claimed they were going to sell the information they acquired.
In April 2019, about 530 million Facebook users were affected by a cyberattack. Users’ names, phone numbers and Facebook IDs were exposed to the public. In 2021, the data was posted for free, indicating a criminal intent behind the breach.
In August 2021, T-Mobile announced that about 7.8 million current customer accounts were compromised. The compromised data included customer names, birthdates, Social Security numbers and driver’s license numbers. The company also reported that about 40 million former customers’ information was compromised. While it noted that no financial information was stolen, tons of data were still exposed.
Megan Totka contributed to the writing and research in this article.