Stolen information or data corruption can hurt your business by ruining your reputation and harming you financially. Here's how to protect yourself.
Data breaches are a common threat to businesses of all kinds and sizes. Stolen information or data corruption can cause irreparable harm and become a financial burden. IBM found that the average cost of a data breach in 2024 was a record-breaking $4.88 million, with average costs reaching a high of $9.8 billion in the health care sector.
No matter the size of your business, you need to protect your information by preventing data breaches. Here’s what you need to know about business data breaches, including proven strategies for keeping your data and sensitive customer information safe.
Protecting your business data requires ongoing vigilance and strong security protocols. “Security is not an activity that can be completed and then forgotten — it is a process that has to be incorporated into your business’s routine,” said Marcelo Barros, global markets leader at Hacker Rangers. “The concept of security should be made part of the day’s work.”
Here are some of the top strategies to reduce the chances of a business data breach.
The first step is to look at your current security protocols and ensure they’re up to date. Layering your security capabilities is the best approach; hackers will have to infiltrate multiple safeguards before accessing any sensitive data. “[You] should regularly update operating software, applications and security software [such as] firewalls [and] antivirus … to ensure they are running with the latest security patches that fix critical security vulnerabilities,” said David Ruchman, CEO of Powersolution.com.
If your cloud-based data-storage service offers security tools, you should still configure your own safety measures. Limit cloud access to the employees who need it and add an extra layer of protection, such as multi-factor authentication (MFA) or single sign-on.
Ruchman advised backing up data frequently and securely — both locally and in the cloud. This way, if a breach occurs, your systems can be restored quickly and easily from the most current data. Also, mandate security training and conduct screening and background checks on new hires. Make sure all virus-scanning software stays current and delete any suspicious files right away.
Barros recommended setting up automatic updates or creating a schedule to check and install updates on your operating systems, applications and firmware. If your business has multiple devices, a patch management tool can help automate this process.
To develop a more comprehensive cloud security strategy, consider using a cloud access security broker (CASB). These software platforms offer continuous visibility, data security, monitoring and governance for all cloud-based file storage. The CASB data protection feature applies machine learning to user behavior to detect unauthorized users and anomalous events. The organization can then use the CASB to respond in real time, preventing hackers from gaining access to sensitive information. Even when you are not watching the system, the software will block unauthorized attempts to reach your data.
Improper configuration and weak security procedures are a growing cause of cloud data breaches. These types of leaks are often overlooked; they usually occur because of insiders and companies’ assumptions that the cloud service providers will protect their data. In fact, under the shared responsibility model, the customer, not the cloud provider, is responsible for securing the data and configurations it places in the cloud.
Prevent these issues by enforcing strict password policies and user access controls. Make sure your cloud data storage is private and available only to the users who need it. A CASB can also help with this by monitoring and configuring your cloud services to maximize security. This can be applied to large cloud platforms such as Amazon Web Services, Salesforce and Office 365.
The more layers of security you can add, the more protected your data will be. As with cloud technology, limit employee access with unique codes and biometrics. Only essential employees should have access to sensitive company data.
According to Verizon’s 2024 Data Breach Investigations Report, 68 percent of breaches involved a nonmalicious human element. This means that employee knowledge is a key element of your organization’s digital health. “Most data breaches result from human errors like phishing and weak passwords,” said Barros. “Enhancing employees’ awareness of threats and security measures helps to minimize risks to a greater extent.”
It is essential that employees understand your policies and procedures. Clearly define password requirements, user access rules and any other security measures. Give examples of the pretexts attackers use to extract information. Alert employees about telephone callers requesting personal or business information.
Although many people can spot email scams, teach employees to recognize less-obvious ones. Such sneak attacks can include phishing, in which emails appear to come from legitimate companies but carry malicious attachments or links. Treat any request for sensitive information as suspicious and warn employees not to click email attachments or links. In other words: If you did not ask for the document, don’t open it. Hackers and thieves are inventive, so alert your staff to any new schemes you hear about.
You and your team should also stay up to date on laws and regulations regarding the proper disposal techniques for sensitive files and data. Although technology allows more convenience, it also introduces dangers. Connecting more devices — like smartphones, tablets and even smartwatches — gives hackers additional ways to break in and obtain personal and proprietary data.
Every business should implement basic cybersecurity measures like firewalls and user authentication at minimum. However, as Ruchman pointed out, these protections can only go so far against more complex threats. “Especially over the last few years, cybercriminals have been using increasingly sophisticated hacking techniques, including the use of artificial intelligence (AI),” said Ruchman. “Small business cybersecurity protections must include advanced techniques, such as the use of AI and continuous automated and human threat monitoring, detection and response.”
These more sophisticated, multi-layered measures use cutting-edge technology to predict, prevent and respond to new threats. One example is MFA, which requires users to verify their identity with a second item — such as a phone code or biometric factors — in addition to a password. “Even if criminals gain access to the password, using the system without the second factor is impossible,” Barros explained. “Enable MFA for all critical accounts, including email, cloud services and financial platforms.”
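The point Barros makes can be shown in code. The example below is added here and is not from the article or from any vendor it mentions: a minimal login check that requires both a password and a time-based one-time code (TOTP, RFC 6238), the “phone code” second factor described above. The user record, salt and TOTP secret are constructed for illustration; the secret is the RFC 6238 test key so the codes can be checked against the published vectors.

```python
"""Password + TOTP second factor: a stolen password alone does not log in."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30        # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6       # code length shown by a typical authenticator app

# Constructed demo user: PBKDF2 password hash plus a base32 TOTP secret.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
_SALT = b"demo-salt"
_USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}

def totp(secret_b32: str, at_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)

def verify_password(user: str, password: str) -> bool:
    rec = _USERS.get(user)
    if rec is None:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(cand, rec["pw_hash"])  # constant-time compare

def verify_totp(user: str, code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    rec = _USERS.get(user)
    if rec is None:
        return False
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(rec["totp_secret"], now + d * STEP), code)
        for d in range(-window, window + 1)
    )

def login(user: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass; knowing the password alone is not enough."""
    return verify_password(user, password) and verify_totp(user, code, now)
```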
While these and other cutting-edge measures were previously only accessible to larger enterprises, small businesses can now benefit from advanced cybersecurity protocols. “In recent years, [these technologies] have become affordable and designed for small businesses, making them compelling for small business owners who want to mitigate cybersecurity risks,” added Ruchman.
These are a few of the most common types of business data breaches:
Despite your best prevention techniques, your company may still experience a data breach. If this happens, act as soon as possible — ideally, within 24 hours. This practice will avoid further damage and help both employees and clients regain a sense of security. If you don’t already have one, designate a team of key leaders. Also, assign roles and responsibilities to streamline the response.
Here’s how to handle a data breach that’s affected your business.
First, assess what type of breach it was and what data was compromised. Businesses should have intrusion detection or prevention systems to track these things. However, it will be difficult to identify the breach and its cause without these systems or software.
Work to fix the issue or vulnerabilities in your security systems. Was the breach the result of employee errors (e.g., clicking an email virus link or using a weak password)? Then train your employees to recognize phishing emails and other scams. Also, encourage them to use stronger passwords.
Each state has different requirements for reporting data breaches. Contact legal authorities to discuss the breach. Learn the time frame in which you need to inform the affected parties and exactly what needs to be reported.
Customers must be notified so they can take action to change passwords, cancel credit cards and otherwise protect themselves. Be honest and provide context about the situation. By acting quickly, you minimize damage and loss of trust in your business.
While businesses of all sizes can experience a data breach and its negative impacts, small businesses are at an incredibly high risk. According to the Identity Theft Resource Center’s 2024 Consumer & Business Impact Report, over 80 percent of surveyed small businesses fell victim to a cyberattack and/or data breach in the past year.
Several factors put small businesses at higher risk of cybersecurity incidents than their larger counterparts, including:
Here are some noteworthy data breaches that have affected large corporations. They emphasize the importance for businesses big and small to protect data using the right security measures.
In August 2013, hackers accessed 3 billion Yahoo accounts. While they did not access any financial information, they did obtain security questions and answers for all of those accounts. At the time of the breach, Yahoo was being acquired by Verizon, and there were gaps in its security.
There was a massive breach of 700 million LinkedIn users’ information in June 2021. A hacker named “God User” got hold of a host of information, including email addresses, phone numbers, locations and genders. The hacker claimed they were going to sell the information they acquired.
In April 2019, about 530 million Facebook users were affected by a cyberattack. Users’ names, phone numbers and Facebook IDs were exposed to the public. In 2021, the data was posted for free, indicating a criminal intent behind the breach.
T-Mobile reported a breach that ran between November 2022 and January 2023 and affected 37 million accounts. It revealed that a threat actor had accessed limited customer data (e.g., names, addresses and phone numbers) through an exploited API — without compromising sensitive information. T-Mobile notified federal agencies and worked with law enforcement on an investigation.
Then, T-Mobile disclosed a second 2023 data breach impacting 836 customers. Unlike the other data breach, this one exposed extensive personal data and thus created identity theft risks. The breach, identified between late February and March 2023, revealed details such as names, contact information, Social Security numbers and account PINs. This breach prompted T-Mobile to reset PINs and offer two years of identity protection services.
OpenAI confirmed ChatGPT’s first breach, which exposed ChatGPT Plus subscribers’ information and conversations to other users. The breach occurred in March 2023, when about 1.2 percent of active ChatGPT Plus users had their details exposed. It resulted from a bug in open-source code used by ChatGPT that caused one user’s data to be returned to another when requests were canceled within a specific time window.
Danielle Fallon-O’Leary and Megan Totka contributed to this article.