December 21, 2022

Sources of a Data Breach: Where are the Risks?

Data breaches are on the rise. According to the Identity Theft Resource Center’s 2021 Annual Data Breach Report, 2021 set a record for publicly reported data breaches at 1,862. Preparedness stems from understanding the potential sources of privacy and information breaches. According to the Shred-it® 2022 Data Protection Report (DPR), small business leaders (SBLs) say that there are four main origins of a data breach:

Malicious outsider: This is when someone outside the company breaches confidential data. For example, earlier this year, Microsoft’s Bing was one of the many victims of the digital extortion gang Lapsus$, which breached and leaked portions of source code from Microsoft's Bing search engine, Bing Maps, and Cortana virtual assistant software. Of those surveyed in the DPR, malicious outsiders caused 55% of the data breaches they experienced in 2021.

Employee error: An employee error can be as simple as throwing a document that contains confidential information into the trash or recycling bin, since some criminals go dumpster-diving to recover exactly that kind of information. SBLs surveyed by Shred-it® in the 2021 DPR reported that employee error was the cause of 22% of the data breaches they experienced in 2020. The 2022 DPR reveals that 48% of SBLs surveyed said employee error was the cause of the breaches they experienced in 2021, an increase year over year.

Malicious insider: A malicious insider is someone working within an organization to exploit confidential data. According to the 2022 Ponemon Institute Cost of Insider Threats Global Report, malicious insiders caused 26% of the incidents studied, at an average cost of $648,062 per incident. The Ponemon report also found that malicious insiders are harder to detect than external attackers or hackers. SBLs surveyed for the 2022 DPR reported that malicious insiders were estimated to cause 31% of the data breaches they experienced in 2021.

External service provider/partner/supplier: A third-party attack happens when an attacker reaches your systems and data through an outside partner or supplier that has been granted access to them. When that vendor is compromised, every dataset it can reach, including yours, is exposed. In the 2021 DPR, external clients or partners were reported to have caused 40% of the data breaches those surveyed experienced in 2020. In the 2022 DPR, the SBLs surveyed reported this to be the cause of 16% of breaches experienced in 2021 for those located in the United States and 30% for those located in Canada.

Protection Against Data Breaches

Regardless of the source of a data breach, there are steps businesses can take to help protect themselves.

Employee training. Regular employee training can help employees better understand their role in helping the organization remain secure and what to do if a data breach happens. More in-depth security training during employee onboarding should also be required. According to the Verizon 2022 Data Breach Investigations Report, most of the breaches it analyzed (82%) involved a human element. Attackers know people are susceptible to phishing and use convincing emails with malicious links or attachments to harvest credentials or deliver ransomware. Strategic and ongoing training can help employees identify physical and digital security risk factors and teach ways to help prevent them in the future.

Digital security. As a continuation of employee training, there are several steps employees can take to improve their digital security. These include using strong, unique passwords, using a virtual private network (VPN) on untrusted networks, knowing how to spot dangerous emails, and enabling two-factor authentication (2FA) or multi-factor authentication (MFA) so that a stolen password alone is not enough to log in.

Use a shredding company to destroy old documents and hard drives. Throwing papers in the trash can or recycling bin will not prevent criminals from sorting through piles of paper to find private information. Physical risks to information security include paper, hard drives, phones, tablets and other electronic devices, which store confidential information.

Do not leave documents in unsecured areas. Do not leave papers on desks, at printer stations, in trash cans, or in recycling bins. A clean desk policy helps ensure that physical documents are shredded or locked away and that all devices are locked and password protected each time an employee leaves a workspace.

Properly vet external service providers. Ask several questions about a vendor's data security practices before trusting it with confidential data. Inquire about what data protection policies and procedures it has instituted, such as software testing and auditing, what IT resources it has, and what its incident response plan is in case of a data breach.

Learn how Shred-it® can help you protect your business from physical data breaches.