Today's attackers are bold, sophisticated, and looking for the next big score. According to a recent study by the Ponemon Institute, the probability that a company will experience a data breach increases year over year, and the average cost of a data breach is a whopping $3.86 million. Interestingly, sensitive data isn't always exposed through complex cyber assaults. Large-scale attacks get the most news coverage, but many data breaches occur because of simple human mistakes. So as you think through ways to strengthen your security, don't forget to account for these four human causes of a data breach.
Email Message Mistakes
Many email clients autofill a recipient address as you type, so a user can send a document to the wrong person with a single mis-keyed character. But that is just one way it happens. A year ago, Gloucestershire Police were fined £80,000 (about $92,000) for revealing the identities of abuse victims in a bulk email. According to the ICO (the Information Commissioner's Office, the UK's independent regulator for information rights), a police officer sent an update about an abuse case to recipients ranging from the victims themselves to lawyers and journalists. Instead of putting the addresses in the blind carbon copy (Bcc) field, he entered them all as visible recipients, exposing the names and email addresses of 56 people to everyone on the list. IT pros can help users avoid incidents like this by setting clear policies on how data is accessed and shared, by making sure users understand how their tools work, and by adding technical guardrails such as mail-client warnings or gateway rules that flag messages with large visible recipient lists.
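The guardrail mentioned above can be a simple check run by a mail gateway or a send-button hook before the message leaves. The following Python is an added example, not code from the article or from any of the organizations it mentions: it parses an outgoing message, counts the recipients that everyone will see (To and Cc, never Bcc), and blocks delivery when the visible list is long or spans many unrelated domains. The two thresholds, the `police.example`/`orgN.example` addresses and both sample messages are constructed for the demo and are not taken from any real policy or incident.

```python
"""
Pre-send check for the bulk-email exposure mistake: refuse a message whose
visible To/Cc headers reveal a large, cross-organization recipient list
that should have gone in Bcc. Thresholds and samples are assumptions.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import getaddresses

# Assumed policy thresholds; tune these for your organization.
MAX_VISIBLE_RECIPIENTS = 10  # more visible recipients than this looks like a bulk mailing
MAX_VISIBLE_DOMAINS = 3      # more distinct domains than this means unrelated parties see each other


def visible_recipients(raw_message: str) -> list[str]:
    """Addresses every recipient will see: To and Cc only. Bcc is never exposed."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def check_recipient_exposure(raw_message: str) -> dict:
    """Return {'allowed': bool, 'visible_count': int, 'domains': [...], 'problems': [...]}."""
    addrs = visible_recipients(raw_message)
    domains = sorted({a.rsplit("@", 1)[-1] for a in addrs})
    problems = []
    if len(addrs) > MAX_VISIBLE_RECIPIENTS:
        problems.append(
            f"{len(addrs)} recipients are visible in To/Cc (limit {MAX_VISIBLE_RECIPIENTS}); move them to Bcc"
        )
    if len(domains) > MAX_VISIBLE_DOMAINS:
        problems.append(
            f"{len(domains)} distinct recipient domains are visible; unrelated parties would see each other's addresses"
        )
    return {"allowed": not problems, "visible_count": len(addrs), "domains": domains, "problems": problems}


# Constructed sample: a case update wrongly sent with every recipient in To.
BULK_MESSAGE = (
    "From: officer@police.example\r\n"
    "To: " + ", ".join(f"recipient{i}@org{i}.example" for i in range(12)) + "\r\n"
    "Subject: Case update\r\n"
    "\r\n"
    "Please see the attached update.\r\n"
)

# Constructed sample: the same update sent correctly, external parties in Bcc.
SAFE_MESSAGE = (
    "From: officer@police.example\r\n"
    "To: officer@police.example\r\n"
    "Cc: supervisor@police.example, records@police.example\r\n"
    "Bcc: " + ", ".join(f"recipient{i}@org{i}.example" for i in range(12)) + "\r\n"
    "Subject: Case update\r\n"
    "\r\n"
    "Please see the attached update.\r\n"
)

if __name__ == "__main__":
    for label, raw in (("everyone in To", BULK_MESSAGE), ("externals in Bcc", SAFE_MESSAGE)):
        result = check_recipient_exposure(raw)
        verdict = "allowed" if result["allowed"] else "BLOCKED"
        print(f"{label}: {verdict}; {result['visible_count']} visible recipient(s)")
        for problem in result["problems"]:
            print("  -", problem)
```

The domain-count rule matters more than the raw count: a message to 12 colleagues at one domain is routine, while a message to 12 addresses at 12 different organizations is almost always a mailing that belongs in Bcc. A real deployment would also whitelist known internal distribution lists and let the sender override with a justification that is logged.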
Those Pesky Cyber Fakers
Cybercriminals can access troves of sensitive information if they can convince an employee to hand over credentials, using attacks like the following:
Social Engineering – In 2015, health insurer Anthem revealed that attackers had obtained protected health information including Social Security numbers, names, addresses, and more. The attackers used social engineering (targeted phishing emails) to steal administrator credentials. Nearly 80 million customer records were exposed, and Anthem later agreed to a $115 million settlement of the resulting class action, on top of its own investigation and remediation costs.
Phishing – We all remember the 2014 breach of Sony Pictures Entertainment, which exposed everything from emails to entire unreleased films. The attackers likely gained access to Sony's systems through a phishing campaign consisting of fake Apple ID verification emails. After capturing the Apple IDs of top executives, they used LinkedIn profiles to guess network usernames, then assumed correctly that some executives used the same password for their Apple ID and their network login. Sony reportedly spent $35 million investigating and remediating the breach.
There are two key lessons from these stories. One is that social engineering is a powerful way for attackers to extract data; IT pros need to help users recognize attacks like these and implement relevant policies. The second is that users should never reuse a password across accounts. While this should be an obvious precaution by now, a poll taken in May found that 59 percent of respondents reuse the same password across accounts. Make sure users understand the risk they take when they reuse passwords, give them a password manager so unique passwords are practical, and require multi-factor authentication so that a password stolen from one service does not, by itself, open the corporate network.
Poor Vendor Selection
A data breach doesn't always happen because of your company's own vulnerabilities; sometimes it happens through one of your vendors. The 2013 Target breach began when attackers stole network credentials from an HVAC vendor, Fazio Mechanical Services, and used that vendor's remote access to reach Target's internal systems. It's important to vet any provider you do business with, but it's downright critical if they store or interact with your sensitive data or systems. Reduce your risk by asking vendors to validate their security procedures (independent audits or attestations, not just a questionnaire), by segmenting vendor access so a vendor's connection reaches only the systems it actually needs, and by including contract clauses that require them to assume liability for a breach originating in their systems.
The Insider Threat
Outside attackers seem like the scary ones, but employees have the most immediate access to your sensitive information. Malicious insiders, disgruntled current employees, or those who have been recently terminated might steal devices and data hoping to sell them for profit. To reduce your risk, deter this behavior by creating a workplace culture of accountability. Also enforce least privilege: employees should be able to reach critical information only when their role requires it, and that access should be reviewed and removed when roles change. Last, revoke device and network access immediately at (or even during) termination, and treat every staffing change as a trigger for an access review.
One could argue that a human is behind every data breach. Outside of rogue glitches or hardware failures, people are responsible for the decisions they make and the work they do to keep data safe. IT admins should do everything within reason to protect critical information so they don't end up paying the hefty tolls that come with a data breach.