Data Breaches: How They Affect Businesses
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and data spill. Incidents range from concerted attacks by black hats associated with organized crime, political activists or national governments to careless disposal of used computer equipment or data storage media.
The Investor Relations & Strategy Department researched “Data Breaches: How They Affect Businesses”. We hope that you will find this very helpful. Happy reading, and application to our business.
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
Cisco, a worldwide leader in IT and networking, recently published its tenth annual data breach report. The firm’s 2017 edition of its annual cyber-security report, entitled “Cyber-security Report: Chief Security Officers Reveal True Cost of Breaches And The Actions That Organizations Are Taking,” provides insights based on threat intelligence gathered by Cisco’s security experts, combined with input from nearly 3,000 Chief Security Officers (CSOs) and other security operations leaders from businesses in 13 countries.
Cisco noted that, according to its research, in 2016:
- More than 50 percent of organizations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention.
- For organizations that suffered a breach, the effect was substantial: 22% of breached organizations lost customers — 40% of them lost more than a fifth of their customer base. 29% lost revenue, with 38% of that group losing more than a fifth of their revenue. 23% of breached organizations lost business opportunities, with 42% of them losing more than a fifth of such opportunities.
- CSOs cite budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security postures. Security leaders also reveal that their security departments are increasingly complex environments with nearly two thirds of organizations using six or more security products – some with even more than 50! – increasing the potential for security effectiveness gaps and mistakes.
- Criminals are leveraging “classic” attack mechanisms – such as adware and email spam – in an effort to easily exploit the gaps that such complexity can create.
- Spam is now at a level not seen since 2010, and accounts for nearly two-thirds of all email — with eight to 10 percent of it being outright malicious. Global spam volume is rising, often spread by large and thriving botnets.
- Old-fashioned adware (that is, software that downloads advertising without users’ permission) continues to prove successful, infecting 75 percent of organizations polled.
- Just 56 percent of security alerts are investigated and less than half of legitimate alerts actually lead to problems being corrected. Defenders, while confident in their tools, are undermined by complexity and manpower challenges; criminals are exploiting the inability of organizations to handle all important security matters in a timely fashion.
- Twenty-seven percent of employee-introduced, third-party cloud applications, intended to open up new business opportunities and increase efficiencies, were categorized as high risk and created significant security concerns.
- On the positive side, 90% of organizations that experienced a breach in 2016 are improving threat defence technologies and processes after attacks by separating IT and security functions (38 percent), increasing security awareness training for employees (38 percent), and implementing risk mitigation techniques (37 percent).
Discussing the report, John N. Stewart, Cisco’s Senior Vice President and Chief Security and Trust Officer, noted that “In 2017, cyber is business, and business is cyber – that requires a different conversation, and very different outcomes. Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk. The 2017 Annual Cyber-Security Report demonstrates, and I hope justifies, answers to our struggles on budget, personnel, innovation and architecture.”
“This problem stems from the fact that businesses are keeping way too much information on publicly accessible networks. If the businesses would limit the available data to the outside world by not having it on a network that can be accessed from anywhere, then they wouldn’t have to spend millions on security and pay out billions in lawsuits. Technology is great, but you have to weigh the benefits against the proportional losses; if you don’t, then you get what you deserve. Until the technology can be managed safely, putting your whole company online is just not a smart move. Think about it.”
When it comes to cyber security and ever-evolving threats, it’s not “if” but “when”: threats will always be present and looking for soft targets in your organisation. New “fake” sites or “spoofs” designed to phish data from users and your organisation appear constantly.
Last year was a watershed year which saw unprecedented levels of security breaches ranging from hacks to data leaks. Attacks such as spear phishing are now more sophisticated. Disguised as personalised emails, they target specific individuals or businesses to collect sensitive information.
It’s time for businesses to adapt to the increasingly complex threat landscape, and go from passive security mechanisms to proactive processes. Start empowering your employees with enhanced security awareness for timely detection and response to potential security breaches.
