Today, data security is top of mind for companies, consumers, and regulatory bodies. After years of unfettered participation in the data-driven digital age that was defined by an “anything goes” ethos and a “move fast and break things” mentality, this shifting sentiment is both drastic and welcome.
For businesses of every size operating in every sector, this has broad implications. Data breaches and privacy failures are both increasingly prevalent and incredibly expensive. A study by Risk Based Security found that data breaches are up more than 54% from the same period a year ago. Meanwhile, IBM’s annual Cost of a Data Breach Report found that the average total cost of a breach approaches $4 million.
Taken together, it’s clear that data security and privacy will be a bottom-line issue heading into 2020 as a new era marked by privacy and security permeates the digital landscape.
To help your company prepare for this growing inevitability, here are 20 data security risks that your company could face in 2020.
Sometimes data breaches and privacy violations are the work of sophisticated hackers who take advantage of particular vulnerabilities to steal information. However, too often, data breaches are caused by accident.
For instance, a study by Shred-it found that 40% of senior executives and small business owners report that negligence and accidental loss was the foundational cause of their latest security incident.
This reality was underscored recently when an employee at an Australian government contractor accidentally emailed to the public an internal spreadsheet storing people’s personally identifiable information.
Today’s threat landscape can be exhausting. Just ask the IT admins responsible for protecting a company's most important data.
Hackers only have to be right once to inflict serious damage on a business's bottom line, while IT admins are charged with perfectly repelling a constant barrage of attacks. That’s probably why nearly 2/3 of cybersecurity specialists have considered quitting their jobs or leaving the industry entirely.
This turnover – and the inevitable performance lag that accompanies overworked employees – leaves companies vulnerable to a data security or privacy failure.
In most cases, employees are a company’s greatest asset, facilitating the exchange of goods and services that allow businesses to flourish.
Of course, sometimes employees, either by accident or on purpose, can be a company’s greatest liability. Theft of company data by current and former employees is incredibly common, something that the Canadian credit union, Desjardins, learned the hard way.
In June 2019, a former employee stole personal data of nearly 3 million customers, marking one of the biggest data disasters in the country’s history.
Digital communication is a ubiquitous part of our daily lives, and it could also be a consequential vulnerability for companies striving to protect customer privacy.
Using personal devices or personal accounts to convey sensitive customer information is frighteningly common.
For instance, in the healthcare industry, nearly 30% of healthcare team members acknowledge using personal devices to communicate private patient details.
An analysis by Microsoft found that phishing scams are up 250% this year. What’s more, the techniques are becoming more sophisticated, making them both more difficult to identify and more successful in their implementation.
These emails can flood corporate inboxes at little expense to hackers. Meanwhile, a single employee click can compromise troves of company data.
There are a lot of ways for hackers to make money from stolen data. While the Dark Web offers a vast network of sales opportunities, increasingly cybercriminals are turning back to the source for their income.
Rather than selling stolen data online, thieves are exploiting companies for a ransom payment, creating a no-win scenario for businesses victimized by this approach.
Ransomware attacks have received a new lease on life, increasing by 500% year-over-year, while serving as a serious data security risk for businesses, government agencies, and beyond.
In the past few years, several high-profile companies have endured data breaches on the heels of employees who were bribed to leak company information.
In 2018, Amazon investigated several employees for their role in a bribery scheme that compromised company data. More recently, it was revealed that AT&T employees were receiving bribes to plant malware on the company network that provided insights into AT&T’s inner workings.
To be sure, bribing employees isn’t the most obvious way to perpetrate cybercrime, but it’s a vulnerability that companies need to be prepared to address.
In 2019, local municipalities across the U.S. have had their IT infrastructure disrupted by ransomware attacks. However, this threat isn’t just relegated to government institutions. SMBs and other businesses without the most recent cybersecurity capabilities are all exposed to this threat.
Unfortunately, the cost to recover data has more than doubled in 2019, and all signs indicate that this trend will continue well into next year.
Access to company or customer data should be a need-to-know arrangement that minimizes the opportunity for misuse or abuse. However, too many companies give all employees complete access to all the company's data all the time.
In doing so, they unnecessarily increase the likelihood that a security or privacy issue will emerge in the future.
