According to a 2016 Ponemon Institute study sponsored by IBM on the costs of data breaches and data loss, the average consolidated cost of a breach moved from $3.8 million to $4.0 million. At a more granular level, the study also found that the cost of each lost or stolen record containing sensitive and confidential information decreased from $158 to $141. The stakes are nonetheless still high for companies to manage their data properly: the average size of a data breach has increased by 1.8 percent, and loss or exposure of data can effectively ruin a company’s reputation with customers and partners.
Here are seven ways individual employees and IT teams inadvertently cause companies to lose data, and some best practices for preventing a crippling data loss.
- Changing advanced settings. The advanced settings feature on computers is not there just for show. It’s a serious warning to the user that they better know what they are doing before they start making system changes. A frequent example of such a setting involves the Basic Input Output System (BIOS), which is the chip that instructs the computer on the next steps to take after power-on. Users can make changes to this setting with the best intentions, but they might expose the machine to data loss or theft. Advanced settings adjustments are best handled by the IT team in controlled environments to greatly reduce the chances of local data loss.
- Not managing ex-employees’ and vendors’ credentials. A common data-loss scenario involves an ex-employee or contractor who accesses information without proper authorization. In many cases, data breaches occur years after employees leave an organization because it has no access-control process in place to revoke their login credentials. Outside IT vendors are another culprit, as they employ staff members who might need temporary access to a company’s systems. Both groups are a considerable risk factor for unauthorized access.
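The control this item calls for is a routine check that departed employees and expired vendor accounts are actually disabled. The following is an added example, not part of the original article: it audits a constructed list of accounts against a constructed HR termination list and flags every enabled account that should no longer exist (vendor accounts with no expiry date are flagged too, since temporary access without an end date is exactly the gap described above).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    kind: str                # "employee" or "vendor"
    enabled: bool
    expires: Optional[date]  # vendors must carry an expiry; employees carry none


def audit_accounts(accounts: List[Account], terminated: Dict[str, date],
                   today: date, grace_days: int = 0) -> List[str]:
    """Return usernames that are still enabled but should have been revoked.

    terminated maps employee usernames to their termination date (from HR).
    grace_days lets a short handover window pass before an account is flagged.
    """
    stale = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already revoked, nothing to do
        if acct.kind == "employee":
            term_date = terminated.get(acct.username)
            if term_date and today - term_date >= timedelta(days=grace_days):
                stale.append(acct.username)
        elif acct.kind == "vendor":
            # Temporary vendor access with no expiry, or an expiry in the past,
            # is a standing credential nobody is tracking.
            if acct.expires is None or acct.expires < today:
                stale.append(acct.username)
    return sorted(stale)


# Constructed sample data (hypothetical users and dates, not from the article).
SAMPLE_ACCOUNTS = [
    Account("alice", "employee", True, None),
    Account("bob", "employee", True, None),            # left in June, still enabled
    Account("carol", "employee", False, None),         # left and properly disabled
    Account("acme-support", "vendor", True, date(2017, 11, 1)),  # expired
    Account("acme-svc", "vendor", True, None),         # no expiry ever set
    Account("widgetco", "vendor", True, date(2018, 1, 15)),      # still valid
]
SAMPLE_TERMINATED = {"bob": date(2017, 6, 30), "carol": date(2017, 9, 1)}


def run_sample() -> List[str]:
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_TERMINATED, date(2017, 12, 1))


if __name__ == "__main__":
    print("Accounts to revoke:", run_sample())
```

Feeding the same function real directory and HR exports on a schedule turns the one-off check into the revocation control the item recommends.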
- Downloading fake software. More than 1 million fake WhatsApp apps were downloaded from the Google Play Store in November 2017, reflecting the ease with which rogue developers can create fake software. This problem is especially prevalent with antivirus software: Hackers build what looks like a legitimate antivirus tool and offer it for free, but in fact it’s a conduit for accessing systems.
- Falling for phishing schemes. A phishing scheme is an attempt by a hacker to create messaging that resembles communications from a legitimate company as a means of gathering personal or corporate information. For example, a well-known phishing scam involving Netflix attempts to trick subscribers by sending them an email that looks like an official Netflix email stating that their accounts have been suspended. The recipient is urged to click through to a landing page, which then asks for personal data, including credit card information and sometimes even Social Security numbers. The landing page also resembles Netflix-branded content and is set up to avoid most website- and spam-blocking tools. These phishing sites also frequently contain malware such as keyloggers, which creates data-loss exposure for people who access the phishing site from their work computers.
- Exposing the company to ransomware. In light of some of this year’s cyber-incidents, most people should be aware that ransomware is a hacking scheme that involves taking over a person’s computer files, encrypting them so that they appear as garbled text or images, and then demanding a ransom in exchange for the encryption key. Some people might not be aware, however, that hackers typically gain access through email attachments or by guessing passwords, which further reinforces the need for complex passwords and a companywide reminder to be very cautious when opening email attachments from anyone other than colleagues and clients. Data loss comes when the hackers steal valuable information during the ransom period; and if the ransom isn’t paid, the hackers typically leave the data encrypted or destroy it beyond repair.
- Clicking hijacked ads. Cybercriminals often place banner ads on legitimate websites to entice business or personal users. After the link is clicked, the malware enters the user’s system undetected, giving the criminal inside access to take data or hold the company hostage. Hackers either buy banner ads directly or hijack the ad server and redirect the ads. To combat this issue, companies should teach staff members not to click any banner ads. If employees want to learn more about a company or offer, they should simply search for and proceed to the company’s own verified URL.
- Using improper backup procedures. A very common cause of data loss (especially among smaller companies) is storing data locally, experiencing a failure event, and having no backup. It’s 2017, and data storage is very inexpensive – both physical drives and cloud storage. Businesses should institute strict backup procedures for their corporate data, including processes for individual employees and departments. Moving data to the cloud is an ideal choice, as it removes content and potentially confidential files from laptops, thumb drives, or other more exposed storage methods.
Because storage is cheap, companies should also make “backups of the backups.” Smaller organizations can move data to the cloud and also back it up to external hard drives stored at a different secure location.
David Zimmerman is CEO of LC Technology International. He has been in the hardware/software industry for over 30 years, specifically in the data-recovery software market for 18 years. During this period, David has been involved in the creation, marketing and support of drive-recovery software products for the PC market both nationally and internationally. LC Technology is a global leader in data recovery, file-system utilities and data-security technology.