How do data breaches happen? Understanding your organisation’s biggest threats

Data breaches are fast becoming a top priority for organisations. But it’s not only cyber criminals hacking your systems that you should be concerned about; there are many other ways your systems and information can be compromised.

Let’s go through the most common ways in which an organisation’s data can be breached and look at some examples of how it might happen.

1. Employee error

Employees are the weakest link in your data breach defences. Your organisation is just one click away from having its data and systems hijacked.

Incidents are often caused by forgetting to follow procedures and leaking information as a result. One example involves emails that are sent in bulk, with the recipients listed in the Cc field instead of the Bcc field.

The recipients can therefore see the email address of everyone else who received the message. That’s bad enough when it exposes the email address of someone who signed up to, say, a newsletter, but it’s disastrous if the email reveals something sensitive about the recipients, like their medical status or political affiliations.
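One control a mail administrator can put in front of this mistake is an outbound gateway check that refuses bulk messages whose recipients sit in To/Cc rather than Bcc. The following is an added example, not code from the original article; the organisation's domain (example.com), the threshold of five external recipients and the sample messages are all constructed assumptions.

```python
"""Outbound-mail guard: flag bulk messages whose recipients are exposed in To/Cc."""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}   # constructed: the organisation's own domain(s)
MAX_VISIBLE_EXTERNAL = 5             # assumed policy threshold


def visible_external_recipients(raw_message: str) -> list[str]:
    """Return external addresses that every recipient can see (To and Cc only).

    Bcc is deliberately ignored: a gateway strips it before delivery, so those
    addresses are never revealed to the other recipients.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addresses = [addr.lower() for _, addr in getaddresses(headers) if addr]
    return [a for a in addresses if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]


def should_block(raw_message: str) -> bool:
    """True when the message would expose a bulk list of external recipients."""
    return len(visible_external_recipients(raw_message)) > MAX_VISIBLE_EXTERNAL


# Constructed sample: a newsletter with the recipients wrongly placed in Cc.
CC_LEAK = """From: newsletter@example.com
To: newsletter@example.com
Cc: a@mail.test, b@mail.test, c@mail.test, d@mail.test, e@mail.test, f@mail.test
Subject: Clinic update

Body
"""

# The same mailing done correctly: recipients in Bcc, which the gateway strips.
BCC_OK = """From: newsletter@example.com
To: newsletter@example.com
Bcc: a@mail.test, b@mail.test, c@mail.test, d@mail.test, e@mail.test, f@mail.test
Subject: Clinic update

Body
"""

if __name__ == "__main__":
    print("CC_LEAK blocked:", should_block(CC_LEAK))  # True
    print("BCC_OK blocked:", should_block(BCC_OK))    # False
```

A real deployment would bounce the flagged message to the sender with an explanation rather than silently dropping it, so the sender learns to use Bcc.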

Employees might also be indirectly responsible for data breaches by committing mistakes that make it easier for miscreants to access sensitive information. Many security incidents are the result of employees failing to password-protect databases or install updates that fix known vulnerabilities.

2. Cyber attack

Criminals can target organisations in many ways, but their methods can be broadly broken down into three categories.

First, they can use exploits to access sensitive information. This includes the examples above, as well as things like brute-force password attacks, in which hackers visit a log-in page and use a tool that generates millions of passwords to look for the correct credentials.

Unless the account holder has a strong password, the tool will be able to break into their account in a matter of seconds.
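Brute-force attempts of this kind leave a distinctive trail in authentication logs: many failures against one account from one address in a short time. The detector below is an added example, not part of the original article; the log line format, the threshold (ten failures within sixty seconds) and the sample log lines are constructed assumptions.

```python
"""Flag (user, source IP) pairs with a burst of failed logins in constructed auth logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <source ip> login user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>\w+)$"
)
FAIL_THRESHOLD = 10            # assumed: failures that trigger an alert
WINDOW = timedelta(seconds=60)  # assumed: sliding window length


def parse(line: str):
    """Return (timestamp, ip, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]


def brute_force_candidates(lines) -> set:
    """Return the set of (user, ip) pairs with >= FAIL_THRESHOLD failures in any WINDOW."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] == "FAIL":
            failures[(rec[2], rec[1])].append(rec[0])

    flagged = set()
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most WINDOW seconds.
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                flagged.add(key)
                break
    return flagged


# Constructed sample: 12 rapid failures against alice, one ordinary typo by bob.
SAMPLE_LOG = [
    f"2024-01-01T09:00:{i:02d} 203.0.113.9 login user=alice result=FAIL" for i in range(12)
] + [
    "2024-01-01T09:05:00 198.51.100.4 login user=bob result=FAIL",
    "2024-01-01T09:05:30 198.51.100.4 login user=bob result=OK",
]

if __name__ == "__main__":
    print(brute_force_candidates(SAMPLE_LOG))  # {('alice', '203.0.113.9')}
```

The same window logic can be keyed on the IP alone to catch password spraying, where one source tries a few passwords against many accounts.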

The second type of cyber attack uses malware to gather sensitive information or cause business disruptions.

There are several types of malware, each designed for a specific purpose. Some operate in the background, collecting information about the individual’s browsing habits or leveraging the computer’s CPU to perform tasks on behalf of the hacker.

Others are more explicit, like viruses, adware and ransomware, which can delete files and corrupt systems.

The third type of cyber attack is social engineering, which is different enough from the other techniques to warrant its own discussion.

3. Social engineering

Social engineering is a type of attack in which criminals masquerade as a legitimate person or organisation. Depending on the method of attack, the miscreant will attempt to trick the user into:

  • Handing over sensitive data;
  • Downloading a malicious attachment; or
  • Giving them access to a restricted space (either login details or physical access to the organisation’s premises).

The most common form of social engineering is phishing. These are typically emails from supposedly legitimate organisations that contain urgent requests, generally about a problem with the organisation’s service delivery or the user’s login details.

Some emails contain links that direct users to a facsimile of the legitimate site, enabling the crooks to log the individual’s username and password. Others contain malicious attachments that infect the recipient’s computer with malware.

Although most phishing attacks are email messages, similar tactics are also common on social media and in text messages.

4. Unauthorised access

Social engineering isn’t the only way someone can steal information from inside your premises. For example, a not-so-ethical visitor to your office might be told to wait by someone’s desk, where they could view sensitive documents.

Although you should certainly be concerned about the public gaining unauthorised access to sensitive information, employees are far more likely to be responsible for such incidents.

Organisations store all manner of sensitive information, and much of it is only meant for select employees. Take payroll information for example, which should only be accessible to those who need it for their job (typically HR and relevant line managers).

But if the organisation doesn’t implement appropriate security controls, anyone in the organisation will be able to view that information. Even though the data didn’t leave the organisation, it’s still considered a data breach.

5. Ransomware

Ransomware is one of the fastest-growing cyber security threats, with almost 2.8 billion known unique forms. It’s a type of malware that encrypts files and blackmails the infected organisation into handing over money to receive the decryption key.

The threat of ransomware is so severe in part because almost every organisation is vulnerable. Even if networks are resilient, the malware is frequently planted in attachments in phishing emails, which often sneak past security mechanisms unnoticed.

More to the point, continual access to computer files is essential in many industries, so productivity grinds to a halt if employees can no longer view this information.

As such, many organisations feel compelled to give in to the criminals’ demands. However, this is rarely a good idea, because you can never trust that the fraudsters will keep their word and provide the decryption key. Even if they do, you’ve made yourself a target for future attacks.

You should instead make sure you regularly back up your data. If your systems are infected, you can wipe them and restore your systems.

The process can take anywhere from a few hours to a few days, but if you act fast, the delays won’t be any worse than if you were waiting for your files to be decrypted.

6. Malicious insider

As we’ve explained throughout this article, employees are a major security vulnerability. This doesn’t only include making mistakes that help fraudsters access sensitive information; they might actually be the crooks themselves.

Malicious insiders tend to be motivated by the same reasons as any other type of criminal:

  • Revenge: An employee who feels unappreciated or who has been laid off might hit back by sabotaging the organisation.
  • Financial gain: An employee desperate for money might email copies of databases to themselves to sell on the dark web.

7. Physical theft

Not all data breaches relate to digital information. Organisations also need to be concerned about physical theft – namely paper records and devices that provide access to sensitive information.

If paper records aren’t properly disposed of, they can easily end up in the wrong hands. A crook might catch on that you’re throwing documents away without shredding them and loiter by the bins.

Alternatively, records might fall out of the bin for anyone to see or sit in landfills waiting to be found.

Similarly, organisations need to take care when disposing of devices like computers and USB sticks. Unless everything is completely wiped, fraudsters and dumpster divers could stumble onto a wealth of sensitive data.

Physical theft can also occur when employees leave records and devices unattended in a public place. For example, they might turn their back on their bag while on a train or in a café, giving an opportunist crook the chance to swipe its contents.

Win the war against cyber crime

If you want to learn how to defend against each of these risks, enlist in Operation Cyber Secure. This five-week boot camp drills you on the essential steps you must take to prevent cyber attacks and data breaches.

By signing up, you’ll receive a free copy of the Cyber Security Combat Plan, which outlines the defence measures you should take to protect your organisation from cyber attacks.

You’ll also receive weekly emails that provide more information on the direction you should take to meet those steps.

Enlist now >>


A version of this blog was published on 17 October 2018.