Data breaches are a costly affair in the UK and worldwide, and they’re happening with greater severity and frequency than ever before. Risk management professionals need to know the common ways in which data breaches can arise and plug the gaps where they can. Here are 5 common reasons for data breaches and recommended action that you can take.
1. Discarded IT Assets
As organisations cycle through their IT inventory, discarded hard drives, laptops, mobile phones and other devices containing sensitive media must be adequately destroyed so that any such data is rendered completely irretrievable by malicious actors. Having access to this data, especially with minimal or no encryption whatsoever, is one of the easiest avenues for a data breach to occur.
Recommended action
Consider an IT asset disposition (ITAD) strategy either internally or with the assistance of an ITAD company who can provide secure data destruction services.
2. Phishing
Another extremely common method of gaining unauthorised access to sensitive data and to cause a data breach is from phishing. Email scams impersonating authentic business entities or even internal corporate email addresses can easily attract employees to click on a malicious link, thereby compromising the user’s device or network with malware and thus causing a data breach.
Recommended action
Implement a robust anti-phishing education programme for all employees so that they are aware of the risks and exercise full due diligence with regards to email.
3. Compromised Credentials
If you can’t remember your login credentials for your workstation or for applications, writing down a password on a piece of paper or storing it in an unsecured, unencrypted location can be a recipe for disaster. Moreover, storing sensitive data in unencrypted file folders or offline might seem ‘easier’ but end up essentially giving away sensitive data ‘for free’ to a cybercriminal whilst also being grounds for a possible GDPR violation.
Recommended action
Multi-factor authentication and more secure login credentials are a good, safe way to reduce these types of risks should credentials fall into the wrong hands.
4. Brute-Force Attacks
One common method of unauthorised entry to an IT system and network is through brute force attacks or ‘attrition,’ whereby a cybercriminal ‘forces’ login credentials and passwords through software that repeatedly generates credentials until access is granted. Otherwise, distributed-denial-of-service (DDoS) attacks can be used to overwhelm the integrity of the network and to cripple operations.
Recommended action
The best way to mitigate these types of brute-force attacks on a network include robust cybersecurity, CAPTCHA, and forced time-outs for incorrect passwords that will slow down any attempts at guessing.
5. Removable Media Devices
USB thumb drives, SD cards, and external hard drives might be a handy way to port data between computers within an organisation, but it’s also a convenient way for a clever cybercriminal to gain unauthorised access to sensitive data and cause a data breach.
Recommended action
Trojan viruses and other malware can be hidden on USB thumb drives, so have a good policy in place for approved devices and approved file storage media to avoid this from happening.
Managing data breaches with Risk Wizard UK
Record all potential data breach risks in Risk Wizard and track how IT staff are controlling them in terms of preventative and detective risk controls. Take a short tour with one of our experts to see how easy the software is to work with. https://www.riskwizard.co.uk/demo