How to prevent a data breach, and what to do if it happens to you
It shouldn't be news that data breaches are bad, but perhaps you don't know just how bad they are. It can be tricky to pinpoint the cost of a data breach; the term itself can refer to a wide range of incidents. However, according to a 2020 report from IBM and the Ponemon Institute, the average cost of a data breach worldwide is £2.89 million.
We believe prevention is better than cure in our line of work, so your best bet is to mitigate the risk of a data breach happening in the first place. That said, you should always have a backup plan too. After all, it's better to be safe than sorry.
So, where should you start? Before diving in, you first need to understand what a breach is.
Understanding data breaches
A data breach is the exposure of secure or private information to an untrusted environment. It can be intentional or unintentional: a for-profit attacker exfiltrating records, or an employee leaking sensitive information by mistake. It can involve anything from personal records such as credit card details to internal company emails.
When it comes to understanding the threats, there are a few common weaknesses attackers focus on:
- Weak credentials: Stolen or weak credentials cause most data breaches. If an attacker has a valid username and password combination, they have an open door into your network. Because most people reuse passwords, a password leaked from one site can be replayed against email, other websites, bank accounts and financial services (credential stuffing), and short or common passwords fall quickly to brute-force guessing.
- Stolen credentials: Breaches that start with phishing are a significant security issue. If cybercriminals trick someone into handing over their login details or other personal information, they can use it to access that person's bank and online accounts.
- Compromised assets: Malware on a device can bypass the authentication steps that usually protect it, for example by stealing session tokens or logging keystrokes.
- Third-party access: You could do everything possible to keep your own network and data secure, but attackers can still get in through a third-party vendor that has access to your systems.
- Mobile devices: When employees can bring their own devices (BYOD) into the workplace, it's easy for unsecured devices to download malware-infested apps that give attackers access to data stored on the device. That often includes work email and files as well as the owner's PII.
Because data breaches take many forms and can happen in many ways, you need to be on your guard. This means building a variety of different strategies to protect yourself.
Seven ways to prevent a data breach
How can you reduce the risk of this happening to your company? Below are seven proven ways to prevent cyber security breaches from occurring at your company.
1. Conduct employee security awareness training
Most data breaches aren't the result of a dedicated hacker brute-forcing their way past your best defences. Instead, about 88% of breaches involve human error. All it takes is a single successful phishing email or social engineering ploy to give an attacker a foothold in your systems.
So one of the most important things you can do is train your employees on best practices for data security.
- Teaching employees to follow best practices: Simple best practices can defend against data breaches. For example, training your employees to use strong passwords and never share them with anyone is easy. Yet, so many companies fail to do so.
- Establishing protocols and hierarchies: Develop clear security protocols and lines of responsibility. What steps must each person take? Who is responsible for what? And limit access to sensitive information and privileged actions to the people who need it.
- Educating employees on common threats: Inform employees of common cybersecurity threats and how to avoid them.
2. Create a password policy
Passwords have a limited ability to protect your data and systems. Even when implemented correctly, passwords are limited in helping prevent unauthorised access. If attackers discover or guess the password, they can impersonate a user. And every new password has an associated burden on the person using it.
Having said this, you should still set rules that govern password creation to help prevent sensitive data from being stolen. You can do this by creating an effective password policy; some best practices include:
- Use a password manager: Since complex passwords are almost impossible to remember, most people reuse the same password across accounts. A password manager stores credentials in an encrypted database, generates a strong, unique password for each new account, and some will even notify you if a password turns up in a known breach.
- Think carefully about password expiry: Many organisations still require password changes every 30 to 90 days. Note, however, that current NIST (SP 800-63B) and UK NCSC guidance recommends against forced periodic changes, because they push users towards weak, predictable variations of the old password. Change passwords when there is evidence of compromise, and screen new passwords against lists of known-breached passwords instead. If you do set a maximum password age, notify users before expiry so they know when to change their password.
- Implement multi-factor authentication (MFA): Require a second proof of identity, such as a code from an authenticator app or a hardware security key, so that a stolen password alone is not enough to log in.
3. Enforce a lockout policy
In addition to setting password policies, you can lock user accounts after a certain number of incorrect login attempts. This can be a soft lockout, where the account is re-enabled automatically after a specified period, or a hard lockout that requires an administrator to re-enable the account. Choose the threshold and duration with care: an attacker who knows your usernames can deliberately trigger lockouts to deny service to your own staff, and one who stays below the threshold while trying a few common passwords against many accounts (password spraying) will never trip it. Counting failures per source address as well as per account, and alerting on spikes in failed logins, closes both gaps.
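A minimal implementation of such a policy, as an added example that is not code from the original article. It tracks failed attempts per account, applies a soft lockout that expires on its own, and escalates to a hard lockout that only AdminUnlock clears. The thresholds (5 failures within 10 minutes, a 15-minute soft lock, a hard lock after 3 soft locks) are assumed values chosen for illustration, not figures from the article.

```go
package main

import (
	"fmt"
	"time"
)

// Policy parameters. Illustrative assumptions, not values from the article.
const (
	maxFailures   = 5                // failures before the account is locked
	failureWindow = 10 * time.Minute // failures older than this are forgotten
	softLockFor   = 15 * time.Minute // soft lockout: auto-unlock after this
	hardLockAfter = 3                // soft lockouts before a hard lockout
)

type accountState struct {
	failures    []time.Time // timestamps of recent failed attempts
	softLocks   int         // how many soft lockouts have occurred so far
	lockedUntil time.Time   // zero value when not soft-locked
	hardLocked  bool        // requires administrator intervention
}

// Lockout keeps per-account state. Time is passed in explicitly so the
// policy is deterministic and testable.
type Lockout struct {
	accounts map[string]*accountState
}

func NewLockout() *Lockout { return &Lockout{accounts: map[string]*accountState{}} }

func (l *Lockout) state(user string) *accountState {
	s, ok := l.accounts[user]
	if !ok {
		s = &accountState{}
		l.accounts[user] = s
	}
	return s
}

// Allowed reports whether a login attempt for user may proceed at time now,
// and if not, why.
func (l *Lockout) Allowed(user string, now time.Time) (bool, string) {
	s := l.state(user)
	if s.hardLocked {
		return false, "hard-locked: contact an administrator"
	}
	if now.Before(s.lockedUntil) {
		return false, fmt.Sprintf("soft-locked until %s", s.lockedUntil.Format(time.RFC3339))
	}
	return true, ""
}

// RecordFailure registers a failed attempt and applies the policy.
func (l *Lockout) RecordFailure(user string, now time.Time) {
	s := l.state(user)
	// Drop failures outside the window so stale attempts do not accumulate.
	recent := s.failures[:0]
	for _, t := range s.failures {
		if now.Sub(t) <= failureWindow {
			recent = append(recent, t)
		}
	}
	s.failures = append(recent, now)
	if len(s.failures) >= maxFailures {
		s.failures = nil
		s.softLocks++
		if s.softLocks >= hardLockAfter {
			s.hardLocked = true // repeated soft locks escalate to a hard lock
			return
		}
		s.lockedUntil = now.Add(softLockFor)
	}
}

// RecordSuccess clears the failure counter but never lifts a lockout.
func (l *Lockout) RecordSuccess(user string) {
	l.state(user).failures = nil
}

// AdminUnlock clears both lock types; only an administrator should call it.
func (l *Lockout) AdminUnlock(user string) {
	s := l.state(user)
	s.hardLocked = false
	s.lockedUntil = time.Time{}
	s.softLocks = 0
	s.failures = nil
}

func main() {
	l := NewLockout()
	now := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timestamp
	for i := 0; i < maxFailures; i++ {
		l.RecordFailure("alice", now.Add(time.Duration(i)*time.Second))
	}
	ok, why := l.Allowed("alice", now.Add(time.Minute))
	fmt.Println(ok, why) // false soft-locked until 2024-01-01T09:15:04Z
	ok, _ = l.Allowed("alice", now.Add(softLockFor+time.Minute))
	fmt.Println(ok) // true: the soft lock has expired
}
```

The pruning of stale failures matters: without a window, a handful of genuine typos spread over weeks would eventually lock a legitimate user out.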
4. Develop a BYOD policy
BYOD (Bring Your Own Device) allows employees to use their personal mobiles, tablets and laptops for work. While this opens up money-saving and productivity opportunities, it also increases risk:
- Loss of control - you can't enforce updates or patch vulnerabilities on devices you don't manage.
- Loss of visibility of where essential data is stored and who has it.
- Possibility of accidental or deliberate data leakage.
- Physical loss or theft of devices - leading to costly data audits.
- Compromised integrity.
A good BYOD policy will create a robust set of rules and regulations for staff to follow.
5. Turn on multi-factor authentication
As I've already mentioned, turning on multi-factor authentication (MFA) adds a layer of protection to the sign-in process. Users must provide additional proof of identity when accessing accounts or apps, such as a one-time code from an authenticator app, a push approval, or a hardware security key. Codes sent by SMS are better than nothing but are the weakest option, since phone numbers can be hijacked by SIM swapping; phishing-resistant methods such as FIDO2 security keys are the strongest.
Implementing MFA across all users, applications, VPN, server login, and privilege elevation helps protect against unauthorised access, data breaches and password-based cyber-attacks.
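To show what the "code from an authenticator app" factor actually checks, here is an added example (not code from the article) of the server side of time-based one-time passwords: HOTP per RFC 4226 and TOTP per RFC 6238, using Go's standard library only. The Verifier compares codes in constant time, tolerates one step of clock drift, and refuses to accept the same time step twice for a user, so a code an attacker phished seconds ago cannot be replayed. The secret and timestamps are the published RFC test vectors, not real credentials.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation, then reduction to the requested number of digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238: the HOTP counter is the number of step-second
// intervals since the Unix epoch.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// Verifier checks submitted codes and remembers the last accepted time step
// per user so that a captured code cannot be replayed within its window.
type Verifier struct {
	secrets  map[string][]byte
	lastStep map[string]uint64
	step     int64
	digits   int
	skew     int // accept +/- this many steps to allow for clock drift
}

func NewVerifier() *Verifier {
	return &Verifier{secrets: map[string][]byte{}, lastStep: map[string]uint64{}, step: 30, digits: 6, skew: 1}
}

// Enroll stores a user's shared secret (in production: encrypted at rest).
func (v *Verifier) Enroll(user string, secret []byte) { v.secrets[user] = secret }

// Verify returns true only for a well-formed, current, not-yet-used code.
func (v *Verifier) Verify(user, submitted string, unixTime int64) bool {
	secret, ok := v.secrets[user]
	if !ok || len(submitted) != v.digits {
		return false
	}
	if _, err := strconv.Atoi(submitted); err != nil {
		return false
	}
	base := uint64(unixTime / v.step)
	for d := -v.skew; d <= v.skew; d++ {
		cand := uint64(int64(base) + int64(d))
		expected := hotp(secret, cand, v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			if last, seen := v.lastStep[user]; seen && cand <= last {
				return false // replay of a code that was already accepted
			}
			v.lastStep[user] = cand
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real one
	fmt.Println(totp(secret, 59, 30, 8))      // 94287082, per RFC 6238 Appendix B
	fmt.Println(totp(secret, time.Now().Unix(), 30, 6))
}
```

Note that the shared secret is the weak point of this scheme: anyone who copies it from the server can mint valid codes, which is one reason hardware keys, whose private key never leaves the device, are the stronger factor.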
6. Encrypt your data
Encryption sounds daunting, but it's necessary to protect your business's sensitive data. At a basic level, encryption is the process of scrambling readable data (plaintext) with a secret key into an unreadable form (ciphertext), which can only be turned back into plaintext by someone holding the key. You can encrypt individual files, folders, whole disks, files stored in the cloud and more.
Strong full-disk encryption is built into modern Windows (BitLocker) and macOS (FileVault), and most Linux distributions offer it at install time (LUKS). Bear in mind that encryption at rest protects data on a lost or stolen device; it does not help against an attacker who logs in with stolen credentials, because the system decrypts the data for any authenticated user.
7. Audit and reevaluate
There isn't a top-to-bottom data security strategy you can design to protect you against all threats permanently. That's because everything is constantly changing. You're hiring new people; your organisation is growing; you're handling new and different data types and using new systems.
As a result, old best practices become obsolete. And most importantly, hackers and cybercriminals continue finding new techniques to exploit vulnerable systems.
If you want to keep preventing data breaches, you'll need to audit and reevaluate both your technology and your efforts regularly.
Are there new security practices you need to be following? Does your technology need updating? Have your employees drifted from specific protocols? Audit your processes and infrastructure regularly.
Data breaches can be expensive, time-consuming, and have a permanent mark on your company's reputation. But the vast majority of data breaches can be avoided. If you work proactively and train your team well, you have the best chance of preventing most data breaches. You'll also set yourself up for a better defence if you experience one.
What to do if you suffer a data breach
My advice depends on your internal IT setup, knowledge, skills and preparation.
If you have no internal IT team, the worst thing you can do is try to deal with the incident yourself. You need to call the experts if you want your business to stand a chance.
Get in touch with a cybersecurity company that specialises in incident response. While this may sound like an expensive path to take, you risk losing your business altogether if you don't. Not to mention all the other costs that come with a breach.
You should be okay if your business has an internal team with a robust incident response plan. If your team doesn't have a plan, however, I suggest calling an expert. After a data breach, you can mitigate the damage by acting quickly, containing the breach and beginning the recovery process, but a lack of preparation can turn a containable incident into lasting reputational damage.
As a small business, managing IT alone can be tricky; you might consider outsourcing to help manage the load. Most good IT partners provide 24/7 monitoring, incident response, and more.
If your team lacks the skills, knowledge, or time needed to effectively manage your business security, co-managed services can help. Co-managed support becomes an extension of your team and covers the bases you need help with.