July 9, 2021
In half of the small and middle-sized businesses, negligent employee and contractor behavior is the root cause of a data breach.
There’s no drama to poor password hygiene or an open database left for everyone out there to see, but they still deserve our attention. Often, data breaches result from lax risk assessment, no permission management, and no comprehensive plan to remediate the potential breach damages.
According to Varonis’ Global Data Risk Report, 1,000 sensitive files are exposed to all employees in 53% of companies. This reinforced the point that not enough is being done to protect sensitive information and that overexposure doubles the risk for lazy security protocols.
So what should organizations do to prevent data breaches, and how should they react if a breach happens in their company?
When dealing with such an important matter, we need to give a clear data breach definition.
“Data breach is any release of confidential, private, and classified information to an untrusted environment.”
This security incident can be internal or external, arise from a cyberattack carried out by a third party or caused by own employees, whether intentional or not. According to the Ponemon Institute, 28% of security incidents are caused by insiders or workers with unharmful motives who fall into traps thanks to the "human factor" and cyber ignorance.
For example, an employee of the Governor's Office of Information Technology in Colorado caused a data breach by losing a memory stick with social security numbers, first and last names of nineteen thousand authorities. He failed to keep personal information encrypted, even though that requirement was adopted and implied by his organization.
The man was fired on the spot for failing to comply, and although it is sad to see a person be axed for losing the stick while transferring his things from one office to another, it is a punishment that puts others on notice.
It’s important to understand that workers that lose their own devices are also responsible for data breaches, as most of them store some work-related files on their hard drives. People who leave their smartphones, tablets, and notebooks at airports not only expose them to public Wi-Fi but also to off-the-mill thieves.
If thieves can log into the accounts after accessing the devices, they can also feast on personal and corporate data.
Corporate emails contain vast volumes of confidential and highly sensitive data, either pinned in email attachments or laid out as plain text in the body of the email.
Printed-out copies are often lost, left behind, and improperly disposed of, becoming public. Just dropping documents into a trash can is a sure way to leak the personal data of co-workers, patients, and clients.
Even a wrongfully sent, misdirected, and unencrypted email is considered a data breach, as confidential data leaves the perimeter of your company and gets exposed to a third party.
Another human factor that can lead to a breach is the departure of one of the workers and their desire to still be in the mix of things. That's why former staff members must get their access revoked.
However, in some cases, workers create backdoors in the system to remain informed about the next steps their ex-company would attempt to make.
Here’s a data breach example for you.
Michael Leeper, ex-director of the technical infrastructure at Columbia Sportswear Company, created a burner account in the email server of his former company.
He wasn’t found out and remained unpunished for two years, as he stole information to give his new place of work in Denali an unfair advantage. Leeper accessed Columbia’s electronic systems over 700 times and had an unlimited view of thousands of email accounts used by other Columbia employees worldwide.
After being caught, Leeper paid a sum of $100,000 to Columbia Sports to settle the company's civil case alleging breach of loyalty and computer fraud. He was also sentenced to 3 years of probation with 400 hours of community service.
In some industries, the punishment for sticking the nose where it doesn’t belong can get worse.
Workers who have access to the medical files of patients feel very tempted to find out the nitty-gritty details about the lifestyle of celebrities, friends, family members, even their own peers.
Because of that risk, medical privacy legislation systems like HIPAA became the primary safeguards of enacted data privacy laws. According to the OCR Breach Portal, email is the top vector for HIPAA data breaches.
Electronically shared medical information has to be protected, and patients have to be notified if their medical records are lost or compromised. Medical data breach notifications are mandatory, and individuals responsible for the disclosure often lose their license.
This is why a human element is so important when it comes to data breach prevention. Make sure you employ diligent workers who know the boundaries and limit the access they can have to protect the company.
In this blog we have already discussed how to be HIPAA compliant. And now that we can differentiate between different types of breaches.
Let’s revise how exactly we should react to them.
Dealing with a breach without knowing what was stolen is as hard as protecting the company from cyberattacks without knowing what to defend.
Just identifying information loss is a complex task of its own. According to data breach statistics, the average number of days for identification stands at 191 days. In some cases, the companies find out about their stolen data years after the fact, if they are still active.
While fear-mongering is too widespread in cybersecurity, one should not rest on their laurels - similar security incidents could indeed lead to severe financial losses, backlash from the public, and hefty fines from data regulating bodies. If put together, all factors could contribute to the grave consequences for many young companies.
70% of small businesses are unprepared to deal with a cyberattack, according to Purplesec.
What about the bigger companies? The tech giants suffer from bad PR but ultimately can brush incidents off faster than other companies.
That also relates to their incident response speed. In the infamous 2018 data breach, where 50 million people were affected, Facebook needed only three days to identify a breach and go public with it.
The existence of data loss prevention systems surely helped make the discovery quicker.
When we talk about some of the loudest cases, we can’t leave the Equifax data breach out of the spotlight, as this company is what they call a "repeat offender".
Equifax experienced two similar incidents in just one year, failing to patch the already discovered Apache Struts vulnerability.
