In the face of an ever-evolving technological landscape, companies across industries are eagerly embracing digital transformation to drive growth, enhance efficiency, and stay competitive. This paradigm shift offers unprecedented opportunities to streamline processes, engage customers on a deeper level, and unlock new avenues of innovation. However, alongside these remarkable advantages come inherent risks, key among them cybersecurity risks, which take many forms, most notably data breaches.
Threat actors are going after organisations’ critical data in an evolving threat landscape, and new breaches are reported frequently. In April 2023, Naivas, Kenya’s largest supermarket chain, announced it was a victim of a ransomware attack carried out by an online criminal organisation. There were two surprising things about this attack. One was the audacity, the other, the transparency. The ransomware attack targeted not only Naivas but also other corporates and organisations locally and beyond, according to Willy Kimani, Naivas’ Chief Commercial Officer. Cybersecurity firm Kaspersky states that spyware attacks on organisations in South Africa, Kenya and Nigeria increased in Q1 2023. It recorded an increase of 18.8 per cent in South Africa, 12.9 per cent in Kenya, and 14.6 per cent in Nigeria from Q4 2022 to Q1 2023.
Let’s start from the basics. What is a data breach? A data breach occurs when information is unlawfully accessed or obtained, and potentially shared, from a system without proper authorisation. The system may contain highly sensitive data such as bank account details, credit card information, names, addresses and customers’ personally identifiable information (PII). If your organisation is breached, the consequences may include the leaking of confidential information, the theft of intellectual property, identity theft, financial fraud, a run-in with the law, and significant reputational damage. If you are a healthcare CIO, picture a scenario where confidential patient records have been pilfered and simultaneously published.
From small businesses to government agencies, no entity is immune to the perils of data breaches. However, some are more prone to breaches than others, depending on the measures they put in place to prevent them and how they react after one has happened.
Richard Muthua, Executive Head of Cloud and Cyber Security, Liquid Intelligent Technologies, and Shalom Onyibe, Head of Cybersecurity Assurance Services, CYBER1 Solutions, help map out the causes of data breaches. Onyibe narrows it down to three main areas, which he says are the lack of policies, lack of training and people’s behaviour.
Data breaches can stem from various sources, including cyberattacks, insider threats, weak passwords, third-party vulnerabilities, physical security breaches, human error, malicious insiders, and phishing. Hackers, for example, can use phishing to obtain the credentials of database administrators, which they then use to access the data. Database administrators may also mistakenly expose their application programming interface (API) keys, which threat actors then use to access the database.
Muthua attributes incidences of data breaches to a lack of understanding about the organisation’s important data assets, including their location and who should handle them. This lack of knowledge, according to him, makes it difficult to effectively protect the data. He also blames insufficient or nonexistent policies and controls governing data management, which leave vulnerabilities in the system. “When policies are in place, there is often a lack of enforcement, allowing for negligence and noncompliance,” he says.
He sees yet another contributing factor: insufficient training across all levels of the organisation, from the board to every employee. “When training staff on how to protect themselves against hackers, the activity should cover topics like social engineering, the purpose of policies and controls, and the potential consequences of breaches.” The training also needs to address people’s behaviour within the organisation, which may heighten incidences of data breaches. The risky behaviours highlighted include “leaving laptops unlocked, clicking on unsafe links, connecting to unsecured Wi-Fi networks, or improperly disposing of sensitive documents.” Addressing these factors is crucial to mitigate the risk of data breaches.
Onyibe’s advice to CIOs is to configure the organisation’s threat landscape to understand the level and type of threats that they are facing. “You need to do a risk assessment of your business to hackers. If you are in the finance sector, your organisation is attractive to hackers because of money. In the energy sector, they may be interested in intellectual property. Hackers may be interested in the IP, so they sell for money.”
Organisations can also incorporate emerging technologies to improve their security measures. “Consider Machine Learning and AI-Based Security solutions – basically, a machine has no emotions, cannot be bribed, and does not get fatigued as opposed to humans who are susceptible to not only these but more things that are a gateway to security breaches.”
Onyibe views automation and integration in the cybersecurity approach as critical. “When you integrate your cybersecurity solutions, you are better placed to respond to attacks. Automation will enable you to automatically respond to cybersecurity issues in a short time.”
To cap this, adopt the Zero-Trust approach, which requires all users, whether inside or outside the organisation’s network, to be authenticated, authorised, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. The C-Suite is, surprisingly, sometimes the weakest link through which threat actors access critical organisation data.
These strategies are recommended:
- Be aware of your environment – how well do you know your personal assistant as an executive? How well do you know the reach of your social media casts?
- Personally ensure you are confident about policies and enforcement levels within your organisation.
- Always double or even triple-check before you act online. Be careful about the websites you visit and applications that you download.
- Keep your professional life strictly separate from your personal life.
- Carefully vet third parties, be they suppliers or vendors.
Data has become a key asset. From customer information and financial records to intellectual property and trade secrets, critical data forms the foundation of a company’s operations and decision-making, and offers an enterprise a competitive advantage. Prioritising data protection is critical for the following reasons:
- Security breaches: The threat landscape is constantly evolving, with cybercriminals becoming increasingly sophisticated in their attacks. Data breaches can lead to significant financial losses, reputational damage, and legal consequences for organizations.
- Compliance and legal requirements: Quite a number of industries now have strict regulatory frameworks and compliance standards in place to safeguard sensitive data. Non-compliance with these regulations can result in severe penalties, fines, and legal actions. It is necessary to meet these legal requirements.
- Business continuity: Critical data loss or corruption can disrupt business operations and lead to substantial downtime. The financial losses, customer dissatisfaction, and damage to the organisation’s reputation cannot be overlooked. Strategies such as regular backups and disaster recovery plans reaffirm business continuity and minimise the impact of potential data incidents.
- Intellectual Property protection: Every self-respecting organisation will invest significant resources in research, development, and innovation. As such, critical data will often include intellectual property, proprietary algorithms, design plans, and trade secrets. Protecting it preserves the organisation’s competitive advantage and market position.
- Maintaining customer trust: Customers expect their personal and financial information to be handled with utmost care and confidentiality. A data breach can erode customer trust, leading to reputational damage and potential customer churn. An organisation invested in demonstrating its commitment to data protection will build and maintain customer trust, fostering long-term relationships and brand loyalty.
- Competitive advantage: If you prioritise data protection, you gain a competitive edge. With data breaches becoming more prevalent, customers and business partners become wary. A high degree of seriousness is warranted when it comes to handling data. Therefore, by implementing robust data protection measures, organisations can differentiate themselves in the marketplace, and attract exactly their kind of customers.
- Data-driven decision-making: Without accurate and reliable data, organisations could end up making flawed decisions with detrimental effects on their operations and outcomes.
Protecting your organisation’s data is undeniably good business.