Getting to know your data breaches
People make mistakes all the time, but the worst one I've ever seen was bad access control, which meant that anybody could find anything on any employee. Obviously that information should only be available to HR. Losing data or not disposing of it correctly is also a data breach, even if it hasn’t led to any negative consequences.
One data breach I see on a regular basis is where someone accidentally uses the CC field instead of the BCC field when they're sending an email. That means that if you email 100 people at once using the CC field, all the other people in that email thread are going to get the same email and, of course, the same email addresses will be on show.
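The CC-versus-BCC mistake above is easy to guard against in any system that sends bulk email on staff's behalf. The following is an added example, not code from the original article: a small Python helper that builds the message with recipients only in Bcc, plus a pre-send check that flags a message whose To/Cc headers expose more addresses than a threshold. The 100 recipient addresses are constructed sample data, and the visible-recipient limit of 5 is an assumption chosen for illustration.

```python
"""Guard against exposing recipient addresses when mailing many people.

Added example (hypothetical helpers): build a bulk message so recipient
addresses are never visible to each other, and audit a message before send.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for this example: 100 fake recipients.
SAMPLE_RECIPIENTS = [f"user{i}@example.invalid" for i in range(100)]
SAMPLE_SENDER = "it@example.invalid"

# Assumed policy threshold: more visible addresses than this is treated as
# bulk mail that must go out via Bcc.
MAX_VISIBLE_RECIPIENTS = 5


def build_bulk_message(sender, recipients, subject, body):
    """Build a message whose recipients appear only in Bcc.

    To is set to the sender, so the headers every recipient can read reveal
    no other recipient. smtplib.send_message() strips the Bcc header before
    transmission, so the addresses are used for delivery but never shown.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def build_cc_message(sender, recipients, subject, body):
    """The mistake the text describes: every recipient placed in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Cc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Return the addresses any recipient can read from the delivered headers."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Return a list of problems; an empty list means the message is safe to send."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        problems.append(
            f"{len(visible)} addresses are visible in To/Cc "
            f"(limit {max_visible}); move them to Bcc"
        )
    return problems


if __name__ == "__main__":
    good = build_bulk_message(SAMPLE_SENDER, SAMPLE_RECIPIENTS, "Notice", "Hello")
    bad = build_cc_message(SAMPLE_SENDER, SAMPLE_RECIPIENTS, "Notice", "Hello")
    print("bulk message problems:", check_before_send(good))
    print("cc message problems:", check_before_send(bad))
```

Wire `check_before_send` into whatever sends mail and refuse to send when it returns problems; that turns the "double check before hitting send" advice into an automatic control rather than a habit.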
Another common data breach is where databases are migrated to new system software, but the data in that database wasn’t originally collected for that purpose. These ‘technological’ data breaches usually go unnoticed until someone in GDPR or compliance starts asking questions.
Data being used for a purpose it was not originally collected for will also not be risk assessed and can raise trust issues with clients. If there’s a data breach affecting data subjects, and an investigation shows your company has been misusing data, well, it certainly won’t work in your favour. You can expect a fine, and depending on the severity of your misuse, the fine might be a large one.
What do we mean by a data perimeter? Set a limit past which data should never leave. It should cover both physical and digital data, and it allows you to keep track of personal data at all times. Never email data to external contacts, for example. Never take financial or HR documents outside of their respective departments or folders. Put controls in place and train your staff. Limit or outright ban the use of USB sticks, for example.
Data on the move
Data is forever on the move, both in the sense of hard copies and hardware (such as servers and data tapes) and digital copies. There are numerous risks that come with data in transit. Man-in-the-middle attacks are all too common. This is where a malicious actor manages to exploit an application vulnerability or intrude on a network to intercept data as it’s sent.
Physical documents can be at risk when on the move too. They can be misplaced or stolen or otherwise read by unauthorised people. If documents are posted, there’s the chance they could be delivered to the wrong address or lost somewhere along the way.
With more businesses giving staff mobile phones and laptops, data is essentially on the move at all times. If a staff member leaves a laptop containing sensitive and personal information on a train, then that’s a data breach. There’s no telling who might have access to it. Lost devices are a problem everywhere. In the span of four years, the government lost more than 600 devices (including laptops, phones and USBs).
Unauthorised use or losing access
People should only have access to the data they need to do their job. Sharing information accidentally, such as attaching the wrong document to an email, could lead to the wrong person reading confidential HR data.
So, to stop things like this from happening, make sure staff are trained and aware of their responsibilities when it comes to personal data. Always double check emails before hitting send and implement strict data access controls.
Even though you haven’t technically lost the data in the sense that physical documents have gone missing, losing access to it is just as serious. There’s no telling who could potentially be taking a peek at it. It could be that certain files are stored in a location that, due to a technical error, no one can get to. Alternatively, it could be that a ransomware outbreak is preventing anyone from being able to read the files.
Up-to-date virus protection and cyber awareness is key. Investing in basic cyber training for all staff is always recommended.