Oct 13, 2021
5 min read

What are the consequences of not addressing data exposure?


Poorly trained staff or just simple human errors can lead to your company’s valuable data being exposed. This can be compounded further when the data exposed is customer personal data, which can lead to fines from regulators and loss of business. Let’s explore what the consequences of not addressing data exposure can lead to for your company.

We’ve all heard the stories of companies unwittingly exposing sensitive data by neglecting to configure systems and applications properly online. If we are talking strictly about personal data, this would be termed a data breach and could land your company with a fine of up to 4% of your global annual turnover if you are subject to the GDPR.

The thing is, the law stipulates that even if you discover this before it goes public and there is a chance that the data has been accessed by third parties, then you must notify the regulator. This may well eventually lead to the news going public and to a loss of revenue. In fact, Business Insider Intelligence found that in 38% of cases a data breach cost businesses 20% or more in lost revenue; a figure much higher than the GDPR’s 4% fine.

What is most interesting, though, is where the threat of a data breach comes from, and you don’t have to look far.

Danger from within

77% of company data breaches are caused by internal threats

A 2019 report from the European Union Agency For Network and Information Security highlighted the importance of threats from within your organization with the above statistic. It’s worth noting that, while the majority of threats come from simple human error, there are also statistics out there which attest to employees intentionally causing data breaches. For example, the 2019 Insider Data Breach survey noted that 32% of employees would consider taking company information to a new job.

Obviously, this makes monitoring data flows a priority for IT. 

The rise in the amount of data shared in the cloud and the fact that employees are likely to exfiltrate masses of data related to their work to the cloud before departing the company make cloud services a good starting point. Monitoring cloud services is made difficult by the fact that 97% of cloud apps are shadow IT which are usually unmanaged and freely adopted. Pair this with statistics showing that sharing of sensitive data in the cloud has increased 53% year-over-year and we have a potential recipe for a data-exposure disaster.

The problem is that 75% of organizations don’t have consistent visibility into data movements across their environments and don’t have the tools they need to uncover details and context about their exposure. Since data exposure events can have a whopping 20% impact on your annual revenue, considering a data monitoring and analytics tool for your business becomes critical.

Take personal data records, for example. IBM’s latest report on data breaches places a $180 cost on every record of personal data lost or stolen, and this data is the most common type of data to be exposed. The report shows that lost business accounts for 38% of this cost, so this is a massive indicator that you should be doing what you can to protect personal data.

When it goes wrong

So IBM’s report tells us that 23% of breaches are the result of human error, but just how wrong can things go? Let’s take a look at a recent example from a Dutch retailer.

Hackers, both white and black hat, are constantly trawling the internet looking for vulnerabilities, and a team of white hat hackers stumbled across an unsecured cloud server belonging to a Dutch fishing retailer. The server contained an estimated 450,000 customer personal data records totaling 18GB.

The data breach at this retailer exposed not just order details, such as customer IDs, shipping fees, and payments, but also direct personal data, such as full names, addresses, etc.

Now the consequences here are pretty unfortunate for a company that retails fishing equipment and for their customers whose data and purchase history are exposed, but what about when it is a firearms retailer whose customer data exposes the locations of gun owners’ home addresses?

In terms of fines we are yet to see the outcome. In terms of lost business and perhaps even we can imagine the losses will be large.

What you can do to protect personal data

Soveren’s CISO gives his ten recommendations on what you can do to shore up your security practices to help protect against data breaches:

  • Split personal data into two camps, technical and personal, and give each different protection
  • Document your practices to make sure you are not unwittingly enriching personal data
  • Define your data flows across your organization and apply controls over access/usage
  • Limit controls to set personnel who need to access/use the data as part of their job
  • Monitor data to detect anomalous use and prevent unlawful access
  • Adhere to the strongest data protection regulation that applies
  • Employ additional verification requirements (e.g. 2FA) or login via social media
  • Encrypt local databases and employ additional security measures to access them
  • Use a push model when sharing data with third parties
  • Anonymize data rather than delete it at the end of retention periods

Read the full CISO story on how to protect personal data
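The recommendation to monitor data for anomalous use, together with the point made earlier that departing employees tend to export large volumes of work data to the cloud shortly before they leave, is the kind of check a data-monitoring tool implements. The script below is an added example written for this page, not Soveren’s product or the CISO’s own code: it parses a small constructed audit log (timestamp, user, action, dataset, record count), builds a per-user daily baseline and flags days whose volume is many times that baseline, and separately flags any export or share of a sensitive dataset by a user on a constructed leavers list. The log format, the `LEAVERS` set, the `SENSITIVE` set and the threshold factor are all assumptions.

```python
"""Flag anomalous personal-data access from an audit log (added example, not vendor code)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: "<ISO timestamp> <user> <action> <dataset> <record count>".
# Alice pulls a normal ~100 records a day, then 8,200 on 5 October; Bob, who is on the
# leavers list, shares 4,000 customer records on 4 October.
SAMPLE_LOG = """\
2021-10-01T09:12:03Z alice export customers 120
2021-10-02T10:05:41Z alice export customers 95
2021-10-03T11:30:00Z alice export customers 110
2021-10-04T09:00:12Z alice export customers 105
2021-10-05T16:45:09Z alice export customers 8200
2021-10-01T08:50:00Z bob view orders 40
2021-10-02T09:10:00Z bob view orders 55
2021-10-03T09:30:00Z bob view orders 48
2021-10-04T13:00:00Z bob share customers 4000
2021-10-05T09:00:00Z carol view customers 30
"""

LEAVERS = {"bob"}                       # assumed: staff with a notified departure date
SENSITIVE = {"customers"}               # assumed: datasets holding personal data
EXFIL_ACTIONS = {"export", "share"}     # actions that move data out of the system


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, dataset, count = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "dataset": dataset,
            "count": int(count),
        })
    return events


def daily_totals(events):
    """Sum record counts per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["ts"].date()] += e["count"]
    return totals


def find_volume_anomalies(events, factor=5.0, min_history=3):
    """Flag a user's day when its total exceeds `factor` times the median of that
    user's earlier days. Users with fewer than `min_history` prior days are skipped,
    so a brand-new account cannot be judged against a baseline it does not have."""
    alerts = []
    for user, days in daily_totals(events).items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            history = [t for _, t in ordered[:i]]
            if len(history) < min_history:
                continue
            baseline = statistics.median(history)
            if total > factor * baseline:
                alerts.append((user, day.isoformat(), total, baseline))
    return alerts


def find_leaver_exfiltration(events, leavers=LEAVERS, sensitive=SENSITIVE):
    """Flag any export/share of a sensitive dataset by a user on the leavers list,
    regardless of volume: for a departing employee, one such event is enough to review."""
    return [
        (e["user"], e["ts"].isoformat(), e["action"], e["dataset"], e["count"])
        for e in events
        if e["user"] in leavers and e["action"] in EXFIL_ACTIONS and e["dataset"] in sensitive
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, day, total, baseline in find_volume_anomalies(evs):
        print(f"VOLUME  {user} on {day}: {total} records vs median {baseline}")
    for user, ts, action, dataset, count in find_leaver_exfiltration(evs):
        print(f"LEAVER  {user} {action} {count} records from {dataset} at {ts}")
```

The baseline is a median rather than a mean so that one earlier spike does not raise the bar for later ones, and the history only looks backwards so the alert fires on the day the spike happens. In practice the leavers list would come from HR and the sensitive-dataset list from your data inventory (recommendation three above); both are hard-coded here only to keep the example self-contained.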

So, while the headline-grabbing stories talk about external hackers breaking systems and stealing data, we see that the biggest threat comes from within. In both cases, if you don’t address data exposure issues in your organization, fines will be the least of your worries.

Employ a free personal data monitoring tool for real-time visibility into personal data types and sensitivity.


Author
Soveren
