Friday, May 24, 2024

1 in 5 Businesses Breached via Emails: Is Yours Next?


Siroui Mushegian
CIO, Barracuda Networks

Protect your business from a 50% chance of data breach! Learn top risks (financial data, employee records), causes (phishing, employee actions), and essential security measures (multi-factor, backups, training).

Data privacy is about deciding who may have access to what information, while data protection is about safeguarding that information. A data breach blows both out of the water.

Data breaches can happen in any organization. Our latest research, undertaken with Ponemon Institute, shows that just under half, 48%, of the organizations surveyed in five countries around the world experienced a data breach incident in the last year involving the loss or theft of sensitive information about customers, prospects, or employees. This rises to 54% among financial services organizations.

We’ll look at the main causes of data breaches later. But first, let’s talk about risk.

For cybersecurity to be fully effective, it needs senior executive-level support. And risk is the language all business leaders understand. When it comes to ensuring a robust, compliant approach to data privacy and protection, business leaders need to know “what would happen if …” they lost valuable data.

What does a data breach mean for your business?

The research reveals that not all data loss carries the same level of business risk. This matters because it enables organizations to focus their security resources accordingly.

Not altogether surprisingly, financial data tops the list of information that, if lost or stolen, would have the greatest financial or operational impact on the organization. Overall, 43% of respondents named this one of their two highest-impact data losses.

Other interesting insights include:

  • The loss of employee records has the second highest impact (37%) overall. The margin between second and third place (customers’ personally identifiable information, PII, at 36%) is slim, but it is wider for the largest organizations surveyed (40%). This could reflect that organizations often hold more detailed, sensitive, and confidential information about their employees than about their customers. Such information could be abused by attackers for extortion or to recruit malicious insiders, and its loss can leave the business exposed to costly lawsuits and compliance breaches, among other consequences.
  • The loss of intellectual property has a greater impact on smaller (30%) than larger companies (21%), possibly because smaller businesses rely heavily on IP for competitive advantage and are less likely to have a broader range of assets.
  • Losing emails and informal chats/texts has a major impact on larger companies (32%). This could reflect the risk of advanced email threats such as business email compromise, and the need to keep such records for legal disclosure and compliance.

The main causes of data breaches

Respondents were asked about the root causes of data breaches. The findings show how broad digital attack surfaces have become, with numerous points of weakness that can expose networks and data.

The root causes fall into four groups: people, cyber threats, the supply chain, and system faults or misconfigurations.

They include:

  • Employee/contractor activity, whether through negligence (a root cause in 42% of breaches) or malicious acts (39%)
  • IT security oversights, including unpatched vulnerabilities (34%) and errors in the system or operating process (41%)
  • Third-party mistakes (45%)
  • External adversaries: hacking (34%), phishing (39%), and viruses or other malware (49%)

Elsewhere in the study, the findings show that one in six (17%) successful phishing attacks resulted in the loss of sensitive and confidential information, rising to more than one in five for organizations in manufacturing (22%), the public sector (21%), and for respondents from the UK (23%) and France (21%).

Effective security technologies and policies can address many of these potential weak points.

Protecting your data

If around one in every two businesses experienced a data breach last year, it is not a big leap to assume that every organization will experience a data breach over time. If nothing else, every organization should approach its data security and compliance as if that were the case.

Regardless of the size of your organization, you can’t go wrong by getting the basics right. These include a robust approach to authentication and access, with multifactor authentication as standard and, ideally, a move towards a Zero Trust approach.

Your IT infrastructure should feature defense-in-depth, AI-powered security technologies that cover your entire attack surface and provide full visibility into every entry point, from devices to APIs, cloud assets, and more.

Ideally, this should be backed by 24/7 security operations and monitoring so that you are ready to respond to, mitigate, and neutralize any threat before it moves further along the cyber kill chain.

Alongside this, you need to back up your data continuously. Ensure all backup data is encrypted while at rest and in motion. Apply the gold standard of 3:2:1 — three backup copies, using two different media, one kept offline.

Employee engagement and training are critical. All employees should understand why cybersecurity matters, the latest threats and scams to look out for, and what to do if they spot something suspicious.

Know your obligations

Lastly, ensure you know and abide by the data privacy and protection regulations for any market in which you do business.

Information on data privacy is available in the U.S. from the Cybersecurity & Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and many more public, private, and educational institutions.
