How Safe Is Your Data?

It may not be as safe as you think. Here are simple steps you can take to help keep your data more secure.

August 4, 2016

Overview Your data might not be as safe as you think it is — and it could cost you dearly. Part of the threat comes, unwittingly, from your employees — and, possibly, even yourself. A significant proportion of cyber breaches (as many as 30%) are caused by “negligence or mistakes,” caused by individuals failing to act responsibly or follow procedure. Two decades after the launch of the web, digital has become so ingrained in our lives that it’s easy to assume you know the best security practices to keep you and your organization safe from a data breach. But as technology continues to drive changes in the way we live and work and as the Internet of Things becomes more omnipresent, the digital risks we all face are only going to increase as more and more devices share data around the world. Read on for some simple steps you can take to help keep your data more secure. In-Depth A growing threat, but an inadequate response The number and potential severity of cyber breaches is increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014; the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before — and the total expected to reach 50 billion by 2020 — there are more potential targets for attackers, as well as more potential for accidental breaches. What’s more, as of late 2015, companies are, for the first time, listing their information assets as nearly as valuable as their physical assets, according to the2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon. So how do you keep your organization’s data — and that of your clients and customers — safe? According to Aon cyber insurance expert Stephanie Snyder Tomlinson, it’s not just a matter of investing in better technology and more robust systems. “A lot of companies find that the weakest link is their employees,” Snyder Tomlinson says. “You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-it note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.” From intern to CEO: Simple steps everyone can take It’s easy for individuals to become complacent about data security, says Brad Bryant, Aon’s global chief privacy officer. But with cyber threats increasing, it’s more important than ever to be aware of the seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization. According to Bryant, there are four key things everyone can do to help protect themselves and their organizations from the rising cyber threat:

Be alert to impersonators— Hackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain they are who they say they are?
Don’t overshare— If you give out details about your personal life, hackers may be able to use the data to build a profile to access your or your company’s information. From birthdays to addresses, small details build up.
Safely dispose of personal information— A surprising amount of information can be retained by devices even after wiping hard drives or performing factory resets. To be certain your information is destroyed, you may need to seek expert advice or device-specific instructions.
Encrypt your data— Keeping your software up-to-date and password protecting your devices may not be enough to stop hackers should those devices fall into the wrong hands. The more security the better, and, with the growing threat, encryption should be regarded as essential.

Key approaches for organizations to better protect data To protect your and your customers’ and clients’ information, investing in better cyber security is only one element. But data breaches don’t just happen through hacks, or even employee errors. At least 35% of cyber breaches happen because of system or business process failures, so it’s vital to get the basics right. Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations should pursue to limit the risk and make sure they’re getting the basics right:

Build awareness— Educate employees on what social engineering fraud is, especially in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
Be cautious— Always verify the authenticity of requests for changes in money-related instructions and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin or destination.
Be organized— Develop a list of pre-approved vendors, and ensure employees are aware. Review and customize crime insurance. When it comes to coverage or denial, the devil is in the details.
Develop a system— Institute a password procedure to verify the authenticity of any wire transfer requests and always verify the validity of an incoming email/phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvements over time.

Much of this advice is not new — but the scale of the threat is increasing, making following it more important than ever. “Social engineering fraud is one of the greatest security threats companies can encounter today,” Fitzgerald warns. “This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites to impersonating an IT engineer, to baiting with a USB drive.” How governments are driving data protection The potential consequences of inadequate data security are becoming more serious as courts and regulators are focusing on this issue globally. The EU is considering a data protection directive to replace previous regulations implemented in 1995. The expected result will be a measure that focuses on protection of customer data. Similarly, an October 2015 ruling by the European Court of Justice highlighted the transfer of customer data between the E.U. and the U.S. “Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction,” Bryant warns. “Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.” It’s not just changing E.U. rules that could affect your business. Internet jurisdictions and organizational operations are increasingly becoming cross-border. This global patchwork of internet rules and regulations is why only 24% of cyber and enterprise risk professionals are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations. Why getting the basics right is critical As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever. “Given the large scope and impact of the various changes in data protection law, coupled with the drastic increase in fines, becoming educated on how to protect our data is more business-critical now than ever before,” Bryant says. Talking Points “The average cost per user of a data breach is now $240… The costs are costly, but the current model of privacy will not make sense going forward.… The Snowden revelations advanced hope that there would be this really excited response that would get government to impose really strict regulations. There was some posturing made, and it seemed like we were heading in that direction, but I don’t think we are going there.” – Lawrence Lessig, Roy L. Furman Professor of Law, Harvard Law School “A step change in sanctions will make privacy a board-level issue. Some businesses will need to start taking these issues a lot more seriously.” – Tanguy Van Overstraeten, Linklaters “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.” – Andrus Ansip, Vice President for the E.U. Digital Single Market Further Reading