According to a recent study, 74% of data breaches happen without affected parties knowing about them. In the first known study to ask participants about data breaches that impacted them, conducted by the University of Michigan School of Information, researchers found most people remained unaware that their email addresses and other personal information had been compromised in five data breaches on average.
This raises the question: how many data breaches have gone unnoticed? What if your business was exposed, either directly or through a third party vendor, and you didn’t notice? If it can happen to consumers, it can happen to your business… So how do you get ahead of a data breach?
The problem with data breaches
LinkedIn, Adobe, Home Depot, Target and Equifax, among others, made headlines over the last decade for exposing private information of millions of people. To make matters worse, they had to pay million-dollar settlements and face financial and reputational damage. No leader wants their organization to be the next headline, and yet there’s still a lot of work to be done.
Breach notification requirements are insufficient, accountability is blurred, and consequences are often underestimated. In fact, most participants in the study expressed only moderate concern after being notified that they had been victims of a breach. They were most worried about the leak of physical addresses, passwords, and phone numbers.
The problem is that some consumers and businesses are not aware of how leaked personal information could be misused to harm them. Identity theft is the biggest risk that comes to mind, since attackers often obtain a victim’s full name, address, phone number, and other sensitive data. These can be used for different types of fraud, such as opening accounts, filing taxes, or making purchases in the victim’s name. There’s also the risk of credential stuffing, as noted by the researchers: reusing a leaked email address and password combination to log in to the victim’s other accounts, which is why password reuse turns a single breach into many.
How to stay ahead of a data breach
Companies usually keep sensitive information about customers and employees in their files or on their network. This is often required for payroll, orders and other business functions. Third party vendors add to the exposure: they are also necessary for business operations and have access to different kinds of information. Safeguarding critical information, wherever it lives, is just plain good business.
Here are some tips for organizations that want to minimize the risk of suffering a data breach, whether in their own network or through a third party vendor:
- Develop a procedure to collect only the data you need to operate, keep it safe, and dispose of it securely once it’s no longer needed.
- Consider local, regional or federal laws that require your company to keep sensitive data secure. In the United States, statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information.
- Make an inventory of types of personal information you have and where it lives – consider all computers, mobile devices, flash drives, etc.
- Understand how personal information moves into, through, and out of your business. This may require a conversation with Sales, HR, IT Support and any other area that exchanges information with customers or employees. The channels and methods used to handle this information (email, web forms, phone calls, etc.) will point to the appropriate security measures.
- Identify who has (or could have) access to the data. It could be employees, business partners, or third party vendors who need it to perform an outsourced service.
- Secure the information that you keep. This includes general cybersecurity measures such as encryption, multi-factor authentication, firewalls, antivirus, cybersecurity awareness training, remote work policies, etc. Consider physical security measures if there’s any physical storage or delivery of information.
- For third party vendors with outsourced business functions, perform due diligence to assess their inherent risk to your organization and their data security practices. If their security posture does not meet your standards, avoid engaging with them. If you do engage them, put your security expectations in writing in the contract and verify compliance periodically. Read our third party risk management guide to learn how to start assessing your vendor population.
Some breaches never make the news, and some involve little or no notification to the victims. If people (or businesses) don’t know that their information was exposed, they cannot protect themselves against the consequences. Fortunately, technology is on your side to stay ahead and take a proactive approach to security.