Most data breaches you read about focus on big organisations, but a new report claims that the majority of incidents occur at small and medium-sized enterprises (SMEs). The latest European Union Agency for Network and Information Security (ENISA) Threat Landscape Report found that 61% of breaches affected organisations with fewer than 1,000 employees.
The sectors most likely to be targeted are:
- Medical and health care (35.4%)
- Government and military (8.1%)
- Education (7.4%)
The report also records a 25% increase in reported data breaches over the past year, which supports other reports and anecdotal evidence from cyber security experts that cyber criminals are becoming far more prolific. ENISA points to three attack methods that organisations need to pay attention to:
- SQL injection, in which attackers supply input that a web application embeds unescaped into a database query, so that the input is executed as SQL. This allows them to spoof users’ identities, tamper with existing data, void transactions, change balances, become administrators of the database server, or disclose or destroy data.
- Phishing, in which attackers impersonate a legitimate organisation by email or other form of communication (such as text or social media). These messages typically contain a link or an attachment, which the attacker uses to steal the recipient’s personal data or infect their system with malware.
- Insider threats and privilege misuse, which includes any unauthorised use of organisational resources – whether accidental or malicious. In either instance, sensitive information is exposed and is classed as a data breach.
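The SQL injection item above describes the outcomes (identity spoofing, data disclosure) but not the mechanism. The following is an added example, not code from the ENISA report or from the page; it uses Python's built-in sqlite3 module with an in-memory database, a constructed `users` table and plaintext passwords purely for brevity (a real system would store password hashes). It shows a login query and a search query built by string formatting, the same queries using bound parameters, and the payloads that bypass authentication and dump rows from the vulnerable versions while the parameterised versions treat the same input as a harmless literal.

```python
import sqlite3


def setup_db():
    """Create an in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)"
    )
    # Constructed sample data; plaintext passwords are a simplification for the demo.
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("alice", "correct horse", 1), ("bob", "hunter2", 0), ("carol", "letmein", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled input is spliced into the SQL text itself."""
    query = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Same query with bound parameters: the input can only ever be a value."""
    query = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def search_vulnerable(conn, term):
    """Directory search meant to list only non-admin users matching a term."""
    query = (
        "SELECT username FROM users "
        f"WHERE username LIKE '%{term}%' AND is_admin = 0"
    )
    return sorted(row[0] for row in conn.execute(query))


def search_safe(conn, term):
    """The wildcard pattern is built in Python and bound as one parameter."""
    query = "SELECT username FROM users WHERE username LIKE ? AND is_admin = 0"
    return sorted(row[0] for row in conn.execute(query, (f"%{term}%",)))


if __name__ == "__main__":
    db = setup_db()
    # Identity spoofing: the comment marker '--' discards the password check.
    print(login_vulnerable(db, "alice' --", "wrong"))   # ('alice', 1)
    print(login_safe(db, "alice' --", "wrong"))         # None
    # Data disclosure: the tautology removes the is_admin filter entirely.
    print(search_vulnerable(db, "%' OR 1=1 --"))        # ['alice', 'bob', 'carol']
    print(search_safe(db, "%' OR 1=1 --"))              # []
```

The vulnerable and safe functions run identical SQL for honest input; the only difference is whether user input reaches the query as text or as a bound value. Note that sqlite3 refuses to run more than one statement per `execute()` call, so stacked statements such as an appended `DROP TABLE` fail here even against the vulnerable code; other database drivers and engines do not necessarily give that protection.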
The report also highlights the threat of physical data being lost or stolen. As with insider threats, such incidents are classed as data breaches even if no one outside the organisation accesses the information.
Organisations will no doubt be frustrated that, amid the rise of cyber crime, their own employees are among their biggest weaknesses. Phishing relies on employees lacking the skills or the time to identify a message as fraudulent. Similarly, accidental breaches, privilege misuse and data loss all stem from employees not understanding their obligations to keep data secure. Insider threats arise when employees are given broader access to data than their role requires and/or when the organisation lacks the oversight to spot suspicious activity.
Educating staff on the ways they potentially expose data helps organisations turn one of their biggest vulnerabilities into an area of strength. You can find everything you need to teach your employees in our Information Security Staff Awareness E-Learning Course.
This course aims to reduce the likelihood of human error in your organisation by familiarising non-technical staff with security awareness policies and procedures. It ensures that information assets are better protected, and increases customer and employee confidence in your organisation.