Data breaches are an increasingly common affair. A recent government report showed that 46% of all businesses identified at least one cyber attack in the last year, with 74% of directors regarding cyber security as a high-priority issue.
Whilst the popular conception of such attacks is an external entity hacking in, a recent analysis in the US found that 85% of breaches are conducted by someone known to the business. To overcome this, companies need to up their game in terms of securing their data. Perhaps the first step in this process is to understand the risks you face.
Understanding internal security risks
There have been a number of high-profile examples of employees going rogue and making off with sensitive data. For instance, DuPont recently charged an employee with stealing 20,000 sensitive files in order to sell them to a rival.
Similarly, employees at Wells Fargo were convicted of leaking customer information, thus allowing cybercriminals to impersonate customers and steal several hundred thousand dollars.
Such breaches are especially damaging because the data is so difficult to recover once it has been stolen. The ease with which data can be replicated makes it very hard to put the genie back in the bottle again. This is only likely to become more of an issue as technology improves to allow for greater storage and transmission of data.
Understanding your data
Organizations then need to understand the data that they have, and where it’s stored. Who has access to that data? Suppliers? Customers? Staff? Regulators? Each can have different permissions and ownership, and it’s crucial to understand these, even if determining ownership can be challenging.
You will then need to profile and classify your data before you can begin to decide on a strategy to minimize your risk of a data breach.
A recent paper suggests you can use one of three distinct strategies:
- Securing – the first strategy revolves around ensuring your sensitive data is secured. Whilst encryption can increase security, it can reduce productivity.
- Devaluing – a second strategy is to devalue your data by actively choosing not to hold sensitive information. For instance, you might choose not to hold credit card information to make yourself less of a target.
- Outsourcing – a third strategy would involve outsourcing your security to others. For instance, you might store your data in the cloud or hire a security specialist. This can be viable for smaller organizations with minimal resources.
Suffice to say, these steps are by no means a fail-safe way of securing your data, but they would help to minimize the threat posed by insider attack. This will be especially important because, with regulations such as GDPR looming on the horizon, data security will increasingly be a regulatory issue.
“Data security is on the mind of most businesses but it is on the mind of regulators too,” added Jonathan Armstrong at compliance law firm Cordery. “From May 2018 under new data protection law, the GDPR, the penalties and the obligation to tell regulators and victims get tougher too. Businesses need to find a way of making sure that their data is secure to comply with GDPR.”