In today’s business landscape, digital information has developed into an extremely valuable business commodity. From unlocking strategic insights to empowering better operational efficiency, data helps businesses perform at their very best, and as such, businesses today process a far greater quantity of it than ever before.
While data can reveal new opportunities for businesses, it also gives rise to new risks that organisations need to be able to recognise and mitigate. Data is not only valuable to the businesses that handle it, but to cybercriminal actors who seek to exploit it for their malicious endeavours. Privacy risks also arise when businesses fail to govern the data in their control effectively, leading to sensitive information leaking out beyond organisational control. Taking action to minimise these risks is a tactical imperative for any business seeking to grow and maintain the confidence of its customers in today’s data-heavy business landscape.
Solution Consultants – IT Support, Cloud and Connectivity Solutions for Reading Businesses
Since 2009, Solution Consultants have been helping businesses across Reading, Berkshire and the wider region operate efficiently and securely using technology. As a security-first IT provider, our managed services are designed to help our clients defend their information assets against loss or destruction, with class-leading tools that combine to counter data risks wherever they are present.
In this short blog series, we want to explain the concept of data loss, explain why it’s something all businesses need to proactively guard against, and provide actionable steps you can use to defend against data risks. First, let’s start with the basics…
What is Data Loss?
Data loss refers to any form of data mishandling that results in information being lost, stolen, corrupted, made inaccessible, accidentally altered or deleted, or simply viewed by an unauthorised person or party.
It’s important to recognise that data loss can occur due to both external factors (threats or circumstances originating from outside an organisation) and internal factors (risky practices, negligence and even deliberate threats that emanate from within an organisation).
Why is Preventing Data Loss So Important?
Data loss incidents can have profound and far-reaching consequences for businesses. While it’s usually only breaches involving large enterprises that make front page news, the fallout from a data loss incident can be equally disastrous for SMEs, many of which lack robust policies and mechanisms to safeguard sensitive information. Here are just a few outcomes that can result from a careless approach to data loss prevention:
Legal and Regulatory Consequences
Under UK GDPR, businesses are legally obligated to take measures to ensure the integrity, confidentiality and availability of personal information within their control.
Sections of the GDPR that set forth these obligations include the following:
Article 5 – Principles relating to processing of personal data, paragraph 1(f):
“personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 32 – Security of Processing, paragraph 1:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
GDPR advocates a proactive and risk-based approach to mitigating risks to data, such as adopting a ‘privacy-by-design’ strategy when developing new data processes and undertaking frequent risk assessments.
Organisations that fail to uphold these obligations can face fines of up to £17.5 million or 4% of global turnover, imposed by the Information Commissioner’s Office (ICO). Failure to prevent data loss can also result in severe legal consequences:
Civil Lawsuits. Aggrieved data subjects may take legal action against the offending company. This could involve seeking compensation for financial losses or for emotional distress.
Breach of Contract. A data loss incident could represent a breach of contract, which could give the affected data subject grounds to pursue legal action for compensation.
Class Action Lawsuits. If a data loss incident affects a large group of people, a class action lawsuit may be mounted against the organisation liable. This can have a severe financial impact on the organisation in question, due to the potential for multiple, high-value pay-outs.
Reputational Damage
Data loss incidents can erode the trust of all stakeholders in a business, including its customers, partners, suppliers, vendors and the wider community. Reputational damage can linger long after the event, resulting in loss of custom and difficulties in generating new business.
Financial and Operational Impacts
A data breach itself can have immediate effects that are detrimental to a business both financially and operationally.
For instance, an incident may have an immediate financial impact, with costs incurred in conducting a post-incident investigation, notifying and compensating affected parties, implementing corrective security measures, and managing public relations.
Depending on the nature of the breach, there may also be a significant operational impact, which in turn could affect the organisation’s revenue streams. Ransomware, for instance, could disrupt service delivery if critical data is rendered inaccessible by encryption. The post-incident response could also divert staff away from their normal duties, resulting in reduced productivity and service delivery delays.
Loss of Intellectual Property (IP)
A data loss incident could result in valuable company secrets or IP falling into the hands of a cybercriminal actor or a rival company. This could place the affected company at a competitive disadvantage in the marketplace, and result in costs through time and effort spent recouping or recreating lost assets.
Identifying the Data Loss Vulnerabilities in Your Business
A range of factors can contribute to heightened data loss risks. Identifying where these factors exist within your business forms a vital first step in constructing a comprehensive data loss prevention strategy. Consider whether the following practices and circumstances could be putting information at risk in your business:
Insider Threats
Insider threats refer to data risks that originate from persons within your business, or those granted access to your digital infrastructure, including employees, contractors or business partners. Insider threats can be intentional or unintentional.
An intentional insider threat could take the form of a resentful employee exacting revenge by conducting sabotage, a malicious insider selling sensitive information to a third party, or an unscrupulous employee using information for their own personal gain.
