Poorly trained staff or simple human error can lead to your company's valuable data being exposed. This is compounded when the exposed data is customers' personal data, which can bring fines from regulators as well as loss of business. Let's explore the consequences for your company of not addressing data exposure.
We've all heard the stories of companies unwittingly exposing sensitive data by neglecting to configure online systems and applications properly. If we are talking strictly about personal data, this is a personal data breach under the GDPR and could land your company with a fine of up to 4% of global annual turnover (or €20 million, whichever is higher).
The thing is, the law does not wait for the breach to become public. Under Article 33 of the GDPR, if there is a reasonable chance the data has been accessed by third parties and the breach is likely to result in a risk to the people affected, you must notify the supervisory authority within 72 hours of becoming aware of it, even if you discovered it yourself. That notification may well lead to the news going public, and from there to a loss of revenue. In fact, Business Insider Intelligence found that in 38% of cases a data breach cost the business 20% or more of its revenue, a figure far higher than the GDPR's 4% fine.
What is most interesting, though, is where the threat of data breach comes from and you don’t have to look far.
77% of company data breaches are caused by internal threats
A 2019 report from the European Union Agency for Network and Information Security (ENISA) used the statistic above to highlight the importance of threats from within your organization. It's worth noting that, while most of these incidents come down to simple human error, there are also statistics showing employees intentionally causing data breaches. For example, the 2019 Insider Data Breach survey found that 32% of employees would consider taking company information with them to a new job.
Obviously, this makes monitoring data flows a priority for IT.
The rise in the amount of data shared in the cloud, and the fact that departing employees commonly copy large amounts of work-related data to cloud storage before they leave, make cloud services a good starting point. Monitoring cloud services is made difficult by the fact that 97% of cloud apps are shadow IT: unmanaged, and adopted freely by staff without IT's knowledge. Pair this with statistics showing that sharing of sensitive data in the cloud has increased 53% year-over-year and we have a potential recipe for a data-exposure disaster.
The problem is that 75% of organizations don’t have consistent visibility into data movements across their environments and don’t have the tools they need to uncover details and context about their exposure. Since data exposure events can have a whopping 20% impact on your annual revenue, considering a data monitoring and analytics tool for your business becomes critical.
Take personal data records, for example. IBM's latest report on data breaches puts the cost of every record of personal data lost or stolen at $180, and personal data is the most common type of data to be exposed. The report shows that lost business accounts for 38% of that cost, a strong indicator that you should be doing what you can to protect personal data.
The same IBM report tells us that 23% of breaches are caused by human error, but just how badly can things go? Let's take a look at a recent example from a Dutch retailer.
Hackers, both white hat and black hat, are constantly trawling the internet looking for vulnerabilities, and a team of white hat hackers stumbled across an unsecured cloud server belonging to a Dutch fishing retailer. The server contained an estimated 450,000 customer personal data records, totaling 18GB.
The data breach at this retailer exposed not just order details, such as customer IDs, shipping fees, and payment details, but also directly identifying personal data, such as full names and addresses.
The consequences here are unfortunate enough for a company that retails fishing equipment and for the customers whose data and purchase history was exposed. But what about when it is a firearms retailer, whose customer records reveal gun owners' home addresses?
In terms of fines, we are yet to see the outcome. In terms of lost business, we can imagine the losses will be large.
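To make the "visibility into personal data types and sensitivity" idea concrete, here is an added example (not code from the original article or from Soveren) that scans a handful of constructed order records shaped like the ones described above and classifies each field by personal data type and sensitivity. The field names, the sensitivity tiers ("direct" for fields that identify a person on their own, "indirect" for customer IDs and order details) and the Dutch postcode pattern are assumptions made for this illustration; the sample records are entirely made up.

```python
import re
from collections import Counter

# Constructed sample records, modelled on the kind of order data the article
# describes (customer ID, shipping fee, payment, plus name and address).
# These are invented for the example and do not come from any real breach.
SAMPLE_RECORDS = [
    {"customer_id": "C-10442", "full_name": "Anna de Vries",
     "address": "Keizersgracht 12, 1015 CN Amsterdam", "email": "anna.dv@example.com",
     "phone": "+31 6 12345678", "shipping_fee": "4.95", "payment": "iDEAL"},
    {"customer_id": "C-10443", "full_name": "Pieter Jansen",
     "address": "Stationsweg 8, 3011 AA Rotterdam", "email": "p.jansen@example.org",
     "phone": "06-98765432", "shipping_fee": "0.00", "payment": "credit card"},
    {"customer_id": "C-10444", "full_name": "", "address": "", "email": "", "phone": "",
     "shipping_fee": "2.50", "payment": "PayPal", "notes": "ring bell twice"},
    # Personal data hiding in a free-text field: field-name rules alone miss this.
    {"customer_id": "C-10445", "full_name": "", "address": "", "email": "", "phone": "",
     "shipping_fee": "4.95", "payment": "iDEAL",
     "notes": "contact j.bakker@example.net before shipping"},
]

# Assumed mapping from field name to (data type, sensitivity tier).
FIELD_HINTS = {
    "full_name": ("name", "direct"),
    "address": ("postal_address", "direct"),
    "email": ("email", "direct"),
    "phone": ("phone", "direct"),
    "customer_id": ("customer_id", "indirect"),
    "shipping_fee": ("order_detail", "indirect"),
    "payment": ("order_detail", "indirect"),
}

# Value-based detectors, checked before the field-name hint so that personal
# data in an unexpected column is still found. Patterns are deliberately simple.
VALUE_PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("phone", re.compile(r"(?<!\w)\+?\d[\d\s-]{7,}\d(?!\w)")),
    ("postal_address", re.compile(r"\b\d{4}\s?[A-Z]{2}\b")),  # assumed: Dutch postcode
]


def classify(field, value):
    """Return (data_type, sensitivity, source) for one field, or None if it is empty.

    source is "value" when a content pattern matched, "field_name" when only the
    column name told us what it is, and "none" when neither applied.
    """
    if value is None or not str(value).strip():
        return None
    text = str(value)
    for data_type, pattern in VALUE_PATTERNS:
        if pattern.search(text):
            return (data_type, "direct", "value")
    if field in FIELD_HINTS:
        data_type, sensitivity = FIELD_HINTS[field]
        return (data_type, sensitivity, "field_name")
    return ("unknown", "unclassified", "none")


def inventory(records):
    """Count (data_type, sensitivity) occurrences across all non-empty fields and
    list personal data found in fields whose name gave no hint (the context a
    reviewer needs to judge an exposure)."""
    counts = Counter()
    unexpected = []
    for index, record in enumerate(records):
        for field, value in record.items():
            result = classify(field, value)
            if result is None:
                continue
            data_type, sensitivity, source = result
            counts[(data_type, sensitivity)] += 1
            if source == "value" and field not in FIELD_HINTS:
                unexpected.append((index, field, data_type))
    return counts, unexpected


def records_with_direct_identifiers(records):
    """Number of records that identify a person on their own; this is the subset
    that turns a leaked order file into a personal data breach."""
    total = 0
    for record in records:
        for field, value in record.items():
            result = classify(field, value)
            if result is not None and result[1] == "direct":
                total += 1
                break
    return total


if __name__ == "__main__":
    counts, unexpected = inventory(SAMPLE_RECORDS)
    for (data_type, sensitivity), n in sorted(counts.items()):
        print(f"{data_type:15} {sensitivity:13} {n}")
    print("personal data in unhinted fields:", unexpected)
    print("records identifying a person:", records_with_direct_identifiers(SAMPLE_RECORDS))
```

The point of checking values before field names is the fourth record: its name, address and phone columns are empty, yet it still identifies a person because an e-mail address was typed into a free-text "notes" field. A monitoring approach that only looks at column names would count that record as order data only.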
Soveren’s CISO gives his ten recommendations on what you can do to shore up your security practices to help protect against data breaches:
Read the full CISO story on how to protect personal data
So, while the headline-grabbing stories talk about external hackers breaking systems and stealing data, we see that the biggest threat comes from within. In both cases, if you don’t address data exposure issues in your organization, fines will be the least of your worries.
Employ a free personal data monitoring tool for real-time visibility into the types and sensitivity of the personal data you hold.