
What are the most common causes, and risks, for a data breach?

Published by James Olsen. 21:05:26 GMT+10, Friday, February 14

Data breaches are almost a fact of life currently. In the 2023-24 financial year across Australia alone there were roughly 47 million instances of someone's data being leaked to the wider world [1]. And these are only the ones that are known about. The Australian government is continuing to invest record amounts and update existing laws to change this, but organisations have to be proactive too if they wish to stay ahead of cybercrime.

That is why data breaches don't have to be a fact of life. In this article we will touch upon the changing legislative landscape, and the improving technologies and standards to protect you. We will also explain how CyberDefence Advisory can help protect your organisation. From preparing ISO 27001 certification to implementing the recommendations of the Australian Signals Directorate's Essential Eight, there is plenty that can be done to manage the causes and risks of data breaches [2][3].

Why are data breaches so common?

Unfortunately, cybercrime is currently perhaps the easiest and most risk-free crime to conduct against an individual or organisation. Governments have been slow to enforce new laws or standards, and many organisations have decided that it is easier to try and ignore cybercrime's prevalence. The combination of these 2 factors has caught many other organisations, especially small and medium enterprises stuck in the middle, unprepared and unaware of what tools are available to assist them. Many are also unaware of the many ways data breaches can occur.

How do data breaches occur?

We've covered the 'why', but what about the 'how'? Whole textbooks can be, and have been, written about the myriad of vulnerabilities that cybercriminals look for when attacking an organisation. Many of these textbooks however tend to focus on the theory rather than the practicalities of our everyday cyber ecosystem.

Likely the biggest reason by far for data breaches every passing day is 'social engineering' [4]. This is when a criminal is able to gain the trust of someone who works in your organisation and convinces them to provide access to confidential information. It ranges from calling operatives at call centres with convincing stories all the way to sending a professional-looking email to a subordinate, directing a now stressed employee to click on a link or provide data to their supposed "boss".

But this is not the only avenue. Someone bringing their laptop from home to work might be bringing a virus onto the network that can log all data typed on any computer, gaining access to passwords [5]. Similarly, it often isn't too hard to simply guess (brute-force) the password of an individual who has sufficient access to an organisation's data - 123456 still remains one of the most common passwords across the world [6].

One also can't forget the case of the mysterious USB left out on someone's table, being plugged into their laptop by a well-intentioned individual looking to eventually reunite it with its owner [7]. Or the developer accidentally leaving an API key pushed to a public database after a tiring shift [8]. The number of possibilities is almost impossible to imagine.

Can data breaches be avoided?

We've so far concluded that governments and many organisations have been slow to act on the threat of data breaches, and that there are seemingly too many attack vectors to possibly account for them all. All the while the average cybercrime incident deals between $50,000 and $60,000 worth of damages to a small or medium organisation - not counting any damages to reputation or confidence [1].

While this conclusion is true, it is far from implying that mitigating data breaches is a lost cause... or even, in most cases, difficult for that matter. Every individual and organisation, small and large, has access to the tools it needs to make data breaches a nearly negligible risk to their operations. CyberDefence Advisory can consult you on these tools and implement them such that the risk to you and your customers becomes a greatly diminished concern.

What are some of the ways we can help? You may have noticed when we were covering the common causes of data breaches that 3 themes popped up:

What can CyberDefence Advisory do?

Access rights, training and organisational plans. CyberDefence Advisory is able to consult with your organisation to assist with and provide all 3.

We can update and upgrade your organisation's access rights to retain a balance of security and access. We can provide organisation-wide training and onboarding for all new and existing employees of your organisation. We can also implement organisational plans, drafting up ISO 27001 certifications and implementing the Australian Signals Directorate's Essential Eight [2][3].

These are not the only cybersecurity risks though, and we are always able to provide a wider risk assessment of any organisation. If you are interested in any of these services, want consulting for any other cybersecurity needs or wish to contact us for any reason, contact us here or click here.