6 Steps to Prevent Data Breaches
As we enter a new year, it’s traditional to look back at the successes and failures of the last twelve months. The information security world is no different, and as the year draws to a close, information security writers publish a flurry of articles with titles like The Top Data Breaches of 2021 and The Top 5 Scariest Data Breaches in 2021. They are sobering reading: each listicle entry represents hundreds of millions of people hurt by data breaches that expose their private details to criminals and the wider world.
However, these articles don’t mention the thousands of smaller businesses targeted by cyber-criminals. The headline-grabbing data breaches are the tip of the iceberg. While most of the corporations featured will weather the storm, smaller businesses are less able to bounce back from a catastrophic exposure of sensitive data. Over half of small companies go out of business within six months of a data breach or cyber attack.
Data breaches are avoidable, but any business can significantly reduce the risk that a data breach will hurt its employees and customers, not to mention its reputation, bank balance, and regulatory compliance.
What Causes Data Breaches?
Data breaches occur when bad actors exploit weak security and privacy controls. In a secure system, sensitive data is only accessible to authorized and authenticated users. To build a secure system, businesses should implement controls that allow access to authorized users and deny it to everyone else.
Data breaches are more likely when essential controls are missing or improperly implemented. A weak password is an example of a poorly implemented access control. If a user with administrative privileges on a sensitive system chooses a password such as “123456,” an attacker can easily guess it and gain access.
Weak credentials are among the most common causes of data leaks, but there are many more, including:
- Stolen credentials: shared or stolen passwords and authentication keys are a leading cause of data breaches.
- Phishing attacks: attackers use email to trick employees into disclosing credentials or installing malware.
- Software vulnerabilities: vulnerabilities in network-connected software allow attackers to access sensitive systems.
- Insider threats: employees or ex-employees work with criminals or steal data for their own purposes.
- Physical attacks: people who have direct physical access to servers and networks can bypass security controls.
- Configuration mistakes: incorrectly configuring software or hardware may give an attacker access to sensitive data. This is a common cause of data breaches from cloud platforms, as we discussed in 10 Top Tips For Better AWS Security Today.
What Happens During a Data Breach?
There are many potential techniques an attacker might use to compromise a business’s network and exfiltrate sensitive data. But, at a high level, most data breaches follow a predictable course.
- Target identification and surveillance: The attacker probes your network and organization for weaknesses. This stage may be automated: many attackers use bots to probe thousands of networks for specific security weaknesses. However, an attacker may manually probe and investigate a high-value target.
- Social engineering: In addition to probing networks and software, the attacker may contact employees and managers, usually misrepresenting their purpose with a spurious pretext. Their aim may be to learn more about the organization and its systems, steal authentication credentials, or influence an insider to install malware.
- Compromise: The attacker uses the information they have gathered to gain entry to the network. For example, they may have discovered a misconfigured database, which they now access over the internet. Once the attacker has compromised one network component, they may use that access to “island hop” to more sensitive systems.
- Exfiltration: The data is copied from the business’s network to servers under the attacker’s control.
Once the attacker has the data, they can release it to the public, sell it to third-party data brokers, use it for identity theft, or extort the businesses.
How to Prevent Data Breaches
We’ve looked at some of the most widely used techniques to compromise business networks and steal data. To prevent data breaches, businesses should focus on implementing processes and controls that render those techniques ineffective.
Regularly Update Software to Apply Security Patches
Older software often contains bugs that create security vulnerabilities. The recent Apache log4J vulnerability is a perfect example. Log4j is a logging tool for the Java programming language ecosystem. It is included in over 35,000 Java packages used by thousands of businesses.
Log4J contained a security vulnerability an attacker could exploit to execute code remotely. Remote code execution vulnerabilities are severe, and the log4J vulnerability could allow an attacker to break into systems, steal data, and upload malware.
Once the vulnerability was discovered, developers quickly fixed it. But, to get the non-vulnerable version, users have to update any software that uses log4J. Although the log4J vulnerability is particularly serious, software vulnerabilities are common, and the best way to fix them is to update all business software regularly.
Encrypt Data and Store Encryption Keys Securely
Businesses should not entirely rely on their ability to keep bad actors out of their networks. It’s always possible that an attacker will find a vulnerability or an employee will make a configuration mistake. It’s best to assume that an attacker will find their way in and implement additional layers of security to deal with that contingency.
If a business ensures that all data is encrypted, an attacker who penetrates network security cannot access the original data. However, a sophisticated attacker may discover encryption keys if they are not also stored securely. The details of secure key storage differ depending on the business’s platforms, but we discussed how to store access securely and encryption keys on Amazon Web Service in How to Keep AWS Access Keys and Other Secrets Safe.
Implement Least-Privilege Access Policies
Employees, contractors, and service providers should have the least access consistent with their role within an organization. They should be able to access only the data they need and have only essential privileges. For example, an employee who needs to download data to generate a report does not need write permissions to edit that data.
Implementing least-privilege access policies limits the risk of leaked or stolen access credentials. It also helps to reduce insider threats by limiting the data assets a malicious insider can access.
Follow Cloud and Physical Infrastructure Configuration Best Practices
Many data breaches are the result of improperly configured software and hardware. To mention just four examples:
- AWS S3 buckets that are accidentally configured to be publicly accessible.
- MySQL databases deployed without password authentication.
- Improperly assigned access permissions that allow users to access information they should not be authorized to see.
- Inadequate firewall rules or a failure to use a firewall.
Configuration errors have two leading causes. First, the business doesn’t invest the time and resources necessary to secure its infrastructure adequately. Second, the business lacks the knowledge and expertise to configure its infrastructure securely. Both scenarios introduce significant compliance and financial risks.
If a business does not have the knowledge or resources to secure its infrastructure or understand the risks, it should consider employing a third-party information security specialist to assess its security and suggest opportunities for improvement.
Carry Out Regular Security Risk Assessments
A security risk assessment can help your business identify and remediate potential vulnerabilities. A comprehensive risk assessment begins with a survey of your infrastructure before identifying risks, assessing their importance, and creating a risk management plan, which can be implemented to remove identified risks.
A third-party risk assessment by qualified information security auditors may help businesses significantly reduce the risk of a damaging data breach.
Conduct Security Awareness Training
Employees have privileged access to sensitive data, but they may not understand their part in keeping that data safe. Phishing attacks and other forms of social engineering deliberately target non-technical employees who may not understand the security implications of clicking a link in an email or sharing their password with someone who claims to be a manager or executive.
Security awareness training helps employees understand the threats their business faces and what they can do to limit exposure. It can be tailored to the company’s specific needs and relevant security frameworks, including HIPAA and PCI.
Prevent Data Breaches with KirkpatrickPrice
As a licensed CPA firm, KirkpatrickPrice specializes in information security audits and security assessments that can help protect your organization from being vulnerable to data breaches. Contact an information security specialist to learn more about our risk assessment services, security awareness training, and compliance audit services.