The Challenge Of Data Breaches – And Why SMEs Aren’t Exempt

INTRODUCTION

Cyber-attacks are now becoming more publicly reported, with greater widespread attention through mainstream media.  The most common attacks that tend to be reported are around data breaches and systems outages, since these have the greatest direct impact on public citizens, either from an inability to access targeted services, or an exposure of the sensitive data.

In this week’s blog we are going to focus on the former – data breaches, highlighting why this does not only affect larger corporations, and why SMEs and even start-ups should be equally as concerned and focused on their Information Security plans.

Not sure where to start? At DigiF9 we combine highly skilled and dedicated software developers with robust and comprehensive information security professionals to help safeguard your company operations. Get in touch today at sales@digif9.co.uk to let us know how we can help take your company to the next level.

WHY SMEs  ARE TARGETED

They won’t be interested in me, I am not big or rich enough.

This is probably one of the phrases I hear the most from companies and individuals alike in response to Information Security. Surely they will target someone else, someone more interesting, someone richer, not little old me right? The main issue here is that there are so many potential reasons why a criminal, or threat actor to use a better term, would wish to target a company or individual.

Whilst financial motivations are typically at the top of most lists, it is not always as simple as directly targeting finances, instead using indirect means to facilitate financial gain. This is where data breaches have become so prominent. Put yourselves in the shoes of an attacker for a second and rather than focusing on how they gain access to sensitive data, assume that they are there already and are now weighing up options to proceed with.

1. Direct Sale
   The quickest and most direct way to make financial gain – selling the exposed or breached data to another party, or parties that are prepared to pay for that kind of information. Often sensitive data will be traded on dark web forums and marketplaces to other threat actors, with their own intentions with it.
   
2. Extortion
   Another direct way to make financial gain – extort the affected party! With General Data Processing Regulations (GDPR) in the EU and Data Protection Act (DPA) in the UK, companies are all too aware of how damaging a data breach can be financially through fines imposed by these regulations. So often threat actors will blackmail the company by threatening to expose the data, in exchange for financial gain.
   
3. Reputational Damage
   Not all threat actors are financially motivated. They could be a competitor that wants your company out of the market, a disgruntled former customer or employee that wants your company to suffer, or even a hacktivist that takes issue with your company operations. These types of actors can simply expose this leaked data across as many platforms as possible, making it as widely known as possible to cause the greatest reputational damage, then sit back and watch the drama unfold.
   
4. Financial Damage
   Following on from the reputational damage angle, these types of threat actors can also seek to destabilase your company from a financial perspective. Not only can a damaged reputation affect revenue and customer loyalty, but the fines imposed by regulators for data protection can be highly damaging to an organisation – with GDPR enforcing a maximum fine of £17.5 million, or 4% of a company turnover if higher. The point is, if an attacker wants to do serious damage to your organisation, going after sensitive data is a key way to achieve it.
   
5. Attack A Member Of Your Supply Chain
   Possibly the most overlooked factor, something we are all guilty of in our lives – being too focused on ourselves. Why would they go after me, what do I have that is so interesting? When you should be looking at your associations and connections also. Often sophisticated threat actors will profile an organisation to find the most effective way to attack – and if that company is squeaky clean, they will then start looking into their supply chain. So organisations may find themselves attacked indirectly, as a means of compromising their primary target.

MAIN ATTACKERS / THREAT ACTORS

 

Depending on who you speak to in the cyber space there can be any number of threat actor groups targeting organisations. For the purposes of this article we will define the five primary groups that most commonly target companies below.

1. Organised Criminals
   The most common group of attackers, with the primary motivation of seeking money. Typically this will revolve around theft and sale of data, or preventing access to systems through ransomware.
   
2. Advanced Persistent Threats (APTs)
   Less commonly known groups, but perhaps more deadly. These are also known as Nation State Actors, with political, economic, military, and commercial infrastructure. Typically, their motivations revolve around destabilising another nation’s critical operations.
   
