Updated Dec 08, 2023

How to Protect Your Business From a Data Breach

Sean Peek, Senior Analyst & Expert on Business Ownership


Data breaches are a common threat to businesses of all kinds and sizes. Stolen information or data corruption can cause irreparable harm and become a financial burden. IBM found that the cost of a data breach in 2023 was a record-breaking $4.45 million, and it took around 277 days, on average, to identify and contain a breach.

No matter the size of your business, you need to protect your information by preventing data breaches. Here are some proven strategies for keeping your data and sensitive customer information safe.

How to protect your business from a data breach

Here are four steps you can take to protect your business’s data. 

1. Evaluate your security procedures.

The first step is to look at your current security protocols. Layering your security capabilities is the best approach because hackers will have to infiltrate multiple safeguards before accessing any sensitive data. Tools such as firewalls, encryption, secure file-sharing software and antivirus software protect sensitive data from falling into the wrong hands.

If your cloud-based data-storage service offers security tools, you should still configure your own safety measures. Limit cloud access to employees, and use an extra layer of protection, such as multifactor authentication or single sign-on. [Learn more about cyber insurance.]

Back up data frequently so that if a breach occurs, your systems can be restored quickly and easily with the most current data. Also, conduct screening and background checks on new hires, and mandate security training. Make sure all virus-scanning software stays current, and delete any suspicious files right away.

2. Protect your cloud and data.

To develop a more comprehensive cloud security strategy, consider using a cloud access security broker (CASB). These software platforms offer continuous visibility, data security, monitoring and governance for all cloud-based file storage. The CASB data protection feature uses machine learning and user behavior to discover unauthorized users and events. The organization can then use the CASB to respond in real time, thus preventing hackers from gaining access to sensitive information. Even when you are not watching the system, the software will block any unauthorized attempts to reach your data.

Visibility is another crucial element of cloud security. CASBs alleviate visibility issues by auditing a company’s cloud services and sanctioning useful products while blocking risky ones. CASBs also provide data security capabilities, such as encryption and tokenization.

Improper configuration and weak security procedures are a growing cause of cloud data breaches. These types of leaks are often overlooked, since they usually stem from insiders and from companies’ assumption that the cloud service provider will protect their data. In fact, under the shared responsibility model, the customer, not the cloud provider, is responsible for securing the data, configurations and access controls it places in the cloud.

Prevent these issues by enforcing strict password policies and user access controls. Make sure your cloud data storage is private and available only to the users who need it. A CASB can also help with this by monitoring and configuring your cloud services to maximize security. This can be applied to large cloud platforms such as Amazon Web Services, Salesforce and Office 365. [Read about cybersecurity and risk management.]
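The misconfiguration the article warns about most often takes the form of a storage bucket policy that grants access to anonymous principals. The following is an added example, not code from the article or from any cloud provider: it audits a policy document written in AWS S3/IAM policy syntax and flags Allow statements whose Principal is anonymous. The two policies, the account ID, the role name and the VPC endpoint ID are all constructed for illustration; `aws:SourceVpce` is a real IAM condition key.

```python
import json
from typing import Any

# Constructed sample (not from any real account): the first statement is the
# classic misconfiguration, letting anyone on the internet read every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/finance-team"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Hardened form of the same policy: the public statement is gone and the team
# grant only works through the company's VPC endpoint (ID is a placeholder).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/finance-team"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})


def _as_list(value: Any) -> list:
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True if the Principal element matches every caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json: str) -> list:
    """Return one finding per Allow statement whose Principal is anonymous.

    An unconditioned anonymous grant is rated 'public'. A grant that carries a
    Condition is rated 'needs review' instead, because the condition may or
    may not narrow the audience (e.g. to a source VPC or IP range).
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "severity": "needs review" if stmt.get("Condition") else "public",
        })
    return findings


def is_private(policy_json: str) -> bool:
    """True when no statement grants unconditioned access to anonymous principals."""
    return all(f["severity"] != "public" for f in find_public_statements(policy_json))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        verdict = "private" if is_private(doc) else "PUBLIC"
        print(f"{name}: {verdict} {find_public_statements(doc)}")
```

Running the script over a policy pulled from your own storage account (for example the output of a `get-bucket-policy` call) gives a quick yes/no on whether the bucket is world-readable; the "needs review" bucket exists because a condition on `aws:SourceVpce` or a source IP range is fine, while a condition that merely checks a header is not.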

Did you know

Electronic information that’s not stored in the cloud is still at risk. An internal breach of security is the most dangerous type of breach and the hardest to spot.

The more layers of security you can add, the more protected your data will be. As with cloud technology, limit employee access with unique codes and biometrics. Only essential employees should have access to sensitive company data.

3. Train your employees to follow security procedures.

Your data security requires that employees understand your policies and procedures. Clearly define password requirements, user access rules and any other security measures. Give examples of the pretexts attackers use to extract information. Alert employees about telephone callers requesting personal or business information.

Although many people can spot email scams, teach employees to recognize less-obvious ones, like phishing, in which emails appear to come from legitimate companies but carry malicious attachments or links. View any request for sensitive information as suspicious, and warn employees not to click email attachments or links. In other words, if you did not ask for the document, don’t open it. Hackers and thieves are inventive, so alert your staff to any new schemes you hear about.

One of the most common uses for information obtained through data breaches is identity theft. You must protect yourself, your employees and your customers from becoming victims. Medical clinics are at incredibly high risk because of the confidential information they store about patients. Plus, you need protection from liability if that information gets out. Make sure all employees, and anyone else with permission to access your data, know the security procedures and follow them closely. Failure to enforce these rules leads to costly mistakes.

Data breaches take many forms, and hard-copy files are susceptible to theft, too. Institute a clean-desk policy so that no one leaves files visible at the end of the day. Make sure all employees know retention guidelines and shredding procedures. Don’t allow documents to stack up while waiting for shredding. If you cannot destroy documents quickly, hire a service to come at scheduled times to shred your unneeded files.

4. Respond when a mistake happens.

Despite your best prevention techniques, your company may still experience a data breach. Learn from data security mistakes by examining what happened. Ask yourself how the company can do a better job of protecting its information and, if necessary, win back customer trust. If a breach occurs, act within 24 hours. Designate a team of key leaders, and assign roles and responsibilities. A quick response helps employees and clients regain a sense of security.

Stay up to date on laws and regulations regarding the proper disposal techniques for sensitive files and data. Although technology allows more convenience, it also introduces dangers. Connecting more devices — like smartphones, tablets and even smartwatches — gives hackers additional ways to break in and obtain personal and proprietary data.

Keeping your company information secure, and preventing media scrutiny, involves more than one step. The days when a username and password offered enough protection are over. Make sure your company uses the latest software technology to safeguard digital data, and don’t forget to secure paper documents as well. Data security resources are a necessary part of today’s business world.

Tip

The best way to know if your business is vulnerable to cyberattacks is to conduct a cybersecurity risk assessment.

Types of business data breaches

These are a few of the most common types of business data breaches:

  • Malicious attacks can happen due to glitches or gaps in the cloud, vulnerabilities in third-party software and weak passwords. These attacks typically involve stolen or leaked information that hackers then sell on the black market.
  • Destructive and ransomware attacks involve someone destroying records or holding them for ransom. The average cost of a destructive malware breach is $4.82 million, and the average ransomware breach costs $4.54 million, according to IBM.
  • Nation-state attacks are less common, but they can be the most costly. These attacks happen when hackers work with a government to commit crimes against the U.S. and/or its allies. 


What to do if your company’s data has been breached

Here are a few tips for handling a data breach that’s affected your business.

Identify the source and extent of the breach.

First, assess what type of breach it was and what data was compromised. Businesses should have intrusion detection or prevention systems to track these things. However, it will be difficult to identify the breach and its cause without these systems or software.
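The two questions this step poses, what the source was and what data was touched, are answered from access logs. The following is an added example, not code from the article: it runs over a constructed audit log, first detecting an account that was used from an IP address outside the office network (the kind of signal an intrusion detection system raises), and then scoping that session to list which records were read and which were exported. The log lines, the account names, the IP addresses and the assumption that the office network is `10.0.0.0/16` are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed audit log (not from any real system). Fields: ISO-8601 timestamp,
# user, source IP, action, customer record touched. The evening activity from
# 198.51.100.7 is the scenario to investigate.
AUDIT_LOG = """\
2023-03-01T08:02:11Z jdoe 10.0.4.17 read cust-1001
2023-03-01T08:05:40Z asmith 10.0.4.22 read cust-1002
2023-03-01T22:41:03Z jdoe 198.51.100.7 read cust-1003
2023-03-01T22:41:09Z jdoe 198.51.100.7 read cust-1004
2023-03-01T22:41:15Z jdoe 198.51.100.7 export cust-1004
2023-03-01T22:42:50Z jdoe 198.51.100.7 read cust-1005
2023-03-02T09:10:00Z jdoe 10.0.4.17 read cust-1006
"""

# Assumption for this example: the office network is 10.0.0.0/16.
INTERNAL_PREFIX = "10.0."


def parse_log(text: str) -> list:
    """Parse the whitespace-separated log format above into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, action, record = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user, "ip": ip,
                       "action": action, "record": record})
    return sorted(events, key=lambda e: e["time"])


def detect_external_access(events: list) -> list:
    """Return (user, ip) pairs for access from outside the internal network.

    This is a deliberately simple detection rule: any access not originating
    from INTERNAL_PREFIX is reported once per (user, ip) pair, in first-seen order.
    """
    seen = []
    for e in events:
        pair = (e["user"], e["ip"])
        if not e["ip"].startswith(INTERNAL_PREFIX) and pair not in seen:
            seen.append(pair)
    return seen


def scope_breach(events: list, user: str, ip: str) -> dict:
    """Summarise the extent of one suspect session: window, records, actions."""
    suspect = [e for e in events if e["user"] == user and e["ip"] == ip]
    if not suspect:
        return {}
    return {
        "first_seen": suspect[0]["time"],
        "last_seen": suspect[-1]["time"],
        # Every record the session touched, in any way.
        "records_read": sorted({e["record"] for e in suspect}),
        # Records that left the system and therefore drive the notification duty.
        "records_exported": sorted({e["record"] for e in suspect if e["action"] == "export"}),
        "actions": dict(Counter(e["action"] for e in suspect)),
    }


if __name__ == "__main__":
    evts = parse_log(AUDIT_LOG)
    for user, ip in detect_external_access(evts):
        print(f"suspect session: {user} from {ip}")
        print(scope_breach(evts, user, ip))
```

The `records_exported` list is the one that matters for the notification step later on the page: a customer whose record was merely viewed and one whose record was bulk-exported are in different positions, and the regulator will ask for exactly that distinction.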

Tip

Discuss the breach with IT to see what can be done to restore or recover the data.

Take security to the next level.

Work to fix the issue or vulnerabilities in your security systems. If the breach was the result of employee errors, such as clicking an email link that implanted a virus or using a weak password, train your employees to recognize phishing emails and other scams, and encourage them to use stronger passwords.

Talk with legal authorities.

Each state has different requirements for reporting data breaches. Contact legal authorities to discuss the breach, the time frame in which you need to inform the affected parties, and exactly what needs to be reported.

Notify those who were affected, and neutralize the breach.

Customers must be notified so they can take action to change passwords, cancel credit cards and otherwise protect themselves. Be honest, and provide context about the situation. By acting quickly, you minimize damage and loss of trust in your business.

Bottom line

Your business will need to rebuild trust with customers after a breach, but they’re more likely to trust you if you are honest in your communication.

Examples of high-profile business data breaches 

Here are some noteworthy data breaches that have affected large corporations, emphasizing the importance for businesses big and small to protect data using the right security measures.  

Yahoo

In August 2013, hackers accessed 3 billion Yahoo accounts. While they did not access any financial information from users, they did obtain security questions and answers for all of those accounts. At the time of the breach, Yahoo was being acquired by Verizon, and there were gaps in its security.

LinkedIn

There was a massive breach of 700 million LinkedIn users’ information in June 2021. A hacker named “God User” got a host of information, including email addresses, phone numbers, locations and genders. The hacker claimed they were going to sell the information they acquired.

Facebook

In April 2019, about 530 million Facebook users were affected by a cyberattack. Users’ names, phone numbers and Facebook IDs were exposed to the public. In 2021, the data was posted for free, indicating a criminal intent behind the breach. [Read about the cost of cybersecurity and how to budget for it.]

T-Mobile 

Between November 2022 and January 2023, T-Mobile reported a breach affecting 37 million accounts, revealing that a threat actor had accessed limited customer data (e.g., names, addresses and phone numbers) through an exploited API — without compromising sensitive information. The breach prompted T-Mobile to notify federal agencies and work with law enforcement on an investigation.

Then, T-Mobile disclosed a second 2023 data breach impacting 836 customers. Unlike the other data breach, this one exposed extensive personal data and thus led to identity-theft risks. The breach, identified between late February and March 2023, revealed details such as names, contact information, Social Security numbers and account PINs, prompting T-Mobile to reset PINs and offer two years of identity protection services.

ChatGPT

OpenAI confirmed ChatGPT’s first breach, exposing ChatGPT Plus subscribers’ information and conversations with others. The breach occurred in March 2023, when about 1.2% of active ChatGPT Plus users had their details exposed. It resulted from a bug in ChatGPT’s open-source code, allowing user data mix-ups due to canceled requests in a specific time frame.

Megan Totka contributed to this article. 

Sean Peek, Senior Analyst & Expert on Business Ownership
Sean Peek has written more than 100 B2B-focused articles on various subjects including business technology, marketing and business finance. In addition to researching trends, reviewing products and writing articles that help small business owners, Sean runs a content marketing agency that creates high-quality editorial content for both B2B and B2C businesses.