Is your organisation at risk of a data breach?

The cyber security landscape has changed dramatically in recent years. It used to be that cyber attackers deliberately targeted giant household-name organisations (like the CIA) for the glory of being able to tell other attackers about what they’d done. Then came the era of commercial hacking, where attackers targeted organisations with a lot of money, such as banks and financial institutions. At the same time, virtually unstoppable nation-state-sponsored groups target other countries’ infrastructure and businesses to gain an advantage over their enemies. We’re seeing this right now in Russia and Ukraine.

But now, things are changing again – and everyone is a target. Whoever you are, hackers are after your data. The question is, what can you do? How can you lower your risk of a data breach? Or, if you do get breached, how can you reduce its impact? In this article, we’ll try to help you.

Cyber risk is greater than ever

Today, cyber-attacks are cheaper and easier to mount than ever, thanks to developments such as:

  • AI-powered hacking-as-a-service available on the dark web
  • Remote/hybrid workers operating outside the historical ‘safety’ of an enterprise-grade firewall
  • Better, AI-created phishing emails and even deep fake videos that gain people’s confidence and lure them in
  • Business reliance on webs of third-party interactions, where a single compromised partner can expose the whole network
  • Increased use of BYOD (bring your own device) in some sectors
  • More stolen data available on the web to underpin sophisticated social engineering and phishing campaigns

Now, attackers can afford to be more indiscriminate, taking small gains where they can find them. Unfortunately, this means one thing: you’re a target. Whether you’re a giant multinational or a one-person microbusiness, you’re at risk of a cyber-attack resulting in a data breach. They only have to be lucky once; you have to be 100% effective in defence.

What’s your risk?

The first step to reducing the likelihood of a data breach in your organisation is to understand your risks and how big they are. Then, you can build controls around those risks.

At Doherty Associates, we promote the NIST framework for effective cyber security. NIST provides a structured, holistic, scalable way to assess and plan your organisation’s cyber security preparedness. You can read about NIST in more detail in this article.

The first pillar of NIST is ‘identify’, where you audit your assets, including the valuable customer data you hold, your current IT environment (hardware and software) and other risks that exist in your organisation. Let’s look at each of these.

From a data point of view, what are your ‘crown jewels’? How many customer records do you hold, and what do they consist of? Don’t forget the information you have on your employees. If you hold data such as passport and national insurance numbers, it would be devastating if that information was stolen. Is your sensitive data labelled and stored differently from non-sensitive data? Do you know if it gets copied or sent out of your network?

You also need to consider how you comply with regulations relevant to your organisation and industry. If you’re operating in highly regulated sectors like finance or legal, where non-compliance can lead to severe consequences, this affects your risk level.

Next, what technological safeguards do you have in place? For example, every organisation should run multi-factor authentication (MFA) for users to access their systems. If users can get onto your system without being texted a one-time password, or providing some other proof that they’re genuine, that’s a significant risk.

You should also check whether full disk encryption like BitLocker (on Windows) or FileVault (on Macs) is enabled on your organisation’s devices. Full disk encryption means that information stored on a laptop or desktop is not accessible if the hard disk is removed from the device. Importantly, a laptop being stolen doesn’t need to be reported to the ICO as a breach if you are sure that full disk encryption is enabled.

Finally, a thorough risk assessment should include third parties in your supply chain or contractors working with you independently. What access do they have to your information, and how do you control it? You should also consider your employees. How aware are they of the importance of cyber security? If you have people who struggle with IT, they’re probably more likely to click on a suspicious email attachment that lets an attacker into your system.

You can mitigate this risk with ongoing education. Focus the training on the people who need it the most and measure the results to gauge effectiveness. But before you can do anything, you need to know what the risk is.

Are you about to be breached?

Auditing your risks will help you know whether you’re likely to be breached, as well as the possible impact of a breach, such as the data you could lose. However, simply building a picture of the risk cannot prepare you for the most devastating impacts of a breach, particularly if you don’t have the technical knowledge.

When attackers get into your system through whatever means (someone clicking on a suspicious link, for example), they are able to collect all your data without you noticing, and can transfer it to the dark web for storage. They can encrypt all your data so you can’t access it, then contact you to ask you for a ransom (often in Bitcoin), saying that if you pay up, they won’t release your information publicly. They may also call up some of your clients whose details were stored in the data they stole, telling them they have their passport numbers, for example, trying to extort money from them in exchange for deleting the data.

You can invest in tools to tell you if you’re about to be breached, or tools that alert you as soon as something suspicious is detected in your network. However, the way many organisations find out they’ve been breached is when they try to open a file and it’s disappeared, receive a ransom message or get a call from an irate customer whose details have leaked onto the dark web. That sinking feeling that you’ve been hacked is one of the most powerful reasons to do everything you can to prevent cyber-attacks and limit their impact.

How to prevent and limit data breaches

There are so many ways you can protect your organisation, so many different tools available, that it can be difficult to know where to start. It’s essential to take preventive and limiting measures that are appropriate to your organisation and your risk exposure. Not going deep enough could leave you with too much risk, but trying to manage risks you don’t need to is inefficient.

Cyber Essentials – the industry standard cyber security framework from the UK’s National Cyber Security Centre – recommends a range of measures. All of these should be implemented in your organisation immediately as a base, which you can then build on with bespoke cyber security measures:

  • Updating all software applications to the latest versions – Out-of-date software often contains vulnerabilities that attackers can exploit
  • Protecting user logins – Erasing lapsed accounts, implementing multi-factor authentication
  • Ensuring all company devices meet a minimum baseline security configuration – This should be done during the initial setup
  • Malware protection:
    • Endpoint Detection and Response (EDR) – Monitors all activity at your organisation’s endpoints, detects and alerts your security team to anomalies, helping them to respond more effectively
    • Managed Detection and Response (MDR) – Monitoring, detection and response delivered by an external organisation, removing the burden from your security team
    • Extended Detection and Response (XDR) – Streamlined, data-driven monitoring, threat detection and response across your entire organisation
  • Firewalls and web filtering – Can potentially block access to suspicious sites
  • Labelling sensitive data – Tagging data with insights into its content and context. Once data is labelled, you can create rules for specific groups, such as ensuring your most business-sensitive information cannot leave your organisation
  • Cyber security training for your employees
  • Managing your devices in the cloud – The cloud allows you to move away from on-premises solutions, increasing your cyber agility and resilience. Once you’re on the cloud, you can push out policies such as BitLocker
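To make the “labelling sensitive data” item concrete, here is an added example (written for this page; not code from the original article or any product Doherty Associates uses) of the two halves of that control in Python: raising a document’s label when its content contains something more sensitive than the label claims (here, a UK National Insurance number pattern or a passport reference, both of which the article names as devastating to lose), and a transfer rule that blocks the most sensitive label from leaving the organisation. The label names, the detector patterns, the `example.co.uk` domain and the sample documents are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Ordered from least to most sensitive; the index is the label's rank.
LABELS = ["Public", "Internal", "Confidential", "Highly Confidential"]

# Content detectors: a match raises the document to at least the named label.
# The NI pattern is simplified (two letters, six digits, suffix A-D); the
# "INTERNAL ONLY" marker is a constructed convention for this example.
DETECTORS = [
    (re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"), "Highly Confidential"),     # NI number
    (re.compile(r"\bpassport (?:no|number)\b", re.I), "Highly Confidential"),
    (re.compile(r"\bINTERNAL ONLY\b"), "Internal"),
]

# Constructed: the organisation's own mail domains. Anything else is external.
INTERNAL_DOMAINS = {"example.co.uk"}


@dataclass
class Document:
    name: str
    text: str
    label: Optional[str] = None   # None means nobody has labelled it yet


def rank(label: str) -> int:
    return LABELS.index(label)


def classify(doc: Document) -> str:
    """Effective label: the manual label, raised wherever a detector finds
    content more sensitive than the label claims. Unlabelled data is treated
    as Internal rather than Public, so the safe default is 'does not leave'."""
    effective = doc.label or "Internal"
    for pattern, minimum in DETECTORS:
        if pattern.search(doc.text) and rank(minimum) > rank(effective):
            effective = minimum
    return effective


def evaluate_transfer(doc: Document, recipient: str) -> Tuple[str, str]:
    """Decide whether `doc` may be sent to `recipient`. Returns (decision, reason)."""
    label = classify(doc)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "allow", f"{label}: internal recipient"
    if label == "Highly Confidential":
        return "block", f"{label} content may not leave the organisation"
    if label == "Confidential":
        return "allow-with-audit", f"{label} sent externally; logged for review"
    return "allow", f"{label}: external transfer permitted"


if __name__ == "__main__":
    # Constructed sample documents; QQ123456C is a made-up NI-format value.
    payroll = Document("payroll-march.xlsx", "Employee A, NI QQ123456C, salary ...")
    menu = Document("canteen-menu.docx", "Monday: soup. Tuesday: pasta.", label="Public")
    for doc, to in [(payroll, "partner@other-firm.com"), (payroll, "hr@example.co.uk"),
                    (menu, "partner@other-firm.com")]:
        decision, reason = evaluate_transfer(doc, to)
        print(f"{doc.name} -> {to}: {decision} ({reason})")
```

Two design points carry over to real tooling: the effective label is the higher of the manual label and what the content scan finds, so a user cannot mark a payroll export “Public” to get it past the rule, and unlabelled data is not treated as safe to send.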

However, there is no silver bullet in cyber security. While you can take a range of preventive measures that can keep potential attackers at bay, there’s no 100% guarantee that a hacker won’t breach your defences and get to your data.

Part of your cyber security approach should be to limit the ‘blast radius’ of any attack. A good place to start is with access controls. If someone has access to your network, they should automatically only have minimum access privileges to files. Everyone in your organisation should have access to the solutions and files they need to do their job, but nothing more. Ensuring only the people who need to can access your most sensitive data means that an attacker can only move so far, even if they get inside your network.
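The “blast radius” idea above can be measured rather than just described. The Python below is an added example (written for this page, not code from the original article or from Doherty Associates) that takes a small, constructed map of who holds access to what, expands group membership, and reports what a single compromised account could reach under a broad group-based setup versus a least-privilege one. It also flags grants that an access log shows have not been used recently, which is the usual starting point for trimming permissions. All account names, resource names, sensitivity ranks and log entries are constructed.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: each resource with a sensitivity rank (0 = routine, 2 = crown jewels).
SENSITIVITY = {
    "intranet-news": 0, "holiday-calendar": 0, "sales-pipeline": 1,
    "payroll": 2, "passport-scans": 2, "client-contracts": 2,
}

# Over-broad setup: one shared "staff" group that can open everything.
BROAD_GRANTS: Dict[str, Set[str]] = {
    "alice@example.co.uk": {"group:staff"},
    "bob@example.co.uk": {"group:staff"},
    "group:staff": set(SENSITIVITY),
}

# Least-privilege setup: each person holds only what the job needs.
TIGHT_GRANTS: Dict[str, Set[str]] = {
    "alice@example.co.uk": {"group:everyone", "payroll"},        # HR
    "bob@example.co.uk": {"group:everyone", "sales-pipeline"},   # sales
    "group:everyone": {"intranet-news", "holiday-calendar"},
}

# Constructed access log: (principal, resource, days since last access).
ACCESS_LOG: List[Tuple[str, str, int]] = [
    ("alice@example.co.uk", "payroll", 3),
    ("alice@example.co.uk", "intranet-news", 10),
    ("bob@example.co.uk", "sales-pipeline", 1),
    ("bob@example.co.uk", "intranet-news", 40),
    ("bob@example.co.uk", "holiday-calendar", 120),
]


def effective_access(grants: Dict[str, Set[str]], principal: str) -> Set[str]:
    """Resources a principal can reach, following group membership transitively.
    Anything not granted is denied: there is no implicit 'everyone can read'."""
    reachable: Set[str] = set()
    seen: Set[str] = set()
    stack = [principal]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        for g in grants.get(p, ()):
            if g.startswith("group:"):
                stack.append(g)
            else:
                reachable.add(g)
    return reachable


def blast_radius(grants: Dict[str, Set[str]], compromised: str) -> Tuple[Set[str], int]:
    """What one compromised account exposes: the reachable resources and the
    highest sensitivity rank among them (-1 if it can reach nothing)."""
    reachable = effective_access(grants, compromised)
    worst = max((SENSITIVITY[r] for r in reachable), default=-1)
    return reachable, worst


def unused_grants(grants: Dict[str, Set[str]], principal: str,
                  log: List[Tuple[str, str, int]], days: int = 90) -> Set[str]:
    """Resources the principal can reach but has not touched within `days`:
    candidates for removal when tightening access."""
    recently_used = {res for who, res, age in log if who == principal and age <= days}
    return effective_access(grants, principal) - recently_used


if __name__ == "__main__":
    victim = "bob@example.co.uk"   # constructed: suppose this account is phished
    for name, grants in [("broad", BROAD_GRANTS), ("least-privilege", TIGHT_GRANTS)]:
        reachable, worst = blast_radius(grants, victim)
        print(f"{name}: {len(reachable)} resources reachable, worst sensitivity {worst}")
    print("bob's stale grants:", unused_grants(TIGHT_GRANTS, victim, ACCESS_LOG))
```

Under the broad setup a single phished sales account reaches payroll, passport scans and client contracts; under the least-privilege setup the same compromise reaches the pipeline and two routine resources. The `unused_grants` report is what turns “everyone should have only what they need” into a repeatable review.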

Get cyber smarter with Doherty Associates

50% of businesses in the UK reported experiencing a cyber security breach or attack in 2023 (2). Not all of these were successful, but they still cost money to fix (remedying a cyber breach in a small to mid-size company can cost between £50K and £200K in cash terms, as well as reputational damage), not to mention the stress on staff members.

Breaches happen. That’s a fact. But there’s a lot you can do to reduce your risk and lessen the impact of a breach. Why learn about a breach the hard way when you can take control of your cyber security posture and thrive?

At Doherty Associates, we help organisations with both the big picture and the practical aspects of cyber security. We can help you develop a security strategy based on the NIST framework that can govern everything you do, but we can also help with:

  • Setting up conditional access and detective controls
  • Ensuring you’re supported 24/7/365
  • Assisting with day-to-day governance, compliance, and regulatory matters relating to your cyber and information security

For guidance in developing a broader and more robust cyber strategy, contact Doherty Associates.

Sources:

1 – https://newsroom.ibm.com/2024-07-30-IBM-Report-Escalating-Data-Breach-Disruption-Pushes-Costs-to-New-High

2 – https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024