3. Insider Threats
   A group of attackers that often go under the radar, but often one of the deadliest. Disgruntled and unhappy employees typically have a view internally of the organisation, access to confidential data and knowing key areas of weakness and methods of going undetected.
   
4. Hacktivists
   Similar to your traditional activists, essentially their aims are to bring attention to an issue, or negatively affect the reputation of an organisation that they disagree with. Most often you will see denial of service attacks, as well as exfiltration of data used to damage the reputation of their target.
   
5. Individuals
   The final group, or in this case a lack of a group. Individuals typically have their own motivations – some will be around financial gain, others the thrill and adventure to mounting a cyber-attack. Most of the time they will target access to sensitive data as the key challenge they aim to complete.

CONSEQUENCES

So what does this mean for me?

Whilst every organisation should endeavour to protect sensitive data for its employees and customers from an ethical perspective, this is not always the case. Whether it comes down to resourcing challenges, time or cost, organisations have repeatedly taken shortcuts with respect to sufficient data protection, which was a primary factor behind legislation like GDPR coming into place. In this section we will explore the main consequences for a modern organisation that suffers a data breach.

1. Financial Loss
   Let’s start with the most prevalent impact, particularly for an SME – financial cost. When an organisation suffers a data breach, there are a number of direct and indirect costs that are associated with it.
   This includes the incident response efforts to investigate the source of the breach and close it down, investment into new security measures to prevent the situation occurring again, legal fees as well as potential compensation for affected parties, as well as regulatory penalties for non-compliance with data protection standards. Take GDPR for example – a fine of up to 4% of annual global turnover or 20 million Euros (whichever is greater). For an SME this could be a point of no return.
   
2. Reputational Damage
   Another key impact on the affected organisation is to their reputation. Reputations often take a significant amount of time to develop but can be shattered with one fatal error. Reputations are a fundamental part of most organisations, when you consider the focus on retaining business and developing a presence within a market.
   Take pricing for example, one of the main reasons why certain brands can charge higher prices for similar items to other brands is because of their strong brand image and reputation within the market. Negative media attention and a reputation for being breached can encourage customers to take their business elsewhere, particularly if your organisation holds a significant amount of their personal data on file.
   
3. Operational Downtime
   As mentioned with financial loss, a data breach is not a flick of the switch process, where an organisation can simply get back to normal operations immediately. Typically an incident response process will be undertaken, with root cause analysis conducted to discover the case of the breach, and how to prevent it happening again. For larger organisations they may have a dedicated incident response team to handle this, however this presents a significant challenge for SMEs.
   As an SME, it is particularly challenging to have staff ‘on the bench’ so to speak, waiting for an incident to occur to then jump into action. Therefore, one of two situations typically occurs. Either the organisation outsources incident response to a third-party organisation, which can be costly, and will still require involvement from internal staff in the event of a breach. The alternate solution is to have multi-disciplined staff who double up as incident responders on top of their other roles, meaning that in the event of an incident, business operations will be affected.
   
4. Legal Action
   With data protection regulations coming into place in a number of regions, organisations face new challenges from a legal perspective. Under these regulations, organisations are legally bound to take the necessary steps to protect personal data, and this must be demonstrated, as affected parties can take legal action to claim compensation.
   There are two primary viewpoints of guilt for an organisation – malpractice and negligence. Malpractice would involve improper or illegal behaviour on the organisations part – using customer or employee data for illegitimate purposes. Negligent behaviour on the other hand does not have to be intentional, rather the organisation has not taken the sufficient steps to secure that sensitive data, and as such are still responsible in the case. Therefore, when an organisation suffers a data breach, unless they can conclusively demonstrate sufficient protective measures in place, they are deemed liable.
   
