By Oliver Harvey, Global Head of Governance, Risk & Compliance Solutions, Nuix
Being the target of a data breach can be a harrowing personal and reputational experience for any business and its leadership. It can also, in an instant, expose with graphic discomfort the shortcomings of an organisation’s risk management and data governance arrangements. In a digital age in which the insidious scale and frequency of data breaches are an escalating concern for the corporate and public sectors, it is critical that organisations understand how data breaches occur, what their consequences are and how to minimise their impact. Whilst this is essential for all businesses, from my previous role as Chief Supervisory Officer at the Australian Securities and Investments I experienced first-hand how particularly important it is for large organisations that hold highly sensitive information, such as banks and other financial institutions, and for their regulators.
What are the different kinds of data breaches?
Verizon’s 2021 Data Breach Investigations Report showed that the number of data breaches has increased dramatically in the last year, up around 30% since 2020. While the execution of many of these attacks was highly technical in nature, the report highlights the large number that began with a simple social engineering campaign designed to trick people into giving up vital information.
Indeed, it is increasingly common for perpetrators to target particular people with spear-phishing and whale-phishing attacks. These attacks are often highly personalised and are designed to appear as though they have come from an internal source. Known examples include cases where a bad actor has created an authentic-looking email from the business’ CFO directing a more junior member of staff to urgently provide corporate data to the bad actor, who is masquerading as a familiar third-party supplier.
Verizon’s report highlights that in 2021, denial-of-service attacks were the most common, alongside a considerable spike in ransomware attacks.
The consequences of a data breach
Beyond the immediate impact of a data breach there are also a range of damaging long term consequences for targeted organisations. Research by Varonis shows these include loss of reputation and customer trust, with 80% of consumers saying that they will defect from a business if their information is compromised by a breach, and 85% saying they would tell others about their experience.
Beyond the loss of reputation and customer trust, the need to divert resources to deal with the destabilising impacts of a data breach often means the harm will extend to the de-prioritisation of normal business activities. Analysis from RSI Security shows that it takes an organisation 6 months on average to recover from a data breach and resume ‘business as usual’. This can be crippling for an organisation’s longer term commercial prospects as competitors use that same 6 months to focus on growth and attacking greater market share.
What’s more, regulators’ interest in the digital governance of organisations is gaining dramatic momentum and there is real regulatory risk if firms don’t get to grips with the challenge. Gartner reports that by 2024, more than 80% of organisations worldwide will face modern privacy and data protection requirements and by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% in 2020.
Foundational steps to prepare for any data breach
A key step for an organisation in preparing for the possibility of any data breach is first to fully understand the data and information it holds, so that the right risk controls can be applied to that information. This means knowing what kind of data you have, who has access to it and where it is stored.
In addition to having the right people in place to answer these questions, it is often critical that organisations deploy the right technology. This will often require technology that is able to quickly search through hundreds of millions of documents and identify, with forensic precision, critical Intellectual Property (IP) or other commercially sensitive information sitting in places like personal drives.
The same kind of technology is needed to locate customers’ Personally Identifiable Information (PII), which often sits within oceans of unstructured corporate data and which needs to be properly managed to minimise the chance of data loss and regulatory action.
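The data-discovery step described above, in miniature, as an added example that is not part of the original article and is not Nuix’s product or code: a small scanner that walks a directory tree, looks for email addresses, payment-card numbers (validated with the Luhn checksum so that order references and other digit runs are not counted) and a “CONFIDENTIAL” marker used here as a stand-in for commercially sensitive IP, and then rolls the findings up into an inventory by location. The directory layout, file contents and the detection patterns are all constructed for the example; a real programme would use a much richer set of classifiers and a document-text extraction layer, but the shape of the output (what, where, how much) is the point.

```python
"""Minimal sensitive-data discovery scan over a directory tree (constructed example)."""
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Detection patterns. Constructed for this example; a production classifier
# set would cover many more PII types and jurisdiction-specific identifiers.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # 13-19 digits, optionally separated by spaces or dashes; validated with Luhn below.
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    # Assumed house convention: documents carrying trade secrets are labelled CONFIDENTIAL.
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}

# Sample documents (constructed; the card numbers are well-known test numbers, not real cards).
SAMPLE_DOCS = {
    "personal_drives/j_doe/customer_export.csv": (
        "name,email,card\n"
        "Alice Example,alice@example.com,4111 1111 1111 1111\n"
        "Bob Example,bob@example.com,5500 0000 0000 0004\n"
    ),
    "personal_drives/j_doe/notes.txt": (
        "Order ref 1234 5678 9012 3456 is not a card number.\nCall me at the office.\n"
    ),
    "shared/product/roadmap.txt": "CONFIDENTIAL - 2025 roadmap. Contact pm@example.com.\n",
    "shared/public/press_release.txt": "Our new office opens in March.\n",
}


@dataclass
class Finding:
    path: str            # path relative to the scan root, POSIX style
    counts: dict         # detection kind -> number of hits in this file


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count sensitive-data hits in one document; card candidates must pass Luhn."""
    hits = Counter()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if kind == "card_number":
                digits = re.sub(r"[ -]", "", match.group(0))
                if not luhn_ok(digits):
                    continue
            hits[kind] += 1
    return dict(hits)


def scan_tree(root: Path) -> list:
    """Walk every regular file under root and keep the files with at least one hit."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        counts = scan_text(path.read_text(errors="ignore"))
        if counts:
            findings.append(Finding(path.relative_to(root).as_posix(), counts))
    return findings


def inventory(findings: list) -> dict:
    """Roll findings up by top-level location (e.g. personal_drives vs shared)."""
    by_location = {}
    for f in findings:
        location = f.path.split("/", 1)[0]
        by_location.setdefault(location, Counter()).update(f.counts)
    return {loc: dict(c) for loc, c in by_location.items()}


def build_sample_tree(root: Path) -> Path:
    """Write the constructed sample documents under root and return root."""
    for rel, content in SAMPLE_DOCS.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def run_demo() -> dict:
    """Build the sample tree in a temp directory, scan it, and return the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        return inventory(scan_tree(root))


if __name__ == "__main__":
    for location, counts in run_demo().items():
        print(f"{location}: {counts}")
```

Run as a script it prints one line per top-level location, which is the starting point the article asks for: personal drives holding customer emails and card numbers are exactly the places that need access controls and, in an incident, are where the investigation begins.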
Knowing your data is the key
Having this detailed map of the sensitive data in the business also gives you a better starting point for any investigation in the event of a breach. The use of forensic tools can then allow you to drill down into the root cause of the incident, more quickly identify the scope and impact of the breach and enable the organisation to better recover. This will in turn provide learnings that inform the changes needed to be made to minimise the impact of future attacks.
A robust data audit programme should be an ongoing process, and running one will be an important factor in helping organisations continue to mature their risk management and information governance frameworks over time. Taking this kind of approach is also expected to offer wider commercial benefits. Studies have shown an increasing link between consumers’ expectations of how their data is treated and their loyalty to the organisations they provide it to. For the banking sector, research from Singapore’s Nanyang Technological University shows that consumers need to have faith in the security of their digital banking in order to stay loyal.
More broadly, Gartner estimates that over 40% of data projects will relate to customer experience in some way. So for any data-driven business, understanding your data is not just a critical risk management or regulatory requirement but should also position the business to better deal with customers’ commercial needs and opportunities.