How to Prevent a Data Breach

“I just didn’t think that it would happen to us,” is a fairly common reaction to a data breach. But it did happen. Just as it happens to other businesses like yours, day in, day out. We’ve started 2023 with a data breach involving one of the UK’s largest sportswear brands, so reviewing data security is very much on the agenda for many companies.

It turns out that data breaches are shockingly common, and can result from very basic failings in cyber security. According to IBM’s latest Cost of a Data Breach Report, two out of five UK businesses—that’s 40%—identified a cyber attack in the last twelve months. And if 40% identified a data breach, how many more also experienced one, but haven’t realised?

It might be imagined that data breaches result from meticulously planned cyber attacks. After all, movies typically portray cyber attacks as a complex and highly skilled activity.

But in fact, suffering a data breach can be shockingly easy. And, just as businesses say: “I didn’t believe that it could happen to us,” just as many tend to say, after the event: “I didn’t believe that we could be so stupid.”

So how do you prevent a data breach?

Granted, some data breaches are the result of technically sophisticated attacks targeting specific businesses.

The so-called Stuxnet attack took down Iran’s nuclear enrichment centrifuges, back in 2012. The attack involved an employee using a USB device that unknowingly contained a malicious computer worm. The virus spread from the device throughout the facilities’ systems, causing irreparable damage to technical and physical infrastructure. It sounds like a storyline straight out of a James Bond film.

But in truth, many breaches are the result of things such as poor employee training, out-of-date software, unsecured hardware, insider threats, poorly-configured devices, and what’s known as ‘social engineering’.

As odd as it might sound, this actually turns out to be good news for many businesses. Because normal businesses like yours are unlikely to be targeted by technically sophisticated attacks. This in turn means that just getting the basics right goes a long way to keeping your data secure.

What does ‘getting the basics right’ entail?

By basics, we mean the sort of thing listed above—user training, using up-to-date software, securing unsecured hardware, configuring software properly, and so on.

Consider, for example, the vulnerabilities posed by stolen or lost hardware—an employee laptop, for instance, perhaps snatched from the back seat of a car, or accidentally left on a train. To what business systems does it provide automatic access? What passwords and logins are stored on it? Are such devices automatically and routinely deactivated within hours of being reported lost or stolen?

Now, it might be imagined that no passwords are stored on such a device. Your business’s IT security policies expressly prohibit this, you might think. To which, we would simply observe: don’t be so sure about that—and in any case, to criminals, the lack of a password isn’t a barrier.

How so? Because in skilled hands, a login is all that’s required: passwords can be obtained.

Logon exploits

On its own, a stolen business laptop or piece of BYOD hardware has obvious value. Typically, such devices are of higher specification than consumer-grade equipment. But crucially, they can contain sensitive information that is valuable to cybercriminals.

Sometimes, this information is sold ‘as is’ on the so-called Dark Web, where other criminals buy it, generally using cryptocurrency. At Aspire Technology Solutions, one of the IT security services that we provide is Dark Web Monitoring. This involves routinely scanning the Dark Web to check if any login credentials have been leaked. This is a practice we would highly recommend to every business.

But logons are most useful when accompanied by other information—the sort of information typically contained in a laptop bag, briefcase, or similar. The organisation to which the laptop belongs, for instance. The individual user’s name, title, and department. And—vitally—odd personal nuggets of corporate information that can be leveraged to support a ‘social engineering’ attack, particularly when supplemented by some basic research such as the name of the finance director or the chief executive.

In skilled hands, it doesn’t take long for a plausible ‘user’, supposedly working remotely—perhaps on a supposed ‘rush project’ for top management—to acquire a new login and password.

Experts on your side

There’s more—much more. Our recent articles address many basic IT security weaknesses and vulnerabilities that hackers routinely exploit, leading to data breaches.

In each case, you might think, elementary precautions should suffice: much of it, after all, is common sense. Except that in practice, common sense precautions often fail.

Laptops are stolen. Unsecured devices—Android tablets and Chromebooks, for instance—do access corporate networks. Passwords aren’t routinely changed, irrespective of what it says in the IT security policy. Users do make mistakes. Old unwanted laptops and other devices are just thrown in a skip, rather than being securely wiped. Passwords are guessable. Phishing attacks do succeed. And so on, and so on.

What’s the answer? Some businesses know one answer, from first-hand experience. They invest considerable internal resources in monitoring the Dark Web, continually monitoring their internal networks for signs of compromise. They develop and maintain detailed cyber incident response plans. They practise safe hardware disposal. They continually educate employees and conduct cyber security teaming exercises to test their systems for weaknesses.

As we say, this is one answer – although not a particularly easy one.

Other businesses achieve the same thing, but a little more easily—and also cost-effectively. They leave IT security to a team of always-available experts, and come and talk to us. Our UK-based Security Operations Centre operates 24/7/365, and monitors and manages IT security for businesses just like yours. With a highly skilled staff, leading-edge software tools, 24/7 vigilance, and proven IT security methodologies and toolsets, we are single-mindedly focused on keeping your business secure from data breaches.

Remember: when it comes to IT security, a hacker has to get lucky just once—but your business has to stay lucky all the time. Stack the odds in your favour: get the experts at Aspire Technology Solutions on your side.

Written by: Shaun Richardson