Data Protection & Security
In 2018, the average cost of a data breach to a business in the U.S. was $7.91 million. That is near twice the average cost of a data breach in Canada, which is the country's second hardest hit by data breaches. In spite of a number of high-profile hacks, human error remains by far the #1 cause of most data breaches.
Sadly, the vast majority of multi-million dollar data breaches could actually be prevented by following some fairly simple protocols. Unfortunately, businesses often consider digital security to be the responsibility of the employee while employees consider it to be the responsibility of the business. In truth, it is the business' responsibility to not only establish proper security protocols but also to ensure they are actually being followed. Here are the top four causes of data breaches and how to prevent them.
- Physical loss or theft of devices: Laptops, tablets, and smartphones have become like skeleton keys that usher us smoothly past all manner of security features. In the right hands, they offer the perfect balance of convenience to the user and security to the many accounts they access. In the wrong hands, however, they become a massive threat to security. All devices have the ability to be at least password protected if not subject to a biometric scan, yet many people disable these basic security features because they find them annoying. Businesses have the ability to deny access to devices that do not use a password or biometric scan to unlock, but many do not enable these features.
- Insecure Passwords: Every year, Splashdata releases its top 100 list of the worst passwords culled from the dark web. In spite of countless warnings against such practices, the passwords "123456" and "password" continue to top the list the same way they have for most of the last decade. Unfortunately, businesses don't help much when they create long, complicated passwords for their employees that they change regularly. As a result, many employees write their passwords down and post them in some fairly conspicuous places such as on the bottom of their keyboard or pencil cup, in their top desk drawer or even worse, right on their monitor. Devices with biometric scanning are the best way to prevent the use of insecure passwords but only if the scan is actually activated.
- Social engineering and targeted phishing: A 2016 security report prepared by Checkpoint found that every hour, an average of 971 downloads of unknown malware occur. That means an employee is downloading unknown malware once every 4 seconds. Education is key, of course, but organizations also need to be using powerful filters to keep links to malware from ever reaching inboxes in the first place. While it occurs less often, some of the biggest data breaches have been the result of employees thinking they were sending files or sensitive data to their boss or other employees, only to realize they were actually responding to a cleverly disguised request from a complete outsider. While it may take a few extra seconds, employees should always check the entire email address of anyone they send files or information before sending it.
- Failure to update software or quickly apply security patches: Every time a software company releases an update, they are all-too-keenly aware of just how likely it is that there might be a security weakness that a hacker can exploit. Since most software manufacturers use beta-testers, that also means hackers have a chance to get their hands on early releases of the software to find those weaknesses. If they find one, then they know that as soon as the new version goes live publicly, they have an opportunity to exploit the vulnerability they found.
Zero-day threats are those that developers have either just been made aware of or they are already aware of but don't have a fix in place or a patch to offer. It basically means a threat that they have zero days to fix. The problem is, however, that once they do have a fix and release a patch or update, many businesses may wait days, weeks or even months to update their software and apply the patch. Every day that they wait is another day they are giving hackers to discover they have not yet applied the patch and exploit the weakness. One of the best ways to avoid this is to enable automatic updates. Then, as soon as a developer releases a security patch, you will know your system is protected.
While it may take an expert level hacker to break into the Pentagon, the truth is it takes significantly less skill to break into most business systems. In fact, more often than not, it is easier to simply obtain login credentials than to try and engage in a brute force attack. Multi-factor authentication is helping to thwart the use of stolen login credentials but only if it is enabled.
Ready for the next step?
Spot user behaviors and device information that’s suspicious, and stop those fraudsters in real time. We track billions of devices and our fraud analysts add evidence to make this intelligence even more effective.