What you need to know is that a data breach occurs when one or more individuals are allowed to read data that they are not authorized to access. Once they can read the data, they can steal it and often make changes to it. Depending on the type of data involved, the consequences can include destruction or corruption of databases, the leaking of confidential information, the theft of intellectual property and regulatory requirements to notify and possibly compensate those affected.
According to Bloomberg, data breaches in 2016 increased by 40 percent over 2015. The costs associated with such incidents can be very high and in some cases may threaten the ability of a company to continue in business. As a result, it becomes extremely important for businesses to identify the threats and reduce their exposure.
Data Breach Targets
Business data only becomes a target when it is of value to a third party. Different kinds of data are more or less valuable to third parties and represent different levels of risk to a business. The different types of data include the following:
Personally Identifiable Information. This includes data such as social security numbers, contact information, birth dates, education and other personal information.
Financial Information. This includes charge card numbers and expiry dates, bank accounts, investment details and similar data.
Health Information. This includes details on health conditions, prescription drugs, treatments and medical records.
Intellectual Property. This includes product drawings and manuals, specifications, scientific formulas, marketing texts and symbols, proprietary software and other material that the business has developed.
Competition Information. This includes data on competitors, market studies, pricing information and business plans.
Legal Information. This includes documentation on court cases the company may be pursuing, legal opinions on business practices, merger and acquisition details and regulatory rulings.
IT Security Data. This includes lists of user names and passwords, encryption keys, security strategies and network structure.
These types of information attract the attention of third parties for whom the data has value. Personal, financial and health information can be sold and used for marketing, fraud and identity theft. Intellectual property can be sold and used to develop products and services similar to those of your business. Competitive information can be sold and used by your competitors to block your plans and leaked legal information may damage your legal position. Data on IT security is a valuable target in itself because it lets the unauthorized parties gain access to all the other types of information on your system.
Data Breach Threats
Threats targeting the different types of data can come from your own employees, from suppliers and consultants who have access to your network and from individuals outside your organization. They can gain access to your data from inside your network, through external email accounts, through mobile devices and through the cloud if your business stores data there. Traditional perimeter protection is no longer enough to keep your data safe from these threats.
Data protection can fail against insiders. Disgruntled employees may decide to leak sensitive information. External individuals can use emails or malicious websites to install malware on employee computers and get user names and passwords that way. Employees of your cloud services supplier often have access to cloud data, and email accounts and mobile devices can be lost, hacked or compromised. In the face of such threats, companies have to identify the consequences of corresponding data breaches and find solutions that reduce their risks.
Data Breach Consequences
The consequences for businesses that experience data breaches are severe and increasing. This is mainly due to the increased regulatory burden for notification of the individuals whose data has been compromised. Notification requirements and penalties for businesses suffering a data breach differ by jurisdiction internationally.
Companies that experience a data breach involving customers have to establish where their customers reside and which regulatory authority has jurisdiction. Regulations define the type of data for which notification is required after a breach and they define who has to be notified, how the notification has to be carried out and whether specific authorities have to be notified. Typically breaches involving personal, financial and health data are subject to notification requirements but exact definitions vary for different jurisdictions. Companies doing business internationally may have customers in many jurisdictions and may have to comply with a variety of requirements. The costs of such a process together with legal penalties, possible compensation for damages and any resulting lawsuits can be high enough to constitute an existential threat to some companies.
Data breaches involving the other types of data can severely impact the reputation and business situation of a company. In addition to contractual obligations that may be impacted, the planned sale of a company could be put in question by a data breach, as recently happened with the Yahoo purchase by Verizon. If your competitors become familiar with your business strategies and are able to market products similar to yours at a lower price, your business might not survive.
The Dangerous Side of Data
Let’s look below at the twelve worst case scenarios that businesses could face from poor data management.
