The theft or loss of important data on the part of companies and public sector organisations isn’t new or shocking any more.
It’s an all-too-regular occurrence, which typically only makes the headlines if it’s a big organisation or public body that’s affected.
Yet smaller businesses are equally at risk, and though they may not be on the prime target list for criminal hackers, they still risk significant loss, fines or damage to their business if they are targeted and get hacked.
Why do these ‘data breach’ incidents continue to happen?
There are many reasons that many organisations do not take data loss or data theft seriously enough.
A top reason is a simple lack of appreciation of risk. Corporate data is just numbers and words stored on a computer system, so attaching a real contextual meaning to it can be difficult. If backup processes are in place, the assumption may be that data is ‘safe in the event it gets lost’.
A second reason for the lack of action may be that there’s a temptation to see data security risks as ‘something that won’t happen to us’. The reality, however, is that attacks are typically random and mass-targeted – meaning that the same links or attachments may be sent to hundreds, thousands or tens of thousands of potential victims. Only a tiny fraction of those attempts need to succeed for the hackers to achieve their goal.
Thirdly, awareness may be high among executives of the risks – but for reasons such as perceived cost or lack of urgency, action to rectify network security risks may not be a high priority.
What sort of data are we talking about?
Company data is anything that is stored on computers or servers, and that is or may be critical to the operational or strategic management of the business.
The amount of data you hold and how you store it may depend on the sector you operate in or the nature of your business, but may include any of the following:
- Personal contact details (e.g. customers, suppliers)
- Personal records and history e.g. health, financial status, employment record
- Financial details such as bank accounts
- Intellectual property e.g. plans, blueprints, computer code, formulae
- Passwords and login details for email or web servers and accounts
What are the likely impacts of data loss or theft?
Clearly, if lost or stolen, these types of data in the wrong hands could potentially have a critical or catastrophic effect on the business, both immediately and further down the line.
Putting things right: once the source of the data breach is known, there is likely to be immediate and considerable disruption to ‘business as usual’.
Communicating any impacts with customers and suppliers is a key requirement, but inside the business, significant focus is likely to be drawn away from operational matters and on to “fixing the problem”.
Such defocusing from normal business has the potential to take the company off course, with operations such as customer service being diverted from their usual tasks. Inevitably, productivity may be affected while these activities are in progress.
Longer term impacts
For many organisations, trust is a key factor for customers in remaining loyal. Trust as well in public sector organisations such as healthcare and local government is vital – so the degree to which “brand image” can suffer as a result of a publicised data breach should not be understated.
Whether or not the trust factor filters down to a negative impact on sales – from either new or repeat customers – will to a large extent be determined by the severity of the breach and how it is dealt with by the organisation affected.
The common reasons company data is at risk
The most common factors putting the security of company data at risk are the following:
1. Out-of-date software
Software that is ‘unpatched’ with updates and upgrades – which are designed to fix known vulnerability issues as well as provide functional improvements – is one of the most common causes of data breaches. Software and operating systems such as Microsoft Windows XP are targeted by hackers once they stop being supported by the vendor.
Best practice is to ensure that your software is always up to date with the latest version.
2. Lack of employee awareness
Email spam is a common way to get malware into an organisation. The unwitting email user who clicks on a link to go to an infected website, or who opens an innocent-looking attachment, is one of the most common targets and a good way into a business for a hacker.
Our advice is to ensure your employees are vigilant, aware of their responsibilities for guarding against taking malware on board, and know of the potential consequences.
3. Freeware security software
There are plenty of free and low quality security software applications, particularly anti-virus software. Many of these are simply not up to the job of protecting a professional organisation.
Always ensure that you implement the best security software that your organisation can afford.
4. Head in the sand mentality
As mentioned above, it’s not uncommon for even the most senior managers in an organisation to adopt an attitude that ‘it won’t happen to us’. Often this is because senior management do not always fully understand data risks or find network security technology intimidating or confusing.
As a result, they may sometimes not engage with security issues as a key priority – and because of this the network may be vulnerable.
Ideally, network security policy should be led – or at least sponsored – by the top-level management in the organisation.
5. Growing use of unsecured, employee-owned portable devices
Most business WiFi networks are designed to provide access to certain types of ‘permitted’ device such as laptops, whilst also allowing access for other devices e.g. those owned by visitors.
With employees commonly bringing in and using their own smartphones, tablets and laptops, the question facing business executives with IT responsibility is “how do we know what devices are on our network, and moreover how can we know that they are malware-free?”
It’s worth talking to an IT specialist to ensure your WiFi network is set up to allow the ‘good’ devices on to the network, whilst also keeping the ‘bad’ devices and their onboard viruses out.
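One practical starting point for the “what devices are on our network?” question above is a regular comparison of the devices holding a WiFi DHCP lease against an inventory of known company and visitor devices. The script below is an added example, not part of the original article or Alliance Solutions’ own tooling; it assumes the dnsmasq lease-file layout and uses constructed sample leases and a constructed allow-list.

```python
"""Flag unknown devices on a small-business WiFi network.

Added example: compares devices currently holding a DHCP lease against
an allow-list of known company and visitor devices, so anything
unrecognised can be investigated. All data below is constructed.
"""
import re

# Constructed sample in the dnsmasq lease-file layout:
# <expiry epoch> <MAC> <IP> <hostname> <client-id>
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.20 acct-laptop-03 *
1700000000 aa:bb:cc:00:00:02 192.168.1.21 reception-pc *
1700000000 de:ad:be:ef:00:01 192.168.1.77 android-8f2c1 *
1700000000 aa:bb:cc:00:00:03 192.168.1.22 visitor-tablet *
"""

# Constructed allow-list keyed by lower-case MAC address.
ALLOWED_DEVICES = {
    "aa:bb:cc:00:00:01": ("company", "acct-laptop-03"),
    "aa:bb:cc:00:00:02": ("company", "reception-pc"),
    "aa:bb:cc:00:00:03": ("visitor", "visitor-tablet"),
}

# expiry, MAC, IP, hostname; the client-id column is ignored.
LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)", re.I)


def parse_leases(text):
    """Return a list of (mac, ip, hostname) tuples from lease-file text."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            devices.append((m.group(2).lower(), m.group(3), m.group(4)))
    return devices


def find_unknown(leases, allowed):
    """Return the leased devices whose MAC address is not in the allow-list."""
    return [d for d in leases if d[0] not in allowed]


if __name__ == "__main__":
    for mac, ip, host in find_unknown(parse_leases(SAMPLE_LEASES), ALLOWED_DEVICES):
        print(f"UNKNOWN device {mac} at {ip} ({host}) - investigate before allowing")
```

A MAC-based allow-list is an inventory aid rather than an access control, since hardware addresses can be changed by the device owner; it tells you what to go and look at, and should sit alongside the per-device network access controls an IT specialist would set up.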
6. Use of unencrypted mobile storage
For very good business reasons (or just because it’s easy and convenient), data records may need to be stored in spreadsheets (or downloaded onto spreadsheets from a CRM database) and then transferred to a portable drive of some kind such as a USB stick.
In many organisations these portable data storage devices are not encrypted, which means if they are lost or stolen, the data they hold is compromised.
It may seem like an extra step to go through, but as any organisation that has suffered a data breach will tell you, it’s a small price to pay.
For more information about network security, or to discuss any aspect of your IT systems, contact Alliance Solutions on 0800 292 2100 or email firstname.lastname@example.org and ask us for a free IT Systems Audit.