These days, it seems that you can count on three things:
Death, taxes, and…data breaches.
Every day, there’s at least one headline in the news about hackers or the disingenuous among us stealing data from somewhere and/or someone that they weren’t supposed to.
In this post, we’ll explain why understanding how data breaches occur is important, explore various ways to mitigate security risks, and provide suggestions on tackling this pervasive issue.
How Data Breaches Occur, and What Happens Next
A data breach, defined by Trend Micro Antivirus, is “an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner.”
Verizon’s 2023 Data Breach Investigations Report (DBIR) noted that breaches are most often caused by either:
- cybercriminal attacks on organizations through networks and phishing emails, or
- websites delivering malware to commit fraud or espionage, or incidents otherwise categorized as “human error.”
The result, especially if the organization is under the jurisdiction of GDPR or CPRA, can be a staggeringly high fine. Additionally, companies are likely to suffer from increased customer turnover and a negative reputation.
Data Breaches in 2023
Are data breaches on the rise? According to statistics collected in the first half of 2023, yes.
As a matter of fact, a report from the Identity Theft Resource Center revealed that the number of data compromises in the U.S. is on pace to hit a record-high number in 2023.
So far this year, the healthcare and financial services sectors have been hit the hardest, with a significant amount of personally identifiable information compromised at companies such as MCNA Insurance Company and TMX Finance Corporate Services.
The Identity Theft Resource Center report also showed that phishing, malware, and ransomware were some of the most common causes of data breaches reported, but “not specified” was the leading cause. This means most data breaches reported are “lacking actionable information about the root cause of a compromise.”
Rob Sobers from cybersecurity organization Varonis notes, “It’s also apparent that companies are still not prepared enough for breaches even though they are becoming more commonplace.”
The truth is that many U.S. companies ignored decades’ worth of warnings before the GDPR was passed by the European Parliament, as well as the 2-year grace period before enforcement became serious.
This doesn’t mean that data breaches are inevitable, though. While they can never be 100% prevented, the security risks can be mitigated. Here’s how:
How to Mitigate Security Risks
Think Both Physical and Digital
Today, managing both digital documents and paper records makes information governance a challenge. Start by ensuring physical documents are stored securely, either in locked closets and filing cabinets or with an off-site storage provider. For digital documents, consider a cloud-based records management software that allows you to control who has access to what, track the chain of custody, and ensure documents are secure. The goal is to give access to those that need it while keeping others out.
Phishing, spam emails, unexpected phone calls, people you don’t recognize showing up and saying they have an appointment – all of these fall under the wide umbrella of social engineering.
Social engineering is defined by the Oxford English Dictionary as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”. It remains a very popular method for “bad actors” to get access to information they’re not supposed to.
Psychology is a hard tool to overcome. This video demonstrates how we often think that what we see is what we get and, essentially, if you have a ladder, you can get in just about anywhere.
While the video plays social engineering for laughs, it’s an example of how effective it can be.
Educate and Involve Your Team on Security Risks
Data breach prevention isn’t something you can manage by yourself like some kind of one-person army—it takes vigilance from everyone in your organization to make sure that proprietary information is only accessed by the right people at the right time.
Everyone in your organization needs to be a part of the process and understand what a phishing email looks like, how to handle sensitive data, and more.
In addition to training, getting employees involved with your information management program will ensure they understand how to protect important data against breaches. You can do this by:
- Collecting feedback: Get input from across the organization about the types of records they manage or produce.
- Building a committee: Create an information governance board with representatives from each department to provide input on new procedures and training needs, bring up issues as they arise, and drive adoption of the program among their staff.
- Finding a partner to help: Research information management partners, not just vendors, who can assist with every step of the process in managing the full lifecycle of your information, regardless of whether it starts as paper or digital files.
Protecting Information Isn’t a One-time Job
That’s the end. You’re done, right? Unfortunately, no.
Security and risk mitigation is an ongoing process. Once you’ve got everything written and recorded and the whole team bought in, it’s time to set up a regular audit of your processes.
If you feel your plan for preventing data breaches is lagging behind, the most important step is simple: Start.
It may seem intimidating at first, but there’s an adage that says, “The best time to plant a tree was 20 years ago. The second-best time is now.”
So, if you haven’t already, go plant that tree.
Dive into more tips on building a privacy compliance program that’s compliant now and scalable for the future in our digital guide: Developing a Privacy Program That Works