“I just didn’t think that it would happen to us,” is a fairly common reaction to a data breach. But it did happen. Just as it happens to other businesses like yours, day in, day out. We’ve started 2023 with a data breach involving one of the UK’s largest sportswear brands, so reviewing data security is very much on the agenda for many companies.
It turns out that data breaches are shockingly common, and can result from very basic failings in cyber security. According to IBM’s latest Cost of a Data Breach Report, two out of five UK businesses—that’s 40%—identified a cyber attack in the last twelve months. And if 40% identified a data breach, how many more also experienced one, but haven’t realised?
It might be imagined that data breaches result from meticulously planned cyber attacks. After all, movies typically portray cyber attacks as a complex and highly skilled activity.
But in fact, suffering a data breach can be shockingly easy. And just as businesses say beforehand, “I didn’t believe that it could happen to us,” many of the same businesses say, after the event, “I didn’t believe that we could be so stupid.”
So how do you prevent a data breach?
Granted, some data breaches are the result of technically sophisticated attacks targeting specific businesses.
The so-called Stuxnet attack took down Iran’s nuclear enrichment centrifuges, back in 2012. The attack involved an employee using a USB device that unknowingly contained a malicious computer worm. The worm spread from the device throughout the facility’s systems, causing irreparable damage to technical and physical infrastructure. It sounds like a storyline straight out of a James Bond film.
But in truth, many breaches are the result of things such as poor employee training, out-of-date software, unsecured hardware, insider threats, poorly-configured devices, and what’s known as ‘social engineering’.
As odd as it might sound, this actually turns out to be good news for many businesses, because normal businesses like yours are unlikely to be targeted by technically sophisticated attacks. This in turn means that just getting the basics right goes a long way to keeping your data secure.
What does ‘getting the basics right’ entail?
By basics, we mean the sort of thing listed above—user training, using up-to-date software, securing unsecured hardware, configuring software properly, and so on.
Consider, for example, the vulnerabilities posed by stolen or lost hardware—an employee laptop, for instance, perhaps snatched from the back seat of a car, or accidentally left on a train. To what business systems does it provide automatic access? What passwords and logins are stored on it? Are such devices automatically and routinely deactivated within hours of being reported lost or stolen?
Now, it might be imagined that no passwords are stored on such a device. Your business’s IT security policies expressly prohibit this, you might think. To which, we would simply observe: don’t be so sure about that—and in any case, to criminals, the lack of a password isn’t a barrier.
How so? Because in skilled hands, a login is all that’s required: passwords can be obtained.