Data Theft: Never too small to worry about vulnerabilities

Quick Summary → Data breach stories continue to send shockwaves through the industry. Most of these breaches share a common theme – the targets were large, high-profile organisations. But what about businesses outside of the fabled FTSE-100? I endeavour to arm you with information, facts and insight for you to answer the question: “Is my SMB really at risk from data theft?”


Cyber Risk: Data Theft is on the Rise Globally

The global scale of cybercrime is frightening. Mercer’s 2023 Global Risks Report ranks threats to data as the 8th most pressing risk to humanity, surpassed only by risks such as climate change, biodiversity loss, and mass migration. Big businesses are scared of cybercrime. They know that they are targets and spend a lot of money to protect themselves. Annual global cybersecurity spending is around $180B. This will only increase with our reliance on data and AI.

 

Small Business, Big Danger: Data Breaches Aren’t Just for Giants

A staggering 83% of organisations experienced at least one data breach in 2022. This doesn’t account for the many businesses that won’t ever know they have been breached. In fact, 61% of the 2022 breaches were in businesses with fewer than 1,000 employees, with 60% of these SMBs out of business within 6 months. The average cost to recover from a data breach is around £20,000. But this excludes reputational damage attributable to a breach. Loss of customer trust, shareholder concerns and the lasting impact on brand reputation raise the average closer to a more concerning $5 million.

 

Data breaches are an all-pervasive and persistent threat. Businesses that have survived one breach are 83% likely to encounter a repeat incident within a year.

 

“We’re Too Small to Have to Worry”: The Big Mistake SMEs Make About Data Theft

Data theft is a real risk. Asking “Is my business at risk from data theft?” is nonsensical. A better question is “What is the size of this risk?” Any business with proprietary data (customer data, intellectual property, or financial resources) is a target. If it is valuable to you, it’s valuable to someone else. It is a misconception that smaller businesses are not targets. Bad actors target vulnerabilities, not business size. They know that smaller businesses are less secure than larger businesses. Whilst large businesses may yield large rewards, smaller businesses are easier targets.

 


The Hybrid Risk: Don’t Get Hacked Out of Business

The recent move to hybrid working has compounded a lot of data risks. Employees demand 24×7 access to data, from anywhere. Consequently, increasing volumes of our data reside in:

    • poorly secured environments, such as home networks or BYOD.
    • areas beyond our control, such as the cloud.
    • public networks, such as the Internet.

 

Hybrid working has inadvertently widened the playing field for cyber adversaries. Remote working has been a catalyst in a 300% increase in attacks on accountancy firms. Financial services institutions have seen the average cost of a breach jump by $1m when remote working is involved, whilst 75% of law firms were breached.

 

Little cyber mitigations make a big difference

There are simple, affordable techniques that all businesses should deploy as the first wave of data breach mitigation:

    • restrict user access to only the information they need, to limit damage should an account become compromised
    • multi-factor authentication overcomes the limitations of passwords for device and application logins.
    • encrypt all data – to the Internet (emails, files, application data, etc) and on laptops (e.g. with Microsoft’s BitLocker).
    • regular application updates remove vulnerabilities that attackers can utilise to compromise devices.
    • antivirus and firewalls remain crucial in mitigating incoming threats.
    • user education is paramount to explain why to use a VPN or how to recognise a phishing scam.

 

Organisations such as the Cyber Resilience Centres and the National Cyber Security Centre provide independent guidance on cyber best practice.

 

Eliminate Data Theft: Monitor outbound data

The above six steps reduce the risk of breach. For data theft, prevention is better than mitigation. Monitoring outbound data may eliminate the risk of theft. Larger businesses can afford Data Loss Prevention (DLP) tools such as Microsoft’s Purview. This focuses on examining email content for sensitive data leakage. But these solutions are beyond the budget of smaller businesses. Neither do they tackle data theft from bad actors or disgruntled employees.

 

Instead, for both small and large businesses alike, tackling data theft requires monitoring all outbound data to block unauthorised exfiltration. Every data flow must be questioned as to:

    • has the data come from a known, trusted business application?
    • is it destined for a trusted endpoint?
    • is it being sent via a trusted mechanism, such as a VPN?
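
The three questions above, expressed as a default-deny check over outbound flow records. This is an added example, not code from the article or from any vendor's product; the application paths, address ranges, interface names and sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy for illustration: paths, ranges and interfaces are assumptions.
TRUSTED_APPS = {"/usr/bin/thunderbird", "/opt/accounts/ledger"}
TRUSTED_DESTS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]
TRUSTED_INTERFACES = {"wg0", "tun0"}  # VPN tunnel interfaces

@dataclass(frozen=True)
class Flow:
    process: str    # executable that opened the connection
    dest_ip: str    # remote address
    interface: str  # local interface the traffic leaves on
    bytes_out: int

def evaluate(flow: Flow) -> list[str]:
    """Return the failed checks; an empty list means every question was answered yes."""
    failures = []
    if flow.process not in TRUSTED_APPS:
        failures.append("untrusted application")
    try:
        addr = ipaddress.ip_address(flow.dest_ip)
        if not any(addr in net for net in TRUSTED_DESTS):
            failures.append("untrusted endpoint")
    except ValueError:
        # A destination that cannot be parsed is never treated as trusted.
        failures.append("unparseable destination")
    if flow.interface not in TRUSTED_INTERFACES:
        failures.append("untrusted mechanism")
    return failures

def verdict(flow: Flow) -> str:
    # Default deny: data leaves only when all three checks pass.
    return "ALLOW" if not evaluate(flow) else "BLOCK"

# Constructed sample flows
SAMPLE_FLOWS = [
    Flow("/opt/accounts/ledger", "203.0.113.25", "wg0", 48_200),
    Flow("/opt/accounts/ledger", "203.0.113.25", "wlan0", 48_200),
    Flow("/tmp/updater", "192.0.2.77", "wlan0", 9_500_000),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(verdict(f), f.process, "->", f.dest_ip, evaluate(f))
```

Recording which check failed, rather than only the verdict, lets a reviewer tell a trusted application that has dropped off the VPN apart from an unknown process sending data to an unknown address.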

 

Conclusion

Data breaches remain a potent threat. The costs to remediate are often a fraction of any long-term reputational impact. No business is immune to data theft – if your data is valuable to you, it is valuable to someone else.

 

Data loss prevention requires a holistic approach. Quick fixes like antivirus and firewalls must be combined with round-the-clock monitoring of outbound data to block unauthorised outgoing data before it becomes a breach.

 

Footnote

In this article, I use deliberate, distinct terminologies which I should clarify to avoid confusion:

  • Data theft is the intentional extraction of data (mainly business proprietary Intellectual Property data, but could include PII) by a bad actor (hacker, malware, etc).
  • Data leakage is the accidental exposure of data through user intervention, such as emailing PII data to the wrong person.
  • Data breach is the exposure of sensitive data, either through accidental leakage or deliberate theft.

 

A more detailed explanation can be found here.

About the Author

Dr Mark Graham, CEO of ZORB Security

Dr. Mark Graham has spent over 30 years in cybersecurity. He completed his PhD in malware detection in Cambridge, UK where he also lectured in Information Security, Cybercrime, and Pen-Testing. He is a co-founder of ZORB Security which specialises in eliminating data theft.
