When people think of data breaches, they often imagine a tech-savvy criminal launching a sophisticated cyberattack from a dark room. However, the majority of breaches and other information security incidents are far less high-tech. Instead, they result from lost or stolen devices, lack of secure file sharing solutions, human error and practices that leave organizations fairly vulnerable to far simpler attacks.
Cybercriminals have a strong incentive to steal sensitive information. There's a lucrative black market for identification data, where criminals are willing to pay big bucks to gain the resources they need to steal identities. Even when there is no malicious intent and no thief takes advantage of the exposed data, breaches are incredibly costly for companies. When sensitive information is exposed, businesses must take appropriate steps to assess the situation, inform the affected parties and handle the PR and financial fallout. Therefore, it behooves them to guard against such situations as well as they can.
Data breaches continue to add up
Unfortunately, many companies are falling victim to breaches. A recent eSecurity Planet report highlighted a number of attacks in January 2014 alone, including:
- The city council in Burlington, Vt., accidentally published residents' Social Security numbers online.
- The U.S. Department of Veterans Affairs eBenefits site experienced a software defect that gave visitors access to other users' personal information.
- Orient-Express Hotels exposed customers' identification and credit card information when a hacker accessed email accounts.
- A laptop at Barry University's Foot and Ankle Institute was infected with malware, giving criminals access to protected health information.
- A temporary employee for the City of Sumner, Wash., forwarded sensitive information on her personal email account.
- An unencrypted laptop was stolen from Barnabas Health, potentially exposing patients' health information.
- Coca-Cola also had unencrypted laptops stolen, compromising 74,000 employees' information.
- An unencrypted computer was wrongly discarded at the Phoebe Putney Memorial Hospital in Georgia, making nearly 7,000 patients' personal information vulnerable.
As this list reveals, sensitive information can be exposed in a wide variety of ways. Often, it happens when portable devices go missing or employees fail to follow best practices for secure file sharing or maintaining protection on their devices and accounts.
Implementing stronger security
No security plan is a 100 percent guarantee against data breaches, but there's a lot that companies can do to protect themselves against accidents and criminal activity. In terms of infrastructure, basic network upkeep is crucial, including antivirus and anti-malware protection on company machines. It's also important to train employees about the dangers of data breaches, hold them to best practices and provide them with secure file transfer and collaboration tools to make it easier for them to work within secure environments.
According to the Ponemon Institute's Patient Privacy and Data Security Study, human error and negligence continue to serve as the biggest sources of healthcare breaches. The problem cuts across industries and is often rooted in ignorance and in human nature's inclination to take shortcuts for the sake of convenience, even at higher risk.
"People don't realize how having a person's device, even a cell phone, can really break the security of a whole company," Giovanni Vigna, CTO of Lastline, told eSecurity Planet. "You have to understand that if somebody is NSA-level motivated to break into your company, they will… but you can do a lot to prevent the generic, opportunistic attack of the guy who just steals a laptop."
In order for any secure file sharing program to be effective, it has to provide both comprehensive security and the ease of use necessary to gain employee adoption. In other words, organizations should consider solutions that remove many of the manual steps for good data practices, allowing employees to easily complete their workflows without tempting them to slack on security or use consumer-grade shortcuts.