Published Sep 29, 2022 by Xiph
The average cost of a data breach in Australia is $2.92 million, according to the IBM Cost of a Data Breach Report (2022). Data breaches are costly to recover from, both financially and reputationally. That's why it's critical for businesses big and small to have a data breach prevention plan in place.
What’s a data breach?
A data breach, also referred to as a 'data spill', is any event in which sensitive, confidential or otherwise protected data is stolen or accessed without authorisation. This can happen by accident or through a security breach that is the handiwork of hackers or other bad actors; the latter is classified as a cyber attack. Data breaches can affect individuals, small businesses, large organisations and even governments. Basically, any person or entity that collects and stores valuable information is at risk of a data spill.
What do hackers want from your business?
In the event of a cyber attack, hackers look for information or data that will net them a big payday. That's why the health sector remains the highest-reporting industry for data breaches, followed by finance, according to the latest Notifiable Data Breaches report from the Office of the Australian Information Commissioner (OAIC). Contact information, identity information and financial details continue to be the most common types of personal information involved in data breaches.
Businesses both large and small should take all available precautions to mitigate the risk of data spills. Some common information hackers would be looking to target include:
- Employee personally identifiable information (PII) like birthdates, driver's licence numbers, phone numbers, etc.
- Client names, email addresses, phone numbers and passwords.
- Sensitive information including political or religious beliefs, sexual orientation, trade union membership or associations, criminal records, etc.
- Banking information including financial documents, past transactions, bank accounts, credit card numbers, tax file numbers (TFN), etc.
- Healthcare information including patient numbers, policy numbers, diagnosis codes, billing information, etc.
- Storage and data server infrastructure information.
- Digital infrastructure and network information.
How data breaches happen
Contrary to popular belief, most data spills are not caused by sophisticated cyber threats. Data breaches are usually the result of human error, system faults or malicious attacks (or a combination of all three). Here's a brief breakdown of each.
- Human error: Lost, stolen, reused or easily guessed passwords; unintentional release or publication of personal information (for example, handing credentials to a phishing email); emailing confidential information to the wrong recipient; or loss of paperwork or a data storage device.
- System faults: Technology process errors, poor configuration management, inadequate encryption or data backup protocols, breaches at third-party suppliers that hold your data, etc.
- Malicious/cyber attack: System or network infiltration by phishing, malware (e.g. spyware, ransomware) or business email compromise, used to steal data sources and confidential information.
Why are small businesses more at risk of a data breach?
Small businesses are more at risk of a data breach because they're often an easier target than big corporations with better technology and security protocols in place. Large businesses are simply tougher to crack, so it's more profitable for hackers to seek the path of least resistance. Small businesses often lack the expertise and resources, including the time and money, to implement robust security protocols, which makes them much easier to hack. They're also often ill-equipped to detect a data breach in time, or to know what to do when one occurs. Lastly, small businesses tend to be complacent, thinking they're too small to be a target; automated attacks do not discriminate by company size.
Best practices to prevent a data breach
While there's no one-size-fits-all solution to prevent a data breach, there are tried-and-tested strategies businesses can implement to reduce their risks. Here are some best practices to follow to best protect your business from a data breach.
1. Have a cyber security plan tailored to your business
Enlist the help of a cyber security expert to identify your main threat vectors and attack surfaces, prioritise your assets and risks, and understand the standards and regulations that govern your business and industry. Start with the big picture and work down to the details. By the end, you should have a comprehensive roadmap for mitigating the cyber threats you face, together with a response plan for when a breach does occur.
2. Install reputable anti-virus software
Robust anti-virus (endpoint protection) software can protect business systems from common malicious attacks, such as worms, Trojans, ransomware and other malware, and most products also block known phishing sites. Installing it and keeping it up to date is a common-sense, inexpensive best practice that should be followed on all of your business systems and access points. Treat it as a baseline rather than a guarantee: anti-virus will not stop an attacker who simply logs in with a stolen password, so pair it with the other controls on this list.
3. Keep your security software and systems updated
Turn on automatic security patching for all applications, browsers and operating systems. Software providers continually release updates to fix newly discovered vulnerabilities, and attackers routinely scan the internet for systems still running the old versions. Routine updates across all business software and systems ensure that you have the latest defences; give priority to anything internet-facing, such as VPN gateways, firewalls, routers and web servers.
4. Use the 3-2-1 method of backup for business
Have a regular data backup routine to reduce your business' vulnerability to data loss, whether that's because of human error, hardware failure or a ransomware attack. Businesses should use the 3-2-1 method of backup: keep three copies of your data, on at least two different types of storage media (for example an external drive and a network storage device), with one copy held offsite, such as in cloud storage. Make sure at least one copy is offline or write-protected (immutable), because ransomware will encrypt any backup it can reach over the network, and test restoring from your backups regularly; a backup you have never restored is an assumption, not a plan. Have a comprehensive data backup and recovery plan to safeguard your business data and ensure continuity in the event of a data loss.
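The following is an added example, not Xiph's code or tooling, showing the verification step that a backup routine needs: every copy is checked against the source's SHA-256 when it is made, and re-checked later so a copy that has silently changed on disk (bit-rot, a ransomware infection reaching the drive) is caught before you rely on it. The file contents, directory names (`second-drive`, `offsite`, standing in for the second medium and the offsite copy) and the tampering step are constructed for the demonstration.

```python
"""Added example: hash-verified copies for a 3-2-1 backup routine.

Copies a file to several destination directories, verifies each copy against
the source's SHA-256 and reports any copy that does not match. Sample data
and paths are constructed for the demonstration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_and_verify(source: Path, destinations: list[Path]) -> dict[str, bool]:
    """Copy `source` into each destination directory and verify every copy by hash.

    Returns {destination: verified}. A False value means the copy is corrupt or
    incomplete and must be redone before it counts as one of the three copies.
    """
    expected = sha256_file(source)
    results: dict[str, bool] = {}
    for dest_dir in destinations:
        dest_dir.mkdir(parents=True, exist_ok=True)
        target = dest_dir / source.name
        shutil.copy2(source, target)  # copies content and preserves timestamps
        results[str(dest_dir)] = sha256_file(target) == expected
    return results


def verify_existing_copies(source: Path, destinations: list[Path]) -> dict[str, bool]:
    """Re-check copies made earlier: a backup that changed on disk is no longer a backup."""
    expected = sha256_file(source)
    return {
        str(d): (d / source.name).is_file() and sha256_file(d / source.name) == expected
        for d in destinations
    }


def run_demo() -> tuple[dict[str, bool], dict[str, bool]]:
    """Make two copies, tamper with one, and show the re-check catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "customers.csv"
        # Constructed sample data.
        source.write_text("id,email\n1,alice@example.com\n2,bob@example.com\n")
        local = root / "second-drive"   # stands in for the second storage medium
        offsite = root / "offsite"      # stands in for the offsite / cloud copy

        fresh = backup_and_verify(source, [local, offsite])

        # Simulate bit-rot or ransomware reaching the local copy: the file is truncated.
        (local / source.name).write_text("id,email\n1,alice@example.com\n")
        recheck = verify_existing_copies(source, [local, offsite])

        return (
            {Path(k).name: v for k, v in fresh.items()},
            {Path(k).name: v for k, v in recheck.items()},
        )


if __name__ == "__main__":
    fresh, recheck = run_demo()
    print("after backup:", fresh)
    print("on re-check: ", recheck)
```

Running the script shows both copies verified immediately after the backup, and the tampered local copy failing the later re-check while the offsite copy still passes. In production, schedule the re-check and alert on any False, and keep the offsite copy somewhere the backup job can write but not overwrite or delete.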
5. Conduct regular security training for employees
Humans are the weakest link in your cyber security plan, which is why it's essential to conduct simple, regular and easy-to-follow security training for all employees. This should include running phishing simulations, refreshers on IT security policies and processes, cyber security toolkits and checklists, and a clear, blame-free way for staff to report a suspected incident quickly.
6. Implement multi-factor authentication (MFA) for all system access
Strong passwords and good password management are an important minimum baseline, but even the best password practices can be defeated by a determined attacker, whether through phishing, credential-stuffing with passwords leaked elsewhere, or brute force. That's why MFA is essential: it is the single most effective control for preventing unauthorised access to online accounts and systems. Microsoft has reported that MFA blocks more than 99% of automated account compromise attacks. Not all MFA is equal, though: SMS codes and authenticator-app codes can still be phished by a convincing fake login page that relays them in real time, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys for administrators and other high-value accounts.
Read more: Your complete guide to password protection
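To make the MFA discussion concrete, here is an added example (not Xiph's code, and not tied to any particular product) of how the time-based one-time codes produced by authenticator apps work, per RFC 6238, and how a server should verify them. The secret is the RFC 4226/6238 test key so the outputs match the published test vectors; a real deployment generates a random secret per user. The verification routine shows the three details that are easy to get wrong: tolerating a little clock drift, comparing in constant time, and refusing a code that has already been used so a captured code cannot be replayed.

```python
"""Added example: generating and verifying TOTP codes (RFC 6238 over RFC 4226 HOTP)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" as base32).
# Use a random per-user secret in practice; this one is public.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(b32: str) -> bytes:
    """Authenticator apps display secrets as unpadded base32; restore padding and decode."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP over the number of `step`-second intervals since the Unix epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(
    secret: bytes,
    submitted: str,
    for_time: Optional[float] = None,
    last_counter: int = -1,
    window: int = 1,
    step: int = 30,
    digits: int = 6,
) -> Optional[int]:
    """Server-side check. Returns the counter that matched, or None on failure.

    - Accepts codes from +/- `window` steps to absorb clock drift.
    - Compares in constant time so response timing leaks nothing.
    - Rejects any counter <= last_counter: the caller stores the returned
      counter per user, which stops a captured code being replayed.
    """
    if for_time is None:
        for_time = time.time()
    current = int(for_time // step)
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    secret = decode_base32_secret(TEST_SECRET_B32)
    print("code at t=59:", totp(secret, 59))            # RFC vector: 287082
    print("verify at t=59:", verify_totp(secret, "287082", for_time=59))
    print("replayed:", verify_totp(secret, "287082", for_time=59, last_counter=1))
```

The RFC 6238 vectors give a quick self-check: at Unix time 59 the 6-digit code for the test secret is 287082 (94287082 with 8 digits). The replay guard is the part most home-grown implementations skip; without it, a phished code remains valid for the rest of its 30-second window plus the drift allowance.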
7. Use a firewall, proxy & VPN
Use a firewall to filter incoming and outgoing connections to your local network, a proxy server to control and log outbound web access, and a virtual private network (VPN) so that staff working remotely reach internal systems over an encrypted tunnel rather than by exposing those systems to the internet. Wireless networks deserve particular attention: far too often, small businesses run open or poorly protected Wi-Fi, which is an open door to criminals. Use WPA2 or WPA3 with a strong passphrase, and keep visitors on a separate guest network that cannot reach business systems.
8. Secure your physical business assets
Securing your data and digital assets like images, videos, and applications is just one part of the equation when it comes to cyber security. Ensure that all your physical assets are protected, including your business’ facility/location, and IT assets like computers, hard drives, routers, etc. Your business should have security measures in place to reduce the risk of harm to employees, data and physical assets.
How to check if your business data has been breached
If you suspect your business has been breached, treat it as a security incident immediately: preserve logs and other evidence, identify which systems and data were accessed, and contain the intrusion (for example by resetting compromised credentials and isolating affected machines). Then commission a security assessment to find the weakness that let the attacker in and to identify other vulnerabilities, whether from unpatched software, zero-day attacks, malware or targeted attacks by competitors, that could impact your business' continuity, reputation or bottom line.
Details of publicly known breaches may also be available at Have I Been Pwned (haveibeenpwned.com). This free resource lets anyone, individuals and businesses alike, search across a large collection of data breaches to see whether an email address or phone number appeared in one of them. Enter your email address or phone number to find out if you've been implicated in a known breach; its Pwned Passwords service does the same for passwords, without the password ever leaving your machine.
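As an added example (not Xiph's code, and not the Have I Been Pwned site's own), here is how a password can be checked against the Pwned Passwords service using its k-anonymity range API: only the first five hex characters of the password's SHA-1 are sent, the service returns every hash suffix in that range, and the match is made locally. The `https://api.pwnedpasswords.com/range/` endpoint and the `SUFFIX:COUNT` response format are the real ones; the sample response and its counts are constructed so the example runs offline, and the live lookup function assumes outbound HTTPS access.

```python
"""Added example: k-anonymity password check against HIBP's Pwned Passwords range API."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Each response line is 'SUFFIX:COUNT'; build a suffix -> breach count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches (0 means not found)."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup over HTTPS; assumes network access. Not used by the offline demo."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6 and its suffix
# is the middle line; the other suffixes and all counts are made up for the demo.
SAMPLE_RESPONSES = {
    "5BAA6": (
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000\r\n"
        "FEDCBA9876543210FEDCBA9876543210FED:1\r\n"
    ),
}


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live: unknown prefixes return an empty range."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, fetch_range_sample)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not in sample'}")
```

Swap `fetch_range_sample` for `fetch_range_live` to query the real service. A non-zero count means the password must not be used, however strong it looks, because attackers feed exactly these leaked lists into credential-stuffing tools.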
Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act 1988 (most businesses with an annual turnover above $3 million, plus some smaller ones such as health service providers) must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals of any eligible data breach, meaning one likely to result in serious harm, as soon as practicable. Not every incident is notifiable, but the assessment of whether it is must itself be done promptly, so your response plan should name who makes that call.
How to get started
The best way to mitigate the risk of a data breach or other cyber security incidents in your business is to have a cyber security plan that covers all your bases. Every business needs tailored security policies, procedures, and controls to protect themselves, their employees, and customers against cyber security breaches. For more information, contact us via email: [email protected].
Posted in: Security