Hackers gained access to Equifax’s TALX payroll division, giving them the power to change the 4-digit PINs used by managers. This manipulation allowed criminals to compromise the Equifax customer service that would redirect users to a phishing site.
To make matters worse, Equifax didn’t even disclose their breach correctly, correcting the final number numerous times. Increasing the numbers a few days after admitting to the mishap is all sorts of wrong. Someone even sent out non-malicious phishing links from their Twitter account to make them blush once again. Equifax couldn’t catch a break, and all the shots were coming their way.
Eventually, they got fortunate, only being forced to pay £500,000 to UK’s ICO (Information Commissioner's Office) and not the projected post-GDPR sum that would be around $124 million. What they got was a simple slap on the wrist.
There’s no incentive for them to learn, and that’s why they don’t attempt to improve their security.
For another data breach example, let’s look at Uber. Uber experienced a gigantic breach in 2016, when about 25 million drivers in the US and 57 million Uber riders worldwide got their personal data exposed.
Uber decided to pay $100.000 under the guise of a bug bounty program to the 20-year old hacker who had to sweep it all under the carpet.
An eventual forensic investigation of the board found out about the hush payment and went public with it.
Better late than never, but Uber’s attempt to hide the truth resulted in the hefty fine. Uber settled with all 50 states for $148 million. As part of their reaction to the breach, Uber fired Joe Sullivan, their Chief Security Officer, who denied the accusations even though the company was caught red-handed.
As Serene Davis, the underwriter with Beazley said, "A breach alone is not a disaster, but mishandling it is."
Unfortunately, not all companies have the same security budget as Facebook, Uber, or Equifax.
Most of them find out about the leak either while scouring the dark web markets or looking over the logs if the malicious attackers left any signs of their work and triggered basic security mechanisms for suspicious activity.
Foul play can be identified by discovering new system processes or software, repetitive crashes, abnormal logging locations, high network activity, configuration changes, activity on unusual network ports, and unexpected lockouts from accounts.
Then again, reports from customers, contacts, or even from attackers are more straightforward.
When the scope of a breach is identified, it’s time to close the stable door. Yes, even if the proverbial horses have bolted it. Accept the defeat and make sure it doesn’t happen again!
“If you don’t have a corporate strategy, don’t have the understanding of the security, and if you treat it with negligence, and don’t address this within the management team, sooner or later, you will be breached.” - Johan Nordstrom, The Art of Email Security.
Many companies fail to realize that their reaction to the breach is more important than the breach itself.
Many companies get breached, but what they do after it separates a good security company from a bad security one. The first bit of business after completing an evaluation stage is to remain calm. Ideally, security specialists follow the pre-built incident response plan, the checklist of actions one must stick to after a data breach.
Having an incident response plan may not return the data, but it will show you the way out of the predicament, if built correctly. Here are some of the recommended steps to include in the plan:
Password resetting is critical for a multitude of reasons. When the breach becomes public, malicious hackers could use bulk information for credential stuffing. It is a type of attack where a hacker tries to log in to a not-compromised-yet account by using a leaked password across any other accounts a data breach victim may own.
This can also put other companies in hot water, as we saw before with Dropbox in 2012.
"The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to login to sites across the internet, including Dropbox".
Pivoting the entire system into a secure mode is not an easy task, but it’s the only correct one.
If your company lacks forensic representation or doesn’t have experienced IT professionals, consider delegating the safeguarding process to verified security specialists. Sometimes inviting a non-biased person is better, as your own IT department can keep you in the dark about the severity of the breach, trying to “soften the blow”.
During the investigation, you should learn what happened, what data was compromised, what should be done to prevent it from happening in the future, and what you can do for people that had their data compromised. As soon as the investigation is carried out, find out if your type of breach fits the type covered by any applicable law.
If yes - contact the law enforcers and stay in the clear about the severity of the breach.
It is not recommended to go to the media or address the users when “the wound is still fresh”, as by doing so, you would attract more attackers to your already vulnerable system.
A “broken window” effect is very real and can lead to more security incidents in the future.
Now that you have found out how to minimize the losses and save your reputation in front of the public, you might want to find out how you can stay out of trouble in the first place.
As established in the past segment, following proactive approaches is always better than being in a reactive environment. It also helps to know where the threat is coming from in the first place. Almost 70% of CISOs agree that if their company would ever experience a data breach, it would happen due to malicious email.
Targeted emails, or spear phishing, are reported by businesses to be used in 91% of successful data breaches and 95% of all enterprise networks. There are plenty of reasons for email data breach being so likely.
Email operates on an outdated SMTP protocol, which sends all the data as plain and unprotected text.
Encryption is the process of decoding the original message of the correspondence to make it unreadable for outsiders. End-to-end encryption can guarantee your personal information the invisibility and privacy it deserves.
One security solution that can safeguard you from costly data breaches is called StealthMail.
Its biggest strength is making your emails invisible to relays, hackers, and other public internet threats by keeping them inside your perimeter.
With StealthMail, you are the only party in control of your encryption keys.
This proactive technology is ideal for preventing security breaches thanks to its 'Revoke Email' feature. You can cut access to confidential information even after a third party has opened the email!
Link copied to clipboard!