Data breaches – and the often tremendously damaging consequences – are an unfortunate reality for every business operating today. Yet, South African companies aren’t taking the threat seriously.
The recent attack on the SAPS website, which has publicly exposed the details of thousands of police whistle-blowers, is a case in point. But not all data breaches are as dramatic, or as publicized, as those which involve the loss of large volumes of customer-related information such as banking details, medical data or contact information.
A data breach is a security incident where sensitive, protected, valuable or confidential information is copied, transmitted, viewed or stolen by someone who is unauthorized to do so. Data breaches can involve financial information such as credit card details, personal information, trade secrets, customer information, and intellectual property.
So, a data breach can amount to an employee stealing customer contact details or other important information from an employer before leaving to start their own business or moving to a competitor business.
Companies of all shapes and sizes regularly fall prey, and smaller businesses do so with increasing frequency. Statistics from a leading global IT security vendor show that breaches at small and medium-sized businesses (with between one and 250 employees) increased from 18% of all breaches in 2011 to 31% in 2012.
One of the reasons why attackers are targeting smaller organizations could be that they are often less well-protected than larger companies.
“Data breaches, industrial espionage, identity theft and cyber warfare aren’t just the stuff that movies are made of anymore. They’re the scourge of our highly-connected times. Whether the work of hackers, insiders or by mistake, data breaches are more common than people think,” says Richard Broeke, sales manager at Securicom, a specialist provider of managed IT security services.
Broeke says even small breaches can be damaging to a business.
“The loss of sensitive or confidential information can lead to financial losses, penalties and reputational damage. If a data breach results in identity theft or a violation of government or industry compliance regulations, a business could face fines or other civil or criminal prosecution.
“Of course, any loss of critical or confidential business information is a significant concern for any business. A company’s intellectual property is extremely valuable, from customer information and trade secrets to processes and knowledge.”
In 2012, the vast majority of reported data breaches were due to attacks by outsiders – as was the case with the SAPS incident. Most deliberate data breaches by outsiders target customer and financial information because it can be used for fraud. In other instances, the aim is to steal trade information or to bring an organization into disrepute.
However, human error and systems glitches caused nearly two thirds of data breaches globally (2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec, June 2013).
Broeke says that the insider threat is one that companies shouldn’t underestimate.
“Stolen laptops, lost memory sticks, and deliberate data theft by disgruntled employees are a major concern for businesses. The risk of information landing in the wrong hands as a result of unprotected and unmanaged mobile devices is also high.
“The problem is that companies don’t believe a data breach can happen to them and they don’t understand the risks or the potential consequences. Companies that suffer data breaches can incur costs across the board, from the cost of containing the breach, to potential litigation, loss of customers, reputational damage and fines.
“All companies need to step up their data loss prevention and data protection strategies, particularly with the Protection of Personal Information Bill soon to be implemented in South Africa. Companies face stiff fines, and board members could be held personally liable for not taking adequate steps to safeguard critical business and confidential information,” says Broeke.
He says companies can dramatically reduce the risk of data breaches with the implementation of effective data loss protection software on their networks and by encrypting data in transit, both online and via removable storage devices such as USBs and mobile devices.
“Security mechanisms must be built into all layers of infrastructure and, depending on the specific environment and business requirements, specialised software such as content filtering, web filtering, data loss prevention and intrusion protection technologies should be installed.
“To protect against intentional or erroneous data breaches by employees, companies should put in place measures to limit or control the use of peripheral devices on company computers, as well as mechanisms to control which applications and business information certain levels of employees are permitted to access.
“Employee education is also key. Employees should be educated on the risks of social engineering, and understand the consequences of a data breach,” advises Broeke.