Data privacy extends to everyone, including employees, and every company needs to ensure that someone is monitoring the monitors. Failing to provide accountability at every level of an organization creates the possibility that a data privacy event will occur next year.
Employees steal company data for many reasons, but one of the most obvious and tangible motivations is money. A study by Deep Secure found that 45% of employees would consider selling company data to outsiders, and, incredibly, this information is very affordable.
The study found that 15% of UK employees would sell information for $1,260, while 10% would sell data for as little as $315.
This data may be cheap for bad actors to attain, but it could be costly for companies in 2020.
SMBs are the most vulnerable to a cyberattack, and their executives are the least likely to prioritize cybersecurity initiatives. A study by Keep Security found that 66% of SMBs don’t believe they will incur a data breach, which is antithetical to evidence produced by the Ponemon Institute that found that 67% of SMBs endured a serious attack in the last year.
According to Verizon’s Data Breach Investigation Report, a surprising number of data breaches, nearly 24%, are motivated by employee boredom. The report found that “pure fun” was one of the top reasons for a cybersecurity or privacy-violating incident.
It underscores the blasé attitude toward data security that still permeates many organizations, which holistically represents a profound threat heading into next year.
Phishing campaigns are obnoxious, but spear phishing campaigns are downright nasty. This particular brand of phishing attack uses previously stolen data to create authentic-looking emails that are difficult to stop and defend against.
Recently, the City of Naples learned this lesson in an embarrassing and expensive episode that cost the city $700,000 when an employee was tricked into paying a fraudulent invoice received as part of a targeted spear phishing campaign.
As more and more data becomes available online, these attacks could only intensify in the future.
Oftentimes, data breaches or privacy violations are just the first offense in a growing list of cybercrimes. For instance, a report by Risk Based Security found that email addresses and passwords are the most sought-after data online, occurring in 70% of all data breaches. This information can be deployed in other, more nuanced cyber attacks.
Few people have as much access to company data as an organization’s founders. This isn’t a problem until it becomes a huge problem when they decide to leave the company or are forced out by institutional or market dynamics.
Privileged users frequently present a vulnerability because they are implicitly trusted while oversight is often minimal or nonexistent, creating an unnecessary opportunity for data loss and privacy violations.
A surprising number of employees are willing to steal company data to gain an edge on the job market. For instance, two former Apple employees working on the company’s secret car project were charged with data theft after they stole more than 2,000 files related to the project.
Meanwhile, the perpetrators were in the application process at a China-based autonomous car company. Whether employees are looting intellectual property, customer data, or other valuable information, it can provide a leg up in a competitive job market, which presents a data security risk for companies operating in 2020.
A study by Google found that 1.5% of all login credentials used on the internet are vulnerable to credential stuffing attacks that deploy previously stolen information to inflict further damage to the company's IT infrastructure.
Interestingly, employees were reticent to change or improve these passwords when notified of their susceptibility. Failing to account for controllable elements, like following password best practices, exposes your organization to great risk now and in the year ahead.
In July, credit card company Capital One burst into the headlines for all the wrong reasons when they endured a data breach that compromised 100 million records.
The breach was orchestrated by a hacker who, by most accounts, was looking for bragging rights among various online communities.
For some, data theft isn’t about data or privacy, it’s about their own notoriety, and that’s a problem for businesses striving to protect their customers’ digital privacy.
Today’s dangerous digital landscape can be paralyzing. Discouraged by the notion that a security incident or privacy violation is an inevitability, too many companies will give up, taking their chances rather than fortifying their defenses.
In many ways, this might be the most significant vulnerability of all. Rather than controlling the controllable, accounting for the risks, and implementing a security strategy that addresses holistic data security, they just do nothing.
Much like the years preceding it, 2020 will be replete with risks, and this presents every organization with an opportunity to differentiate themselves in how they manage this uncertainty and how they plan to protect their company and customer data going forward.
2020 is fast approaching. Don’t miss the opportunity to start getting ready now.
About the Author: Isaac Kohen is CTO and Founder of Teramind, a leading, global provider of employee monitoring, insider threat detection, and data loss prevention solutions. He recently authored the e-book: #Privacy2020: Identifying, Managing and Preventing Insider Threats in a Privacy-First World. Follow on Twitter: @teramindco.