7 ways your organisation can suffer a data breach

Organisations of all sizes are waking up to the threat of data breaches. But don’t be fooled into focusing on the prospect of a hacker breaking into your systems. There are many other ways that your organisation can be compromised. 

Let’s take a look at seven of the biggest cyber security threats you should be concerned about.

 

1. Employee error

Data breaches aren’t always malicious attacks. Sometimes incidents are caused by the people you put in charge of using that data. 

Employees are one of the leading causes of breaches, because they routinely make mistakes that expose sensitive information to the public. 

This often happens when they send emails to the wrong people or copy recipients in the Cc field instead of the Bcc field, meaning that everyone can see who else received the message.

 

2. Cyber attack

Criminals target organisations in many ways, but their methods can be broadly broken down into three categories. 

First, they can use exploits to access sensitive information. This includes things like brute-force password attacks, in which hackers visit a log-in page and use a tool that tries millions of passwords to find the correct credentials. 

The second type of cyber attack uses malware to gather sensitive information or cause business disruptions. 

The third type of cyber attack is social engineering, which is different enough from the other techniques to warrant its own discussion.
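The brute-force attack described above leaves a characteristic trace in authentication logs: many failed logins from one source in a short time. The following detector is an added example, not code from the original article. It parses constructed sshd-style log lines (the lines and addresses are made up for the example), counts failures per source address over a sliding time window, and raises an alert the first time a source crosses the threshold, reporting how many distinct usernames it tried.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines for this example (not from the original article).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
2024-03-01T09:00:02 sshd[1202]: Failed password for invalid user root from 203.0.113.7 port 51113 ssh2
2024-03-01T09:00:03 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51114 ssh2
2024-03-01T09:00:04 sshd[1204]: Failed password for invalid user guest from 203.0.113.7 port 51115 ssh2
2024-03-01T09:00:05 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51116 ssh2
2024-03-01T09:00:06 sshd[1206]: Failed password for invalid user admin from 203.0.113.7 port 51117 ssh2
2024-03-01T09:00:30 sshd[1207]: Failed password for alice from 198.51.100.20 port 40000 ssh2
2024-03-01T09:00:45 sshd[1208]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
2024-03-01T09:20:00 sshd[1209]: Failed password for bob from 198.51.100.21 port 40002 ssh2
"""

# Matches the two outcomes we care about; "invalid user" is optional because sshd
# only prints it when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Return a dict with ts/outcome/user/ip, or None for lines we do not recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag any source IP with >= threshold failed logins inside a sliding window.

    Returns {ip: {"at": first_alert_time, "failures": n, "users": sorted_usernames}}.
    Only the first crossing per IP is recorded, so a noisy source produces one alert.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["outcome"] != "Failed":
            continue  # successes and unrelated lines do not count towards the threshold
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that fell out of the window.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {
                "at": ev["ts"],
                "failures": len(q),
                "users": sorted({user for _, user in q}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['failures']} failures by {info['at']}, users tried: {info['users']}")
```

The threshold and window are the two knobs a defender tunes: a legitimate user who mistypes a password twice never reaches five failures in a minute, while an automated tool does within seconds. The distinct-username list distinguishes guessing one account's password from trying one password against many accounts, which usually calls for a different response (lockout versus a forced password reset).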

 

3. Social engineering

Social engineering is a type of attack in which criminals imitate a legitimate person or organisation. Depending on the method of attack, they’ll attempt to trick the user into: 

  • Handing over sensitive data; 
  • Downloading a malicious attachment; or 
  • Giving them access to a restricted space (either login details or physical access to the organisation’s premises). 

The most common form of social engineering is phishing. These are spam messages – typically emails – that contain urgent requests, generally about a problem with the organisation’s service delivery or the user’s login details. 

Some phishing scams contain links that direct users to a facsimile of the legitimate site, enabling the crooks to log the individual’s username and password. Others contain malicious attachments that infect the recipient’s computer with malware. 

Although most phishing attacks are email messages, similar tactics are also common on social media and in text messages. 


4. Unauthorised access

Social engineering isn’t the only way someone can steal information from inside your premises. Another example involves a visitor to your office being told to wait by someone’s desk, where they could view sensitive data. 

Although you should certainly be concerned about the public gaining unauthorised access to sensitive information, employees are far more likely to be responsible for such incidents. 

Organisations store all manner of sensitive information, and much of it is only meant for select employees. Take payroll information for example, which should only be accessible to those who need it for their job (typically HR and relevant line managers). 

But if the organisation doesn’t implement appropriate security controls, anyone in the organisation will be able to view that information. They might do so by seeing physical documents or stumbling across it on your online portals.
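The payroll scenario above is a need-to-know problem: access should be granted by role and scope, and anything not explicitly granted should be refused. The following is an added example, not code from the original article, of the kind of control that prevents "anyone in the organisation" from viewing payroll records. The roles, departments and records are hypothetical; the policy grants HR every record, a line manager only their own department's records, and every employee their own record, and it writes an audit entry for each attempt so that browsing beyond one's remit leaves a trace.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset
    department: str


@dataclass(frozen=True)
class PayrollRecord:
    employee: str
    department: str
    salary: int


# Hypothetical policy for the example. A role maps to the scope of records it may read;
# roles that are absent here grant nothing, so an unknown role is still denied.
ROLE_SCOPE = {
    "hr": "all",
    "line_manager": "own_department",
}


def can_view_payroll(user, record):
    """Deny by default: return True only when an explicit rule allows the read."""
    if record.employee == user.username:
        return True  # everyone may see their own record
    for role in user.roles:
        scope = ROLE_SCOPE.get(role)
        if scope == "all":
            return True
        if scope == "own_department" and record.department == user.department:
            return True
    return False


# Audit trail of (who, whose record, decision); in a real system this goes to a log store.
AUDIT_LOG = []


def view_payroll(user, record):
    """Enforce the policy and record the attempt, allowed or not."""
    allowed = can_view_payroll(user, record)
    AUDIT_LOG.append((user.username, record.employee, "ALLOW" if allowed else "DENY"))
    if not allowed:
        raise PermissionError(f"{user.username} may not view payroll for {record.employee}")
    return record.salary


# Constructed users and records for the example.
HR_CLERK = User("hannah", frozenset({"hr"}), "hr")
SALES_MANAGER = User("mark", frozenset({"line_manager"}), "sales")
ENGINEER = User("erin", frozenset(), "engineering")
SALES_RECORD = PayrollRecord("sam", "sales", 42000)
ENGINEERING_RECORD = PayrollRecord("erin", "engineering", 55000)


def denied_attempts():
    """Return audit entries where access was refused, for review by security staff."""
    return [entry for entry in AUDIT_LOG if entry[2] == "DENY"]


if __name__ == "__main__":
    print(view_payroll(HR_CLERK, SALES_RECORD))
    print(view_payroll(SALES_MANAGER, SALES_RECORD))
    try:
        view_payroll(SALES_MANAGER, ENGINEERING_RECORD)
    except PermissionError as exc:
        print("refused:", exc)
    print(denied_attempts())
```

The point of the audit entries is as important as the refusal itself: the article's concern is employees "stumbling across" data, and repeated DENY entries for one user are exactly the signal that someone is looking where they should not.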

 

5. Ransomware

Ransomware is one of the fastest-growing cyber security threats, with almost 2.8 billion known unique forms. It’s a type of malware that encrypts files and blackmails the victim into handing over money to receive the decryption key. 

The threat of ransomware is so severe in part because almost every organisation is vulnerable. Even if your network is resilient, the malware can be planted in phishing emails, ambushing victims when they click the attached file. 

Ransomware victims often feel compelled to give in to the criminals’ demands. However, this is rarely a good idea, because you can never trust that the fraudsters will keep their word and provide the decryption key. Even if they do, you’ve made yourself a target for future attacks. 

You should instead make sure you have a plan for when your organisation is infected.

 

6. Malicious insider

As we’ve explained throughout this article, employees are a major security vulnerability. This doesn’t only include making mistakes that help fraudsters access sensitive information; they might actually be the crooks themselves. 

Malicious insiders tend to be motivated by the same reasons as any other type of criminal: 

  • Revenge: An employee who feels unappreciated or who has been laid off might hit back by sabotaging the organisation. 
  • Financial gain: An employee desperate for money might email copies of databases to themselves to sell on the dark web.

 

7. Physical theft

Not all data breaches relate to digital information. Organisations should also be concerned about physical theft – namely paper records and devices that provide access to sensitive information. 

If paper records aren’t properly disposed of, they can easily end up in the wrong hands. A crook might catch on that you’re throwing documents away without shredding them and loiter by the bins. 

Alternatively, records might fall out of the bin for anyone to see or sit in landfills waiting to be found. 

Similarly, organisations need to take care when disposing of devices like computers and USB sticks. Unless everything is completely wiped, fraudsters and dumpster divers could stumble onto a wealth of sensitive data. 

Physical theft can also occur when employees leave records and devices unattended in a public place. For example, they might turn their back on their bag while on a train or in a café, giving an opportunist thief the chance to swipe its contents. 

 

Take control of your cyber security

Hopefully this blog has made it clear that cyber threats affect every part of your organisation. That’s why investments in the likes of antivirus software aren’t enough to keep you secure. 

You should instead be thinking of your overall practices and how compliance can be effectively achieved. 