5. Data Loss
   When a data breach occurs, depending on the threat actor involved and their motivations, the data may either be exposed to the general public, or inaccessible to the organisation anymore. This could be through the deployment of Ransomware, which encrypts files on a system making them inaccessible, or through simple deletion.
   In both scenarios, an organisation can potentially lose access to mission critical data. Without this data, they may not be able to operate as effectively, and may potentially lose customers, as they do not have their data on file anymore, and these customers may take their business elsewhere.

PREVENTATIVE ACTIONS

Whilst there is no silver bullet to preventing data breaches occurring, the following is a list of best practices that every organisation should follow to safeguard sensitive data. By doing so, they can demonstrate sufficient protective methods in place, and so in the event that a data breach does occur, an organisation can demonstrate that they have not acted negligently.

1. Educate & Train Staff
   It is critical to ensure all staff are regularly kept up to date with information security best practices, as well as made aware of their specific responsibilities in the domain. This involves security awareness training such as regular phishing training, social engineering awareness and other mechanisms to ensure that staff are not an indirect cause of a data breach.
   
2. Create & Update Policies
   Policies can be a tricky domain, firstly to ensure that they are regularly kept up-to-date and secondly that staff are fully aware of their contents and the requirements. That is why the most effective information security programs match up education and training with policy workshops. Interactive content is typically more effective, and key policies should be focussed on – such as clean desk policies, disposal and destruction of sensitive documents, as well as access controls to systems containing sensitive data.
   
3. Effective Monitoring
   The first two areas are effective at reducing the chances of staff being indirectly responsible for a data breach. But what about another scenario, where there is a malicious insider, or an attacker targeting an organisation? This is where monitoring comes into place, and organisations should implement security technology such as Firewalls, WAFs and SIEMs, that provide holistic coverage over the organisation’s digital estate.
   
4. Data Backup
   Some threat actors wish to cause damage to an organisation without financial gain, and may wish to deny access to critical data for an organisation, rather than gain from it directly. In order to prevent this situation arising, an organisation should ensure that a robust and periodic backup procedure is in place for critical data. This period should be determined based off a key indicator – Recovery Point Objective (RPO) and Recovery Time Objective (RTO) – essentially how long an organisation can be non-operational, and how much data loss is acceptable before it becomes mission critical.
   
5. Retention Policies
   With different regional restrictions as well as industry specific requirements, there are a number of different retention periods to be aware of. Each organisation should define these retention periods to comply with regulations, and implement technology to put this into practice. For example, emails and documents to be retained for the specified time period, then automatically archived and deleted when no longer required. This helps to reduce the blast radius in the event of a data breach.
   
6. Destructive Processes
   When documents, systems and devices are to be disposed of, an organisation should take suitable methods to ensure that sensitive data is not exposed. This includes suitably shredding physical documents, crypto-shredding or degaussing physical systems and physically destroying devices no longer in use. This way you reduce the chances of inadvertently disclosing sensitive details through negligent practices.
   
7. Data Protection
   This can typically be broken down into the following categories – Data in Transit (In Motion) and Data at Rest (In Storage). Securing data in transit can be done through Transport Layer Security (TLS), and communications should be conducted at the most up to date version. Similarly, with data at rest, sufficient protection should be in place with stored data. This includes encryption, anonymisation and tokenisation, which are all methods of protecting stored data. Without sufficient data protection in place, it is extremely difficult for an organisation to demonstrate that they have not been negligent.

Summary

Whilst not an exhaustive list, this article highlights why data breaches are such a significant challenge for organisations of any size, and why SMEs can in fact suffer just as extreme, or even worse side effects than a larger outfit. Through the discussions around the primary threat actors and their motivations, as well as the key impacts and remediation strategies, we hope that this blog is not only informative, but can form a key part of an information security strategy moving forward.

Not sure where to start? At DigiF9 we combine highly skilled and dedicated software developers with robust and comprehensive information security professionals to help safeguard your company operations. Get in touch today at sales@digif9.co.uk to let us know how we can help take your company to the next level.