An organization’s weakest link is most often human, not technological. Moss Adams’ Francis Tam explains why, when it comes to cybersecurity, anomalies like daily logins, users and infrastructure changes should be an organization’s main concerns.
In today’s technology-driven world, information can be a company’s most valuable – yet vulnerable – asset. Data breaches have become more frequent and costly in recent years, with many high-profile cases like the Equifax breach in 2017 making headlines. It’s crucial, then, for companies to properly utilize data monitoring and cybersecurity audits to avoid breaches or having information stolen.
Breaches can cost companies an average of $3.9 million, and an alarming 54 percent of companies will experience a cyberattack at some point. Full IT assessments can be time-consuming and costly, so companies often skip this crucial process or don’t make it a priority, leaving them vulnerable. Implementing data monitoring for your company’s cybersecurity can help prevent major breaches.
Risks of a Data Breach
Data breaches can put not just a company and its employees at risk, but also its customers. The aftereffects of a data breach can be just as costly as the loss of the information itself. Depending on the scale of the breach, a company’s reputation could become significantly damaged, driving down profits and jeopardizing customer and client relationships, leading to future loss of business.
There are also damage control costs associated with the response to a breach, such as:
- Forensic investigation
- Remediating systems-related vulnerabilities
- System downtime or other actions taken to recover stolen information
- Setting up new accounts and help desks for affected customers
- Planning internal and external communications about the breach
- Preparing for additional safeguards and monitoring
Companies may even face legal or regulatory fines and lawsuits following breaches.
Causes of Data Breaches
Data breaches frequently happen without a company even realizing it, and it can often take a significant amount of time for a company to become aware that a breach occurred. Most data breaches are caused by intentional criminal attacks, but they can also be the result of simple technology malfunctions and human error.
Limited System Controls
Companies often have inadequate or primitive systems controls – firewalls, intrusion prevention systems, etc. – that don’t effectively block remote and unauthorized access to data.
Ineffective Detection Controls
How data is monitored can also lead to vulnerabilities. Companies often don’t address the level or quality of their detection controls, or the ways in which they continuously monitor abnormal activities, whether they’re coming from inside or outside the organization. This can allow hackers or other unauthorized parties to slip by and access data undetected.
Lack of Training
When attacks happen from outside the organization, they’re difficult to detect. It can often take even longer for a breach that happens from within an organization to be discovered, and a breach may not even be viewed as an anomaly by employees. This may happen because the company didn’t provide adequate security awareness training for its employees. Employees may make data vulnerable during their day-to-day activities without even realizing it. They may not know the correct protocol if asked to upload, download or divulge sensitive information.
How to Prevent a Data Breach
There are many steps companies can take to protect their data. Here are some basic steps to follow:
Classify Data and Assess IT Risks
Each company has data unique to its operations or business model, ranging from personally identifiable information (PII) to more abstract information. Common types of data at risk can include:
- Social security numbers
- Driver’s license numbers
- Credit card numbers
- Health care information
- Financial statements
- Trade secrets
- Business leads
The first step to protecting data is simply to identify the type of data a company touches by taking inventory and categorizing data. While every company has a lot of data, not all data is necessarily sensitive information.
By classifying data in different sets from most sensitive to least, companies can identify their weaknesses, develop an IT risk heat map and prioritize their most urgent needs and resources to safeguard the data.
Evaluate IT Controls and Security Awareness
Various types of tests can be performed to determine the safety of data. These can include phishing attempts, in which fraudulent attempts are made to obtain data by posing as a trustworthy source, as well as firewall monitoring to determine how strongly the flow of traffic into and out of a company’s network is being tracked.
Penetration assessments, in which simulated hacking attempts are made within a controlled environment, should also be performed and tailored to a company’s specific needs. This will help test its unique combination of systems, controls and processes and counter insufficient software updating, improper system configuration, inherent software flaws or operational process weaknesses.
Monitor Data Flow
With many companies operating nationally or internationally and technology allowing data to be accessed remotely, a company’s data can potentially be accessed from anywhere. However, businesses likely have high traffic times and locations for when and where their data is accessed – for example, during business hours or in locations where the company has offices and workers.
If information appears to be accessed in ways that don’t match these usual patterns, or other abnormal activities seem to have taken place, that may be a red flag that information has been breached.
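The baseline check described above can be expressed as a small detection routine. The following Python example is added here for illustration and is not part of the original article; the log format, the business hours, the office countries and all function names are assumptions, and timestamps are assumed to be in office-local time.

```python
from datetime import datetime, time
# Assumed baseline (hypothetical values): when and where data is normally accessed.
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # office-local hours
BUSINESS_DAYS = {0, 1, 2, 3, 4}              # Monday to Friday
OFFICE_COUNTRIES = {"US", "CA"}              # countries with offices or workers

# Constructed sample access log: timestamp, user, country, resource.
SAMPLE_LOG = """\
2024-03-04T09:15:00 alice US customer_db
2024-03-04T14:40:00 bob CA finance_share
2024-03-05T02:47:00 alice US customer_db
2024-03-06T11:05:00 carol RO customer_db
2024-03-09T23:30:00 bob BR finance_share
malformed line
"""

def parse_line(line):
    """Return an event dict, or None if the line is not in the expected format."""
    try:
        ts, user, country, resource = line.split()
        ts = datetime.fromisoformat(ts)
    except ValueError:          # wrong field count or bad timestamp
        return None
    return {"ts": ts, "user": user, "country": country, "resource": resource}

def reasons_for(event):
    """List every way the event departs from the baseline."""
    reasons = []
    if event["ts"].weekday() not in BUSINESS_DAYS:
        reasons.append("outside business days")
    elif not (BUSINESS_HOURS[0] <= event["ts"].time() < BUSINESS_HOURS[1]):
        reasons.append("outside business hours")
    if event["country"] not in OFFICE_COUNTRIES:
        reasons.append("unexpected location")
    return reasons

def flag_anomalies(log_text):
    """Return (flagged events with reasons, count of unparseable lines)."""
    flagged, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_line(line)
        if event is None:
            skipped += 1        # counted, not silently dropped
            continue
        reasons = reasons_for(event)
        if reasons:
            flagged.append((event["user"], event["ts"].isoformat(), reasons))
    return flagged, skipped
```

Calling flag_anomalies(SAMPLE_LOG) returns the flagged events together with the number of lines that could not be parsed, so gaps in the log feed are visible rather than hidden.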
Provide Security Awareness Training
Company employees who have access or high-privilege rights to sensitive information should be trained to spot suspicious requests to disclose information or move assets, even if they appear to come from legitimate sources or within the organization.
Companies should also have an action plan in place in the event of a breach so employees know how to appropriately question, challenge and respond to these abnormal requests.
Monitor Service Providers
Companies should continually monitor the activities of third-party service providers, such as cloud and SaaS operators, who come into contact with their sensitive data and information. Companies can’t necessarily perform scans on an outside organization, but options for performing due diligence can include providing these groups with questionnaires relating to how they handle data or reviewing system and organization controls (SOC) and network penetration vulnerability reports.
While there are many steps companies can take to prevent data breaches, having a trusted advisor with expertise on how to monitor and prevent attacks can be very beneficial.
Depending on the type of company, the frequency with which monitoring should take place is increasing quickly, with some organizations, such as ecommerce groups, potentially needing daily overview. This can become burdensome and time-consuming, but the presence of a trusted advisor can make the process smooth and efficient. Advisors can also provide in-depth security awareness training for employees to keep an eye out for risks that could lead to future breaches and help create a company action plan should a breach occur.
Cybersecurity is a continuing exercise, and as technologies change, there will only be more cases in which companies are at risk.