When you think of data breaches, you may well picture hackers infecting an organisation’s systems and stealing files. But that’s only one of six common ways a data breach can occur.
The ICO (Information Commissioner’s Office) defines a breach as the “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.”
This blog explains each of these scenarios, offers examples and provides advice for managing them.
Let’s get the obvious one out of the way. Crooks can attack organisations in multiple ways, but they rarely target specific companies, instead exploiting vulnerabilities wherever they can. The most common techniques are malware infection, ransomware and phishing.
Cyber criminals do occasionally target specific organisations. This is usually because the attack is more sophisticated, such as whaling, or politically motivated, as is often the case with DoS (denial-of-service) attacks.
Not all data breaches involve computer systems being compromised. Crooks are also liable to steal whatever the data is held on. This could be as simple as grabbing someone’s bag when they’re not looking, or as complex as blagging their way into your premises and accessing paper records or a company computer.
Staff often need to access huge amounts of information in order to do their job, and it’s all too easy for that information to be misused – either deliberately or accidentally.
Employees are liable to breach data if they are disgruntled. Perhaps they were passed over for a promotion or were recently fired and still have access to the organisation’s systems. Maybe they simply need money and think the answer is to sell data on the dark web.
Technically, you can suffer a data breach even if information isn’t misused. That’s because information is considered breached when its confidentiality is compromised – in other words, when someone who shouldn’t see it does.
To use our example of a criminal breaking into an organisation to access paper records, a breach has still occurred even if someone walks in and stops the miscreant as they’re rifling through your files. However, this scenario is rare. Unauthorised access is much more likely to occur when an employee has been given inappropriate access rights, allowing them to view information that isn’t necessary for their job.
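The last point is the one a periodic access review is designed to catch. As an added example (not code from the original post), here is a small Python script that compares what each account has actually been granted against a baseline of what its job role needs, flags the excess, and shows an authorisation check that refuses to honour grants outside the baseline. The roles, permissions and accounts are constructed for illustration; a real review would pull grants from your identity provider or application database.

```python
"""Access-rights review for least privilege.

Added example, not code from the original post. The roles, permissions and
accounts below are constructed for illustration; a real review would pull
grants from your identity provider or application database.
"""
from dataclasses import dataclass, field

# Constructed baseline: the permissions each job role actually needs.
ROLE_BASELINE = {
    "support_agent": {"customers:read_contact"},
    "finance_clerk": {"customers:read_contact", "invoices:read", "invoices:write"},
    "hr_officer": {"employees:read", "employees:write"},
}


@dataclass
class Account:
    username: str
    role: str
    granted: set = field(default_factory=set)  # permissions actually assigned


def excess_permissions(account):
    """Permissions granted to the account beyond what its role needs."""
    return account.granted - ROLE_BASELINE.get(account.role, set())


def is_permitted(account, permission):
    """Authorisation check that enforces the role baseline.

    A permission is allowed only if it is both granted to the account and
    part of the role's baseline, so a stray over-broad grant does not by
    itself open access.
    """
    return permission in account.granted and permission in ROLE_BASELINE.get(account.role, set())


def review_accounts(accounts):
    """Report over-provisioned accounts: username -> sorted excess permissions."""
    report = {}
    for account in accounts:
        excess = excess_permissions(account)
        if excess:
            report[account.username] = sorted(excess)
    return report


# Constructed sample accounts: "erin" has been given HR data access she does
# not need for a support role; the others match their role baselines.
SAMPLE_ACCOUNTS = [
    Account("alice", "support_agent", {"customers:read_contact"}),
    Account("bob", "finance_clerk", {"customers:read_contact", "invoices:read", "invoices:write"}),
    Account("erin", "support_agent", {"customers:read_contact", "employees:read"}),
]

if __name__ == "__main__":
    for user, excess in review_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: remove {', '.join(excess)}")
```

Running it lists erin with the stray `employees:read` grant, which is exactly the kind of inappropriate access right the paragraph describes. Keeping the baseline separate from the grants means the review can be repeated every time roles or staff change.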
Accidental destruction or disclosure
Organisations can also compromise data by accidentally destroying or disclosing it.
Destruction can happen in one of two ways. The first involves technological problems: for example, systems could die before the organisation has had a chance to save data, or files could be corrupted with no backups available.
The second involves human error: an employee tasked with removing information that the organisation no longer needs – as required by the EU GDPR (General Data Protection Regulation) – might delete a file only to realise that it should have been kept.
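One way to make that second kind of mistake recoverable is to never hard-delete straight away. As an added example (not code from the original post), the Python below implements a soft delete that refuses to remove records still inside their retention period or under legal hold, parks everything else in a recycle area for a recovery window, and only purges once that window has passed. The record layout, the 30-day window and the sample dates are constructed assumptions.

```python
"""Soft delete with a retention guard and a recovery window.

Added example, not code from the original post. The record layout, the
30-day recovery window and the sample dates are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    record_id: str
    retain_until: date        # earliest date the retention policy allows deletion
    legal_hold: bool = False  # set when the record must not be destroyed at all


class RecordStore:
    RECOVERY_WINDOW = timedelta(days=30)  # assumption: how long a deletion can be undone

    def __init__(self, today):
        self.today = today
        self.live = {}     # record_id -> Record
        self.recycle = {}  # record_id -> (Record, purge_on)

    def add(self, record):
        self.live[record.record_id] = record

    def delete(self, record_id):
        """Move a record to the recycle area instead of destroying it outright."""
        record = self.live[record_id]
        if record.legal_hold:
            raise PermissionError(f"{record_id} is under legal hold")
        if record.retain_until > self.today:
            raise PermissionError(f"{record_id} must be kept until {record.retain_until}")
        self.recycle[record_id] = (record, self.today + self.RECOVERY_WINDOW)
        del self.live[record_id]

    def restore(self, record_id):
        """Undo a deletion made within the recovery window."""
        record, _ = self.recycle.pop(record_id)
        self.live[record_id] = record

    def purge_expired(self):
        """Permanently remove recycled records whose recovery window has passed."""
        expired = [rid for rid, (_, purge_on) in self.recycle.items() if purge_on <= self.today]
        for rid in expired:
            del self.recycle[rid]
        return sorted(expired)


def demo():
    """Walk through a guarded delete, a restore and a purge on constructed data."""
    store = RecordStore(today=date(2024, 6, 1))
    store.add(Record("inv-001", retain_until=date(2023, 12, 31)))  # retention expired
    store.add(Record("inv-002", retain_until=date(2030, 12, 31)))  # still within retention
    store.add(Record("inv-003", retain_until=date(2023, 1, 1), legal_hold=True))
    store.delete("inv-001")
    blocked = []
    for rid in ("inv-002", "inv-003"):
        try:
            store.delete(rid)
        except PermissionError:
            blocked.append(rid)
    store.restore("inv-001")  # the deletion turned out to be a mistake
    store.delete("inv-001")   # and is made again on purpose
    store.today += timedelta(days=31)
    purged = store.purge_expired()
    return {"blocked": blocked, "purged": purged, "live": sorted(store.live)}


if __name__ == "__main__":
    print(demo())
```

The guard in `delete` is what stops the GDPR-driven clean-up from removing something that still has to be kept, and the recycle area is what turns "I deleted the wrong file" from a destruction breach into a quick restore.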
Accidental disclosure is also the result of human error. It usually occurs when organisations misconfigure databases hosted in the cloud, making them viewable by anyone.
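This is the kind of misconfiguration that a simple automated check can catch before anyone outside the organisation does. As an added example (not code from the original post), the Python below inspects a storage access policy for statements that let anyone read data, and shows a weak policy next to its corrected form. The policy documents are constructed and modelled on the JSON statement style used by cloud object stores; the account id and role name in the corrected policy are placeholders, and the check is a deliberately simplified first pass rather than a full policy evaluator.

```python
"""Detect storage policies that make data readable by anyone.

Added example, not code from the original post. The policy documents are
constructed and modelled on the JSON statement style used by cloud object
stores; the check is a simplified first pass, not a full policy evaluator.
"""
import json

# Actions that let a principal read data out of the store (constructed subset).
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    """Normalise the single-value and list forms a policy may use."""
    if isinstance(value, (str, dict)):
        return [value]
    return list(value or [])


def _is_anyone(principal):
    """True if the statement's Principal means 'anyone' (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_findings(policy_json):
    """Return one finding per Allow statement that grants read access to anyone.

    Statements carrying a Condition are still reported, but flagged so a
    reviewer can confirm whether the condition actually limits access.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow" or not _is_anyone(statement.get("Principal")):
            continue
        exposed = sorted(set(_as_list(statement.get("Action"))) & READ_ACTIONS)
        if exposed:
            findings.append({
                "statement": index,
                "actions": exposed,
                "conditioned": "Condition" in statement,
            })
    return findings


# Constructed weak policy: anyone on the internet can fetch every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-db-exports/*",
    }],
})

# Constructed corrected policy: reads limited to one application role
# (placeholder account id and role name).
CORRECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/EXAMPLE-app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-db-exports/*",
    }],
})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name, public_read_findings(policy) or "no public read access")
```

The weak policy produces one finding and the corrected one produces none. Because the check only looks at the policy document, it should sit alongside whatever account-level "block public access" setting your provider offers rather than replace it.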
Finally, we come to the most insidious form of data breach: alteration. This is where someone changes information on an organisation’s system – such as editing someone’s email address or name.
This could happen accidentally or deliberately, but both are rare. An accidental alteration will likely involve an employee updating a file and grabbing the wrong record or entering information incorrectly.
Deliberate alteration will only happen when someone is trying to sabotage an organisation. There is unlikely to be any personal gain to be had from altering information, but it could lead to embarrassing mix-ups that could compound a data breach.
Are you prepared for a data breach?
We wish there were some product or piece of advice we could give you to eradicate each of these threats, but unfortunately data breaches are inevitable. You can certainly mitigate the risk with the help of ISO 27001, the international standard for information security, but you also need to be prepared to react when even the best defences aren’t good enough.
Take our free quiz to find out whether you’re prepared for a data breach and receive a free personalised report on how #BreachReady you are. We’ll give you a detailed summary of your answers and offer information and advice on the next steps to take to make sure you’re prepared.