These days, it seems that you can count on three things:
Death, taxes, and…data breaches.
One day, it’s Facebook breaches. Next, it’s the entire Kingdom of Morocco (literally); and that was just what was reported this Fall.
Every day, there’s at least one headline in the news about hackers or the disingenuous among us stealing data from somewhere and/or someone that they weren’t supposed to.
In this post, we’ll explain why understanding how data breaches occur is important, explore various ways to mitigate security risks, and provide suggestions on tackling this pervasive issue.
How Data Breaches Occur, and What Happens Next
A data breach, defined by Trend Micro Antivirus, is “an incident where information is stolen or taken from a system without the knowledge or authorization of the system’s owner.”
Verizon’s 2021 Data Breach Investigations Report (DBIR) noted that breaches are most often caused by either:
- organizations suffering at the hands of cybercriminal hacks through networks and phishing emails, or
- websites delivering malware to commit fraud or espionage, or otherwise categorized as “human error”
The result, especially if the organization is under the jurisdiction of GDPR or CCPA, can be a staggeringly high fine. Verizon’s DBIR further reports that 95% of incidents had their fines falling between $826 and $653,587.
Between GDPR, CCPA, and hundreds of pieces of local legislation, privacy law is ubiquitous, and enforcement of those laws is only going to increase over time.
Data Breaches in 2021
Are data breaches on the rise? According to statistics collected in Q2 2021, yes.
Eva Velasquez, President and CEO of the Identity Theft Resource Center, notes that they are “seeing a shift with the increase in data breaches in 2021 compared to 2020, primarily because of the growing number of phishing attacks, ransomware attacks and supply chain attacks.”
The names attached to these data breaches are also far more recognizable, at least as far as large enterprises go. Amazon, Facebook, Microsoft, and Tesla have all unintentionally disclosed information.
In fact, the names of U.S. companies that have suffered from one or more data breaches in the last several years reads like the top of the NASDAQ. Rob Sobers from cybersecurity organization Varonis notes, “it’s also apparent that companies are still not prepared enough for breaches even though they are becoming more commonplace.”
The truth is that many U.S. companies ignored decades worth of warnings before the GDPR was passed by the European parliament as well as the 2-year grace period before enforcement became serious.
This doesn’t mean that data breaches are inevitable, though. While they can never be 100% prevented, the security risks can be mitigated. Here’s how:
How to Mitigate Security Risks
Today, managing both digital documents and paper records makes information governance a challenge.
Think both Physical and Digital
Phishing, spam emails, unexpected phone calls, people you don’t recognize showing up and saying they have an appointment – all of these fall under the wide umbrella of social engineering.
Social engineering is defined by Oxford English Dictionary as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”. It remains a very popular method for “bad actors” to get access to information they’re not supposed to.
Going back to Verizon’s DBIR, they report “a jump in Social Engineering breaches as a pattern from last year with an overall upward trend since 2017.”
Psychology is a hard tool to overcome. This video demonstrates how we often think that what we see is what we get and, essentially, if you have a ladder, you can get in just about anywhere.
While the video plays social engineering for laughs, this makes our next point all the more important.
Educate and Involve your Team on Security Risks
Data breach prevention isn’t something you can manage by yourself like some kind of one-person army—it takes vigilance from everyone in your organization to make sure that proprietary information is only accessed by the right people at the right time.
Everyone in your organization needs to be a part of the process and understand what a phishing email looks like, how to handle sensitive data, and more.
As we wrote in How to Build a Modern Records and Information Management Program, “Consultation is vital to engage the organization in the records plan development process. For any companywide initiative to succeed, all staff must have an opportunity to contribute to its development.”
Building an information management program to protect and govern data against breaches (that your employees will embrace) starts with three key steps:
- Collect feedback: get input from across the organization about the types of records they manage or produce.
- Build a committee: Create an information governance board with representatives from each department to provide input on new procedures and training needs, bring up issues as they arise, and drive adoption of the program among their staff.
- Find a partner to help: Research information management partners, not just vendors, who can assist with every step of the process in managing the full lifecycle of your information, regardless of whether it starts as paper or digital files.
Protecting Information Isn’t a One-time Job
That’s the end. You’re done, right? Unfortunately not.
Security and risk mitigation is an ongoing process. Once you’ve got everything written and recorded and the whole team bought in, it’s time to set up a regular audit of your processes.
If you feel your plan for preventing data breaches is not up to par or lagging behind, the most important step is simple: Start.
It may seem intimidating at first, but there’s an old adage that says, “The best time to plant a tree was 20 years ago. The second best time is now.”
So, if you haven’t already, go plant that tree.
Dive into more tips on building a privacy compliance program that’s compliant now and scalable for tomorrow in our digital guide: Developing a Privacy Program That Works