The data loss that will hurt your business the most
January 28 is Data Privacy Day — known as Data Protection Day in Europe. Data privacy is about deciding who may have access to what information, while data protection is about safeguarding that information. A data breach blows both out of the water.
Data breaches can happen in any organisation. Our latest research, undertaken with Ponemon Institute, shows that just under half, 48%, of the organisations surveyed in five countries around the world experienced a data breach incident in the last year involving the loss or theft of sensitive information about customers, prospects, or employees. This rises to 54% among financial services organisations.
We'll look at the main causes of data breaches later. But first, let's talk about risk.
For cybersecurity to be fully effective, it needs senior executive-level support. And risk is the language all business leaders understand. When it comes to ensuring a robust, compliant approach to data privacy and protection, business leaders need to know "what would happen if …" they lost valuable data.
What does a data breach mean for your business?
The research reveals that not all data loss carries the same level of business risk. This matters because it enables organisations to focus their security resources accordingly.
Not altogether surprisingly, financial data tops the list of information that, if lost or stolen, would have the greatest financial or operational impact on the organisation. Overall, 43% of respondents named this as one of their two highest-impact data losses.
Other interesting insights include:
- The loss of employee records has the second highest impact (37%) overall. The margin between second and third place (customers' personally identifiable information, PII, at 36%) is slim overall, but the figure for employee records is higher among the largest organisations surveyed (40%). This could reflect the fact that organisations often hold more, and more detailed, sensitive, and confidential information about their employees than about their customers. Attackers could abuse such data for extortion or to recruit malicious insiders, and its loss leaves the business exposed to costly lawsuits, compliance breaches, and more.
- The loss of intellectual property has a greater impact on smaller (30%) than larger companies (21%), possibly because smaller businesses rely heavily on IP for competitive advantage and are less likely to have a broader range of assets.
- The loss of emails and informal chats/texts has the greatest impact on larger companies (32%). This could reflect the risk of advanced email threats such as business email compromise and the need to keep such records for legal disclosure and compliance.
The main causes of data breaches
Respondents were asked about the root causes of data breaches. The findings show how broad digital attack surfaces have become, with numerous points of weakness that can expose networks and data.
The root causes appear to fall into four categories — people, cyber threats, supply chain, or system fault/misconfiguration.
They include:
- Employee/contractor activity, whether through negligence (a root cause in 42% of breaches) or malicious act (39%)
- IT security oversights, including unpatched vulnerabilities (34%) and errors in the system or operating process (41%)
- Third-party mistakes (45%)
- External adversary — hacking (34%), phishing (39%), and viruses or other malware (49%).
Elsewhere in the study, the findings show that one in six (17%) successful phishing attacks resulted in the loss of sensitive and confidential information, rising to more than one in five for organisations in manufacturing (22%), the public sector (21%), and for respondents from the UK (23%) and France (21%).
Many of these potential breakpoints can be addressed through effective security technologies and policies.
Protecting your data
If around one in every two businesses experienced a data breach in the last year, it is not a big leap to assume that over time, every organisation will experience a data breach. If nothing else, every organisation should approach its data security and compliance as if that were the case.
Regardless of the size of your organisation, you can't go wrong by getting the basics right. These include a robust approach to authentication and access, with multifactor authentication as standard and ideally moving towards a Zero Trust approach.
Your IT infrastructure should feature defence-in-depth, AI-powered security technologies that cover your entire attack surface and give you full visibility into every entry point, from devices to APIs, cloud assets, and more.
Ideally, this should be backed by 24/7 security operations and monitoring so that you are ready to respond to, mitigate and neutralise any threat before it moves further along the cyber kill chain.
Alongside this, you need to back up your data continuously. Ensure that all backup data is encrypted, both at rest and in transit. Apply the 3-2-1 rule: keep three copies of your data (the live copy plus two backups), on two different types of media, with one copy held off-site, and ideally offline or immutable so that ransomware that reaches your network cannot reach your last good copy as well.
Employee engagement and training are critical. All employees should understand why cybersecurity matters, the latest threats and scams to look out for, and what to do if they spot something suspicious.
Know your obligations
Last, but not least, make sure you know and abide by the data privacy and protection regulations for any market you do business in.
Information on data privacy is available in the U.S. from the Cybersecurity & Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and many more public, private, and educational institutions.
The same applies to EMEA and Asia Pacific. Alongside key regional sites, such as the GDPR Compliance Checklist and more, Deloitte's Europe Data Guidance and Asia Pacific Data Guidance include up-to-date information on data protection and privacy laws and developments across the regions.
Barracuda commissioned international research from the Ponemon Institute into the security challenges and financial consequences of compromises faced by organisations with between 100 and 5,000 employees. Ponemon surveyed 1,917 IT security practitioners in the United States (522), the United Kingdom (372), France (329), Germany (425), and Australia (269) in September 2023. A report on the findings, Cybernomics 101, is available.