You could suffer a security breach or attack: Nearly half of all businesses in the US have reported at least one data breach or data breach attempt in the last year. The bigger your organization or company, the more data you will hold. Therefore, there is a higher risk that you may be targeted by cybercriminals attempting to compromise your data security. The possibility increases to 66% for medium-sized firms and 68% for large firms.
You could lose or compromise your customers’ data: In the infamous Equifax data breach, which most likely occurred between mid-May and July 2017, personally identifiable information belonging to around 800,000 UK consumers is believed to have been accessed by cyber-thieves. The scale and consequences of the Equifax security faux pas are enough to scare any business into dealing with sensitive information correctly.
You could put your employees’ data at risk: You’ve been warned over and over again that your employees’ behaviour can have a big impact on data security in your organization. Social engineering is one of the most common and effective ways of gaining unauthorized access to classified information. Recently, for example, a 15-year-old British teenager was able to gain access to intelligence information about operations in Afghanistan and Iran. How? By pretending to be the head of the CIA. Yet it’s worth remembering that security is a two-way street. Sensitive information about people in your company is just as valuable as your customers’ data, so security procedures and processes should be just as stringent for both employees’ and customers’ information.
You could suffer a DDoS attack: A DDoS attack is a distinctive type of malicious attack that takes down machines or whole network resources. It does so by temporarily or indefinitely disrupting the services of a host connected to the internet with an avalanche of superfluous requests. This, of course, has foreseeable financial consequences.
You could lose a lot of money: The majority of cyber-attacks concentrate on the insides of your wallet. It is forecast that by 2021, cybercrime damages will cost the world $6 Billion.
You could be operating against laws and regulations: Depending on the country, regulations or directives outline how companies and organizations should comply with data protection. Following these rules is crucial to help successfully avoid cyber-attacks and fines. In 2016, UK businesses were fined £3.2 Million in total for breaching data protection laws.
You could be putting your intellectual property or trade secrets at risk: When we talk about cybercrime, we usually picture huge financial loss and personal identity theft. However, anyone familiar with espionage will know that intellectual property is also under threat. In the UK, 20% of businesses admit they have experienced a breach resulting in material loss.
You could be hit with a virus: WannaCry, Storm Worm and Mydoom are just a few examples of weapons of software mass destruction that made it onto the list of vicious malware. According to research conducted by the UK Government’s National Cyber Security Program, 33% of all data breaches originate from intrusive or harmful software.
You could be targeted by hackers: Having the same or similar passwords for every email account and website may make things easier for you. However, weak passwords make you extremely vulnerable to attackers. It’s advisable to use a random password generator that will incorporate both upper and lower-case letters, as well as special characters, to increase your password security.
You could suffer damaging downtime: Businesses and organizations spend a lot of their time and money ensuring they remain visible and have a positive perception online. Unfortunately, once they are targeted by cybercriminals who use sophisticated systems to execute data attacks, that time and effort is worthless. It’s reported that an unplanned outage costs a business £6,000 per minute on average.
You could hurt your reputation: Most downturns for firms and organizations are usually caused by data breaches and cyber-attacks that could have been prevented. According to 90% of CEOs, striving to rebuild commercial trust among stakeholders after a breach is one of the most difficult tasks to achieve for any company – regardless of their revenue.
You could risk physical data loss: Over 70% of businesses involved in a major incident either do not reopen or fail within three years of an incident occurring. Remember to keep your infrastructure safe at all times to avoid being forced out of business by cyber-thieves.
Solutions to Reduce Risk
While you can keep your perimeter security and other protective measures in place, what you need in addition is a data-centric solution that allows you to tightly control who can read specific files and data sets. Encryption offers this kind of control but it has to be the right kind of encryption. If a specific file or email is encrypted properly, you can control who can read it at all times. Even if there is a data breach of your IT system and unauthorized individuals gain access to the data, they will not be able to read it and a data breach with respect to that data is avoided. Such an application can reduce your data breach risks to acceptable levels and protect your business from ruinously high data breach costs.