Getting to know your data breaches
Written by Luke Peach 12/04/2019
All the wrong ways
People make mistakes all the time, so it’s expected that someone in your business (or maybe even you) will be responsible for a breach eventually. Hopefully not on the same scale as those already mentioned, but a breach nonetheless.
Misusing data or not disposing of it correctly can lead to a breach. The latter is effectively a breach in itself: once the data has left the company, it could be in anyone’s hands. Losing data in any way is a data breach, even if there haven’t been any negative consequences.
Using data for a purpose it was not originally collected for raises a lot of issues. For starters, there’s the issue that you’re not being open and honest with your customers. Then there’s the fact you won’t have conducted any risk assessments for this usage. If there’s a data breach affecting data subjects, and an investigation shows your company has been misusing data, well, it certainly won’t work in your favour. You can expect a fine, and depending on the severity of your misuse, the fine might be a large one.
What do we mean by a data perimeter? A limit past which data should never leave. It should be both physical and digital, and it allows you to keep track of personal data at all times. Never email data to external contacts, for example. Never take financial or HR documents outside of their respective departments or folders. Put controls in place and train your staff: limit or outright ban the use of USB sticks, for example.
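As an added, constructed example (not part of the original article): a small Python audit that scans Linux kernel log lines for USB mass-storage attachments, so a "limit USB sticks" rule can be checked against what actually happens on workstations. The log lines, hostnames and the allowlisted vendor:product ID are made up for the example.

```python
import re

# Constructed sample kernel log lines in syslog format; not from any real system.
# ws-finance-07 attaches an approved stick, ws-hr-03 has a mouse receiver (not
# storage) and then an unapproved stick.
SAMPLE_LOG = """\
Apr 12 09:14:02 ws-finance-07 kernel: usb 1-1: new high-speed USB device number 5 using xhci_hcd
Apr 12 09:14:02 ws-finance-07 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Apr 12 09:14:02 ws-finance-07 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Apr 12 09:14:03 ws-finance-07 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Apr 12 09:20:45 ws-finance-07 kernel: usb 1-1: USB disconnect, device number 5
Apr 12 10:02:11 ws-hr-03 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b
Apr 12 10:02:11 ws-hr-03 kernel: input: Logitech USB Receiver as /devices/.../input12
Apr 12 11:30:00 ws-hr-03 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666
Apr 12 11:30:00 ws-hr-03 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# "New USB device found" gives us the vendor/product IDs for a port.
NEW_DEVICE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# The usb-storage driver only binds to mass-storage interfaces, so this line is
# the signal that the device on that port is a disk, not a keyboard or mouse.
MASS_STORAGE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: usb-storage (?P<port>[\d.-]+):"
    r"\d+\.\d+: USB Mass Storage device detected")


def removable_media_events(log_text, allowlist=frozenset()):
    """Correlate each 'New USB device found' with a later 'USB Mass Storage
    device detected' on the same host and port. Returns one dict per storage
    attach with the timestamp, host, vendor:product ID and whether it is allowed."""
    pending = {}  # (host, port) -> (ts, "vid:pid") for devices not yet classified
    events = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            pending[(m["host"], m["port"])] = (m["ts"], f"{m['vid']}:{m['pid']}")
            continue
        m = MASS_STORAGE.match(line)
        if m:
            ts, ident = pending.pop((m["host"], m["port"]), (m["ts"], "unknown"))
            events.append({"ts": ts, "host": m["host"], "device": ident,
                           "allowed": ident in allowlist})
    return events


def alerts(log_text, allowlist=frozenset()):
    """Only the attachments that violate the allowlist (the cases to follow up)."""
    return [e for e in removable_media_events(log_text, allowlist) if not e["allowed"]]


if __name__ == "__main__":
    for e in alerts(SAMPLE_LOG, allowlist={"0781:5567"}):
        print(f"{e['ts']} {e['host']}: unapproved removable disk {e['device']}")
```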
Data on the move
Data is forever on the move, both in the sense of hard copies and hardware (such as servers and data tapes) and digital copies. There are numerous risks that come with data in transit. Man-in-the-middle attacks are all too common. This is where a malicious actor manages to exploit an application vulnerability or intrude on a network to intercept data as it’s sent.
Physical documents can be at risk when on the move too. They can be misplaced or stolen or otherwise read by unauthorised people. If documents are posted, there’s the chance they could be delivered to the wrong address or lost somewhere along the way.
With more businesses giving staff mobile phones and laptops, data is essentially on the move at all times. If a staff member leaves a laptop containing sensitive and personal information on a train, then that’s a data breach. There’s no telling who might have access to it. Lost devices are a problem everywhere. In the span of four years, the government lost more than 600 devices (including laptops, phones and USBs).
Unauthorised use or losing access
People should only have access to the data they need to do their job. Sharing information accidentally, such as attaching the wrong document to an email, could lead to the wrong person reading confidential HR data.
So, to stop things like this from happening, make sure staff are trained and aware of their responsibilities when it comes to personal data. Always double check emails before hitting send and implement strict data access controls.
Even though you haven’t technically lost the data in the sense that physical documents have gone missing, losing access to it is on the same level. There’s no telling who could potentially be taking a peek at it. It could be that certain files are stored in a location that, due to a technical error, no one can get to. Alternatively, it could be that a ransomware outbreak is preventing anyone from being able to read the files.
Up-to-date virus protection and cyber awareness are key. Investing in basic cyber training for all staff is always recommended.