In a 2021 study, researchers from Stanford University, together with the cybersecurity firm Tessian, found that approximately 88% of all data breaches are caused by employee error. The recent announcement of a major data breach by the Police Service of Northern Ireland (PSNI) in August 2023 has highlighted that human error is still a driving force behind the majority of cybersecurity incidents.
It is believed that a member of PSNI staff, while handling a routine Freedom of Information request about the distribution of officers and staff across the organisation's departments, made a straightforward error: the source data was mistakenly included in the response. This resulted in the unintended disclosure of the surnames, initials, ranks or grades, work locations and department affiliations of all serving officers and staff, which remained exposed for a limited period of up to three hours. The full impact is still being ascertained.
Data breach costs are rising
A data breach can mean financial loss and reputational damage on a scale from which some businesses may not recover. In 2022, the global average cost of a data breach reached $4.35 billion.
It is vital for companies to invest in robust cybersecurity strategies such as security training for employees and well-defined protocols for managing incidents to safeguard their interests. Steps such as these will mitigate the risk.
For those who fail to do so, the consequences can be financially devastating:
The fines for breaching data legislation and regulation can be severe. In the UK, for example, the Information Commissioner’s Office (ICO) can impose fines under General Data Protection Regulation (GDPR) of up to £20 million or 4% of global annual revenue. In 2019, British Airways was fined £20 million by the ICO for a data breach that exposed the personal data of around 400,000 customers.
Data breach victims can sue companies for negligence and seek compensation for financial losses, emotional distress, and other damages. In the US, Equifax faced numerous class-action lawsuits and ended up settling for nearly $700 million after a massive data breach in 2017 exposed the personal data of around 147 million individuals.
Data breaches can result in significant reputational damage, leading to loss of customer trust and loyalty. This can have long-term financial implications, as customers may choose to take their business elsewhere. Research has found that a third of customers in retail, finance and healthcare will stop doing business with organisations that have been breached. A breach can also affect share price and valuation. After a breach of Yahoo! was made public in 2016 – just before a takeover bid by the telecoms company Verizon – the original asking price fell by $350 million.
Containing a data breach can mean significant downtime, putting the business out of operation for days or weeks. Depending on the business, the cost could run into hundreds of thousands.
The best defence is a good offence
Fortunately, by developing a strong cybersecurity strategy, there is plenty companies can do to minimise the risk of a data breach and mitigate the consequences should one occur:
Risk assessment, patch management and testing
Review operations regularly to identify potential vulnerabilities within systems, networks, and processes and stay up to date on emerging threats and weaknesses.
While every business should have strong firewalls and intrusion detection/prevention systems in place, patch management is equally important. All operating systems, software and applications should be updated regularly to address new threats and vulnerabilities. More businesses are looking to a managed IT service for patch management to free their staff up to focus on business-critical IT projects. Time-consuming but crucially important security audits, vulnerability assessments and penetration tests can also be outsourced for enhanced protection.
Teams should stay informed on the data protection regulations relevant to their industry. Here too, a managed IT solution can help with compliance with regulations such as GDPR and HIPAA.
Data encryption and minimisation
Employ encryption for sensitive data both during storage and transmission. This makes it more difficult for unauthorised parties to access data even if a breach occurs. Only retain data that is necessary for business operations. The less data stored, the lower the risk of a breach exposing sensitive information.
Establish stringent access controls and user authentication policies. Use multi-factor authentication (MFA) to add an extra layer of security. Establish guidelines for secure mobile device use, including personal device policies, unified endpoint management (UEM), encryption, and remote wiping capabilities.
Employee security awareness training
More companies are realising that their people are the biggest cause of data breaches. The research body Cybersecurity Ventures forecasts that global spend on awareness training will exceed $5.56 billion in 2023. Yet 45% of employees feel they don't need to worry about cybersecurity because they don't work in the IT department. Security awareness training should be designed with a focus on social engineering, to help system users understand, identify and avoid cyber threats. By educating employees to recognise risky situations, they can make choices that avoid disastrous outcomes and prevent, or significantly mitigate, the harm a data breach can cause to the organisation.
Incident Response Plan
Develop a robust incident response plan outlining procedures to follow in case of a data breach. This plan should encompass communication strategies, containment, recovery, and notification procedures. Make sure you have a disaster recovery plan in place. Service providers such as DigitalWell offer back-up (BUaaS) and disaster recovery (DRaaS) solutions that can ensure minimum disruption to your business should the worst happen.
Foster a strong culture on cybersecurity
While no system can be entirely impervious to breaches, instilling a culture that is focussed on cybersecurity can reduce the risk of cyber threats. Use messaging that encourages active participation and that is relevant both to the company as a whole and to each employee in their individual role. Companies should aim to develop engaging content and measure its effectiveness with a risk scoring system that assesses the impact of training and provides insights for fine-tuning it.
Most importantly, training must be consistent with regular updates, as the threats out there are dynamic and constantly changing.
Protect your business from a data breach
Much like the spine provides crucial support to the body, employees serve as the backbone of any business. As witnessed in the PSNI incident, human error often forms the core of most cybersecurity incidents. When employees lack the knowledge and readiness to identify and effectively address potential breaches, the entire organisation’s stability is compromised. Cyber resilience is a collective responsibility, and it hinges on supporting and empowering the backbone of the business – its employees. Alongside robust technical safeguards, it is imperative that every employee receives comprehensive, up-to-date security awareness training and feels enabled to play a pivotal role in safeguarding the organisation.