By David De Laine, Regional Director - ANZ
JP Morgan’s recent data leak exposed 76 million households and seven million small businesses.
While none of this information was particularly sensitive, it’s ideal for hackers as they can leverage it to gain even more information. Names, addresses, emails, birthdays and location data are more than enough to create a perfectly tailored phishing email that hackers can use to help them obtain even more data such as credit card details and account numbers.
So what’s the impact of the breach?
A data breach exposes both the individual whose records have been acquired and also the businesses that have been compromised as targets. Other recent breaches include:
- The Dropbox fiasco where hackers threatened to release 7 million personal login credentials, unless donations to a bitcoin account were made.
- In May 2014, eBay revealed that hackers had managed to steal personal records of 233 million users.
- The State of Montana’s Health Department revealed that a data breach may have affected more than 1.3 million people, potentially exploiting and distributing a range of sensitive and confidential data.
A study into data leaks found an associated cost of $201.18 per lost or stolen customer record – which means a data breach involving 100,000 or more customer records would cost just over $20 million (“Cost of a Data Breach” study, Ponemon Institute, May 2014). The study also found that it takes up to 2.6 years for a company to recover from a breach.
How do organisations mitigate these incidents and protect themselves?
It is important to start with the most valuable asset you have – people. You, your employees, and your stakeholders. Then address the organisation (infrastructure and information).
So why start with the people first? Humans are not infallible: we make mistakes, and we can be unpredictable. If organisations ensure that those responsible for the creation, amendment, containment, protection and sharing of data understand their responsibilities and how their actions may benefit or negatively affect an organisation and its clients, then the path to ‘information protection’ will have a solid grounding to start with. Gartner calls this People Centric Security (PCS).
Once you have started to address security in a people-centric way, raising awareness and self-responsibility for information protection, you need to reassess the technological elements of your organisation. Approach this with one question in mind: where are the threats coming from?
Traditionally, the most significant threats came from outside the organisation’s perimeter, the ‘usual suspects’ such as cyber criminals and hackers. Today, the majority of breaches occur from within an organisation’s boundary. It’s worth keeping in mind that 44 per cent of data breaches come from employees, and the majority (85 per cent) of these are inadvertent, e.g. accidentally sending an email to the wrong person or publishing content that contains sensitive data. With tightening privacy laws, regulatory and compliance requirements, there is now a need to ensure the right systems are in place to protect information from inadvertent accidents and malicious behaviour from within, as well as threats from outside.
Companies can prevent both internal and external threats and protect their critical information with Adaptive Data Loss Prevention (A-DLP) technology. Many large organisations have a DLP solution in place, but these are often ineffective, because traditional DLP systems are based on a ‘stop and block’ approach which hinders ongoing collaboration. In a world where we need to collaborate at any time and anywhere, next generation DLP solutions can adapt to technological and operational challenges and enable continuous collaboration, while also redacting sensitive data – based on the organisation’s policy – and delivering the remaining [authorised] information to the people who need it.
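To make the difference between ‘stop and block’ and policy-based redaction concrete, here is an added example of an outbound message filter (this is illustrative code written for this article, not the product or policy language of any DLP vendor). It assumes two classes of sensitive data: payment card numbers, confirmed with the Luhn checksum to reduce false positives, and a constructed internal account-number format (`ACCT-` plus eight digits). The policy table, the `example.com` internal domain and the sample message are all assumptions for the example. Card numbers are always masked; account numbers are allowed to internal recipients, and only a message that would send one to an external recipient falls back to the traditional block outcome.

```python
"""Policy-driven redaction of sensitive data in outbound messages (example)."""
import re
from typing import Dict, List, Optional, Tuple

# Detectors. Both patterns are assumptions for this example: 13-16 digit
# candidates are accepted as card numbers only if they pass the Luhn check,
# and "ACCT-" followed by eight digits is a constructed account format.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
ACCOUNT_RE = re.compile(r"\bACCT-\d{8}\b")

# Policy table (assumed): (data class, destination) -> action.
#   allow  - deliver the message unchanged
#   redact - mask the matched value and deliver the rest
#   block  - the traditional stop-and-block outcome
POLICY: Dict[Tuple[str, str], str] = {
    ("card_number", "internal"): "redact",
    ("card_number", "external"): "redact",
    ("account_number", "internal"): "allow",
    ("account_number", "external"): "block",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> List[Tuple[str, str]]:
    """Return (data_class, matched_text) pairs found in the message body."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            findings.append(("card_number", m.group()))
    for m in ACCOUNT_RE.finditer(text):
        findings.append(("account_number", m.group()))
    return findings


def destination_of(recipient: str, internal_domain: str) -> str:
    """Internal if the recipient address belongs to the organisation's domain."""
    return "internal" if recipient.lower().endswith("@" + internal_domain) else "external"


def redact(data_class: str, value: str) -> str:
    """Replacement text: keep the last four card digits so the recipient can still act."""
    if data_class == "card_number":
        digits = re.sub(r"[ -]", "", value)
        return "[card ending " + digits[-4:] + "]"
    return "[account number removed]"


def apply_policy(body: str, recipient: str, internal_domain: str = "example.com"
                 ) -> Tuple[str, Optional[str], List[Tuple[str, str]]]:
    """Decide what (if anything) to deliver.

    Returns (decision, delivered_body, findings) where decision is one of
    "deliver", "deliver-redacted" or "block"; delivered_body is None when blocked.
    """
    dest = destination_of(recipient, internal_domain)
    findings = classify(body)
    delivered = body
    decision = "deliver"
    for data_class, value in findings:
        action = POLICY.get((data_class, dest), "block")   # default deny for unknown cases
        if action == "block":
            return "block", None, findings
        if action == "redact":
            delivered = delivered.replace(value, redact(data_class, value))
            decision = "deliver-redacted"
    return decision, delivered, findings


# Constructed sample message; the card number is a well-known Luhn-valid test value.
SAMPLE = ("Hi, the customer's card 4111 1111 1111 1111 was charged twice; "
          "please reverse one charge on ACCT-12345678. Order ref 12345.")

if __name__ == "__main__":
    for rcpt in ("ops@example.com", "partner@other.org"):
        print(rcpt, "->", apply_policy(SAMPLE, rcpt))
```

The internal recipient still receives a usable message (card masked to its last four digits, account number intact), which is the collaboration-preserving behaviour the paragraph describes; the external recipient is blocked only because the policy says an account number must not leave the organisation, and the default for any (class, destination) pair the policy does not name is deny.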
Be prepared and implement solutions and processes that will ensure the impact of a data breach is minimised in advance, because it’s not “if” you’re going to be breached, but “when”.