Unintentional insider threats typically arise from carelessness, negligence, or poor cyber security awareness. An unintentional threat might include sensitive information being accidentally shared with a competitor, an employee unknowingly downloading malicious software from an untrusted source, or an employee falling victim to a phishing attack.
Phishing
Phishing is the single most common form of cyber threat UK businesses face, with a 2023 UK government study finding that 89% of businesses had identified an attempted phishing attack in the preceding 12-month period.
Phishing attacks employ deception and manipulation, with scammers using a range of tactics to convince their victim to either share sensitive information, execute a direct payment, or download a malware payload onto their system. Phishing attacks can escalate into data loss incidents through a number of mechanisms:
Credential Theft. Phishing attackers often dupe users into disclosing account login credentials by impersonating trusted individuals or parties. Alternatively, a phishing email may direct users to a rogue website where attackers harvest credentials via fake login pages. Once divulged, these credentials can grant attackers unrestricted access to accounts and sensitive data.
Data Exfiltration. A cybercriminal may send emails to a target containing a direct appeal for sensitive information. Once obtained, the attacker may use the information to launch a future cyber-attack against the business or sell it on the dark web.
Malware Injection. Malware-laden attachments contained within phishing emails can be used as the delivery mechanism for harmful code. Malware programmes such as keyloggers can record user inputs in order to steal sensitive information such as account logins, banking details and company secrets.
Ransomware. Phishing emails containing ransomware have the ability to paralyse business systems and encrypt vital information, making it inaccessible and unusable. Attackers promise to restore access upon receiving a payment, but payment is no guarantee that files will be decrypted.
Business Email Compromise (BEC). Business email compromise is a potent and sophisticated form of phishing attack, whereby a fraudster infiltrates a corporate email service and impersonates a senior executive, trusted person, or entity with close ties to the business. The attacker may then request sensitive information, intellectual property or a payment.
Weak Identity and Access Management Practices
Poor access management and weak user authentication practices can significantly amplify data loss risks. Here’s how:
Weak User Authentication
Relying solely on the use of passwords for authentication can make accounts vulnerable to hacking via ‘brute force’ methods. Using readily available hacking tools, criminals can force their way into accounts and steal the sensitive information held within.
Excessive Permissions and Privileges
Affording users unnecessary administrative privileges, or access to information beyond what’s required for them to do their job, can result in unauthorised access to sensitive data. Additionally, such an account could be leveraged to damaging effect if it were to fall into the hands of a bad actor.
Insufficient Monitoring
The inability to monitor access attempts and user behaviours can make it difficult to spot and investigate illicit access activity in a timely manner. Without adequate checks and balances, unauthorised activity may not be detected until it’s too late and the damage is already done.
Weak Passwords
Short, easily guessable passwords make accounts vulnerable to malicious takeover by criminals, who are often armed with effective password cracking tools. Password reuse also increases the risk of account compromise, as a cybercriminal is able to gain access to multiple accounts using just a single set of stolen credentials.
IT Misconfigurations
Errors in the configuration of software and operating systems can lead to vulnerabilities and weaknesses that increase the risk of data compromise. Here are some of the ways IT misconfigurations can serve as pathways to data loss incidents:
Exposure of Sensitive Data
Misconfigured access controls, privileges and authentication mechanisms can expose sensitive information to unauthorised individuals or parties. Insufficient use of encryption, or the inconsistent application of sharing restrictions, can expose data to malicious interception and allow it to be distributed to and downloaded by those it’s not intended for.
Data Integrity Issues
The accuracy and consistency of data can come under threat if databases and other systems are not configured correctly. Such systems should be configured to prevent unintended data replication and other risks to data integrity.
Accidental Deletion or Alteration
Absent or poorly configured backup and recovery systems can make it challenging or impossible to recover data following unintentional deletion. Poorly configured storage management settings can permit unsanctioned editing, which can compromise the accuracy of information, and subsequently its value.
From litigation and regulatory penalties to reputational harm and revenue loss, data loss incidents can adversely impact businesses, with consequences that can be challenging to recover from. Building an effective strategy to counter data threats starts by assessing the lie of the land: identifying the greatest security weaknesses in your environment and the most acute vulnerabilities in your data handling activities.
Stay tuned for our next blog, where we’ll showcase the steps businesses can take to ensure robust information governance and effectively mitigate both internal and external data threats.
Solution Consultants – Superlative IT Services for Reading and Berkshire Businesses
Based in Reading, Solution Consultants offers tailored IT services and futureproof solutions to help businesses overcome their greatest obstacles to operational success. We work closely with our clients to understand their IT pain points, and support them in their digital journey with solutions that deliver tangible business value. Get in touch with us today for a friendly, no-obligation chat about your tech challenges, and together we can make IT propel the success of your business.