Data is one of the most valuable assets that you have at your disposal as a business or organization. Whether it’s strategic internal data or customer information, the right data can be useful for everything from providing insights that can help hone strategies to prediction. For data compliance, maintaining a competitive advantage, and keeping the trust of customers, no one wants data slipping into the wrong hands.
This is where the issue of data security comes in. As with any valued asset, you must take the right precautions to protect what is yours. According to the Ponemon Institute’s Cost of Data Breach Study, the average data breach in the United States costs around $8 million in damages. That is without even mentioning the possibility of eroded user trust, long-term damage in the form of stolen intellectual property, and more.
Simply put: protecting data should be a top priority in a landscape where, unfortunately, breaches are becoming all the more common every day.
Data breaches in 2020 and beyond
2020 saw a number of high-profile leaks. The year commenced with Microsoft disclosing an enormous data breach consisting of 250 million entries, including information about email addresses, support cases, IP addresses, and more. That only turned out to be the tip of the iceberg when it came to data breaches. A June data breach at the user-generated stories website Wattpad exposed more than 268 million records. This included names, usernames, IP addresses, birth dates, passwords, and other pieces of identifying information. In one of the year’s biggest leaks, security company Keepnet Labs exposed a massive 5 billion records, covering passwords, email addresses, and additional information.
Things certainly don’t look like slowing down in 2021, either. In February 2021, Malaysia Airlines admitted that it had suffered a data breach which spanned nine years, and exposed personal data belonging to customers in its Enrich frequent flyer program. This was supposedly the result of a breach involving a third-party IT provider. Customer information including names, contact info, age, gender, and more was exposed from March 2010 through June 2019.
By accident or by design
Not all of these data breaches are the result of malicious action by external forces. In the same way that finding your front door unlocked could be due to thieves or your own failure to lock it, a sizable percentage of data breaches are the result of accidental or negligent exposure of data. That could be a person sharing access with the wrong person, losing data, or otherwise leaving it exposed in some manner.
For example, Microsoft said that its leak was not the result of “malicious use.” Similarly, the Keepnet Labs leak was reportedly due to an error that took place while migrating database information during scheduled maintenance. During this migratory process, an engineer carrying out the work disabled a firewall for a period of just 10 minutes. While the firewall was disabled, the data was automatically indexed by an internet indexing service, thereby making it publicly available.
However, while many breaches may be due to accidental exposure, there are certainly many bad actors who target systems. Data taken during the Wattpad breach was sold for more than $100,000, and later published on a public hacking forum.
This data can then be exploited by hackers who can use it to carry out other attacks, such as attempting to log into other customer accounts using the password and additional identifying information. Cyber attackers use multiple methods to gain access to this data, ranging from malicious code that can sit on webpages and siphon off data to phishing and other social engineering attacks, which can help gain a foothold in systems for the later exfiltration of data.
The effects of a data breach can be devastating for a company. Attackers may seek to extort money by carrying out what is known as a ransomware attack, in which they encrypt vital files and only decrypt them if they are paid a ransom.
Damage may also come from attackers breaking into a system and deleting or modifying data, or exfiltrating it and using it for nefarious purposes. Companies may also suffer as a result of dented customer loyalty following a data breach. Increasingly, industries also require a level of data security in order to comply with regulations. Failing to protect data from attackers can mean businesses are hit with heavy fines, which can prove extremely damaging in and of themselves.
There are multiple steps companies and organizations should take in order to practice good data security. They should ensure that they have the proper data detection and classification systems in place to identify which data is sensitive and take proactive measures to secure it. Steps like data masking, the introduction of Identity and Access Management (IAM) tools, proper authentication measures, and thorough use of data encryption can all help to safeguard against exposing sensitive data.
On top of this, cybersecurity systems such as database firewalls, data loss prevention (DLP), and behavior-based database activity monitoring can all ensure that the owners of valuable data streams are properly protected. Doing so is an absolute must in 2021 — and will be for many years to come.
Data, as the saying goes, is the new oil. So make sure you protect it like you would a physical asset. Your customers, shareholders, and just about everyone else will thank you for it.