What is a data breach?
A data breach is the unauthorized access of sensitive or confidential information—viewing, manipulating, or stealing. In most cases, a data breach occurs when an outside threat actor targets and compromises corporate data sources, such as IT systems (e.g., computers, servers, networks, databases) or software and cloud systems. This can be done by phishing, malware, ransomware, spyware, or stolen credentials. Malicious insiders can also compromise these data systems using their internal credentials to access sensitive information.
With the number of attacks on the rise, data breach prevention should be top of mind for everyone. Regardless of the target, the damage can be widespread and result in cybercriminals gaining access to adjacent systems (e.g., email contacts, third-party servers) or gaining higher privileges on the same systems.
Cybercriminals are motivated mainly by their ability to profit. They often aim to steal names, email addresses, usernames, passwords, credit card information, and other financial information they may use to access a system or sell on the dark web. They also may look for corporate trade secrets, customer data, and information relative to national security.
In ransomware attacks, critical data isn’t stolen but encrypted by malware and held for ransom. Sensitive information from operational systems and critical infrastructure is also vulnerable to nation-state threat actors who may use political motivation to target and disrupt energy, transportation, or financial infrastructure and systems. Any information that is sensitive, private, proprietary, financial, or confidential (e.g., personal health information or PHI, personally identifiable information, or PII) warrants extra protection to prevent data breaches.
Efforts to prevent data breaches have expanded as the loss from such events has mounted. Data breach prevention programs are critical for adhering to internal security requirements and global compliance standards. Failure to prevent data breaches has many consequences that stem from the exposure and release of sensitive data, including fines, litigation, damage to reputation, loss of sales and customers, and revocations of licenses and services required to run a business.
How does a data breach happen?
Understanding how data breaches happen is essential to establishing the right approach to prevent them. Data breach prevention efforts should focus on the four main avenues threat actors use to conduct a cyber attack: software vulnerabilities that threat actors exploit, misconfigurations in network systems, stolen credentials, and phishing. These leading causes of data breaches are summarized below.
Vulnerabilities in Network Systems
Unpatched software vulnerabilities are a significant driver of data breaches. When new vulnerabilities are discovered and publicized, cybercriminals know that it takes time for organizations to implement a new patch given the sheer number of assets at risk. There can be hundreds and even thousands of valuable assets that require a patch. Threat actors know they can quickly take advantage of unpatched systems by leveraging malware variants and gaining access to networks that have not applied critical updates. As a result, organizations that act slowly, postpone patches, or don’t fully deploy patches across their entire network are more prone to a data breach.
Organizations need visibility of their entire infrastructure to improve their patch management efforts to understand and quantify their highest-risk vulnerabilities, determine what patches are required, and prioritize risky vulnerabilities for remediation as quickly as possible. Having an efficient (and maximally automated) patch management process is crucial for fixing vulnerabilities promptly and ensuring that software and applications are kept up-to-date, running smoothly, and shielded from a potential data breach.
Misconfigurations in Network Systems
Misconfigurations, meaning anything incorrectly set up in a system or network environment, are another major category of issues leading to data breaches. Incorrect or sub-optimal configuration of information systems, environments, applications, and connected devices is prone to exploitation. Misconfigurations happen when system administrators fail to configure security controls when deploying applications, websites, desktops, or servers, making them easy targets. Cloud misconfigurations, in particular, are common due to the complexity of cloud environments and a lack of familiarity with some of the tools available to administrators for securing them. Many misconfiguration issues also happen when default configurations, a set of pre-built controls or specifications, are accepted without being properly reviewed or modified, leading to dangerous security risks in an environment.
Organizations must implement strict compliance policies to prevent misconfigurations, such as enforcing strong access controls, disabling default accounts, changing default settings, encrypting data, and setting processes to perform continuous checks and validation of configuration settings.
Stolen Credentials
Stolen credentials are one of the most commonly used tactics leading to data breach attacks. Once a cybercriminal has valid credentials in hand, they can physically access a computer or network or bypass an organization’s network security measures. Cybercriminals use many different methods to steal credentials, including phishing scams, malware, and even automated tools that guess the weak or common passwords individuals may use. They also might take advantage of organizations that transmit data using non-secure protocols or don’t properly employ data breach prevention tactics to protect lost or stolen devices. Insider threats, meaning malicious users with internal access to critical data, can also be a source of data breach attacks since they can easily cause a data leak. Additionally, failing to comply with security protocols or posting sensitive data to an unsecured location on a website or in public repositories can make it easier for cybercriminals to access sensitive information.
To protect against credential theft, organizations can employ security measures like password managers and adaptive authentication, such as two-factor authentication (2FA) and multi-factor authentication (MFA), as well as continuous authentication practices and next-gen firewalls (NGFW).
Phishing
Phishing is the leading cause of data breaches. Phishing attacks are counterfeit communications that appear to come from a trustworthy source but can compromise your data sources. Phishing starts with a fraudulent email or other communication designed to lure an unsuspecting victim into providing confidential information, downloading a malicious application, or visiting a malicious website. The goal of the attack is to obtain confidential information, which is then used to access important accounts and can result in identity theft and financial loss. Attackers may also seek to obtain permissions to modify and compromise connected systems or, in some cases, hijack an entire network.
To prevent phishing attacks, organizations need to keep a pulse on the current phishing strategies and ensure their systems are current with the latest security patches and updates. Spam filters and monitoring systems should be set up to block malicious emails and websites. Also, organizations need to educate employees and conduct training sessions so they understand the types of phishing attacks they may encounter, the risks, and how to avoid them.
How is data at risk?
Once sensitive data is accessed, cybercriminals leverage it in several nefarious ways. The scale and gravity of these data leaks highlight the need to prevent data breaches.
Organizations need to establish data breach prevention processes that let them prioritize risks by business impact, starting with the data types cybercriminals most commonly target, including:
- Financial information—credit card numbers, bank accounts, investment details, and insurance information
- Intellectual property—product roadmaps, design specifications, formulas, sales plans, and source code
- Legal information—merger and acquisition details, litigation strategies, depositions, and contracts
- Personally identifiable information (PII)—Social Security numbers, contact information, birth dates, and driver’s license numbers
- Protected health information (PHI)—diagnoses, prescriptions, and medical records
- Technical security information—users’ credentials, encryption keys, security protocols and systems, and network architectures
How to prevent data breaches due to vulnerability exploits
Commonly used solutions for preventing data breaches caused by vulnerability exploits are:
- IT Asset Inventory tools – to automatically discover and inventory all IT assets to recognize what needs to be protected and monitored.
- Risk-based vulnerability management tools – to quantify risk across the business, analyze different remediation scenarios and calculate the risk reduction results to recommend highly tuned patch instructions.
- Highly automated patch management and remediation workflows – to accelerate remediation of critical vulnerabilities with insights that ensure the best remediation approach.
How to prevent data breaches due to misconfiguration exploits
Commonly used solutions for preventing data breaches caused by misconfigurations are:
- Strong password policies and multi-factor authentication (MFA) – to prevent unauthorized access.
- Limited or privileged access controls – to prevent overly permissive access.
- Disable default settings on servers, laptops, desktops, and other connected devices – to prevent hackers from having easy access.
- IT Asset Inventory tools combined with Risk-based Vulnerability tools – to account for all assets with a repeatable patching process in place that ensures software and configurations are up to date.
How to prevent data breaches due to credential theft
Commonly used solutions for preventing data breaches caused by credential theft are:
- Multi-factor authentication (MFA), CAPTCHA, Device Fingerprinting and IP Blacklisting – to prevent the injection of pre-collected login credentials (i.e. usernames, emails, passwords) to break into user accounts, also known as credential stuffing.
- Duplicate Password Detection – to warn users if they are using a duplicate or weak password.
- Passwordless Authentication – to allow users to gain access to an application or IT system without entering a password which eliminates the opportunity for an attack by password spraying.
- Two-factor authentication (2FA) – to compensate for weak passwords and weak user practices by requiring additional identity verification to gain access.
- Password Manager tools – to store, manage and generate passwords in a safe and encrypted database.
- User authentication tools – to verify that only authorized users can access cloud and company accounts.
- Default password detection – to help identify default credentials so they can be changed or disabled immediately.
- Next-gen firewalls (NGFW) – to detect and block data breach attacks by enforcing security policies at the application, port, and protocol levels.
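The credential stuffing pattern described in the first bullet above leaves a recognisable trace in authentication logs: many failed logins from one source spread across many different accounts, unlike a real user who fails against a single account. The following is an added example (not from the original page) of detection logic over such logs; the log format, field names, thresholds and sample entries are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system); the
# "<ISO timestamp> <FAIL|OK> user=<name> ip=<addr>" format is an assumption.
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL user=alice ip=203.0.113.7
2024-03-01T10:00:02 FAIL user=bob ip=203.0.113.7
2024-03-01T10:00:02 FAIL user=carol ip=203.0.113.7
2024-03-01T10:00:03 FAIL user=dave ip=203.0.113.7
2024-03-01T10:00:03 FAIL user=erin ip=203.0.113.7
2024-03-01T10:00:04 OK   user=frank ip=203.0.113.7
2024-03-01T10:00:10 FAIL user=grace ip=198.51.100.20
2024-03-01T10:00:40 FAIL user=grace ip=198.51.100.20
2024-03-01T10:01:05 OK   user=grace ip=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) ip=(\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, ip) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_credential_stuffing(text, window=timedelta(seconds=60),
                               min_failures=5, min_distinct_users=4):
    """Return {ip: usernames} for IPs whose failures in one window fan out across accounts.
    A real user mistypes one account's password; a stuffing tool replays a leaked
    list of username/password pairs, so its failures hit many different accounts.
    """
    failures = defaultdict(list)            # ip -> [(timestamp, user), ...]
    for ts, result, user, ip in parse_log(text):
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0                           # sliding window over ordered failures
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if end - start + 1 >= min_failures and len(users) >= min_distinct_users:
                flagged[ip] = users
                break
    return flagged
```

In the sample data only 203.0.113.7 is flagged; the successful login for frank from that same address right after the burst is the event to investigate first, since it may be a credential that the stuffing list got right.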
How to prevent data breaches due to phishing
Commonly used solutions for preventing data breaches caused by phishing are:
- Web filters – to restrict the content that an internet user is able to access.
- Spam filters – to identify unsolicited, unwanted and virus-infected emails.
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS) – to provide real-time protection against network attacks, exploits, and exposures.
- Data loss prevention (DLP) – to detect and prevent data breaches by blocking the extraction of sensitive information.
- Data encryption solutions – to render data inaccessible and unusable in a data breach attack.
- Employee training programs – to educate employees on the types of attacks they may face and how to avoid them.
Data Breach Prevention Best Practices
In addition to having a robust, overarching security strategy to prevent data breaches, organizations should also implement the following best practices.
- Educate employees about data breach prevention tactics and enforce data security protocols that defend against data leaks.
- Install updates and patches as they are available to prevent data breaches caused by cybercriminals exploiting vulnerabilities in unpatched or outdated software.
- Limit access to your most valuable data with data governance tools to protect sensitive data and prevent content sprawl.
- Limit third-party access to only the information they need by enforcing the principle of least privilege.
- Use unique and strong passwords to prevent unauthorized access to systems that can lead to a data leak.
- Implement zero trust security, which requires all users, whether inside or outside the organization’s network, to be continuously authenticated, authorized, and checked for security configuration before being granted access to applications and data.
- Adopt security technologies for added protection such as Endpoint Detection and Response (EDR), Web Application Firewall (WAF), Next-gen Firewalls (NGFW), and verification controls like MFA and 2FA.
No matter how good your security program is, your organization is never fully protected. Therefore, it is important to know what to do when you discover a data breach and how to restore systems that were impaired by the incident. Organizations can use a set of guidelines and best practices known as the NIST Cybersecurity Framework to help them detect the occurrence of a cybersecurity event in a timely manner and respond with appropriate activities to contain the impact and restore resilience.
Frequently Asked Questions
- What causes a data breach?
Among the most common causes of a data breach are:
- Credentials that are weak or stolen
- Malicious insiders
- Software vulnerabilities
- What is the impact of a data breach?
The consequences of a data breach vary in scale and scope but can include:
- Loss of licenses
- Financial loss
- Sanctions by industry or government agencies
- Damage to reputation
- Customer attrition
- Business shut down
- How to recover from a data breach?
If data breach prevention measures fail, the time to recovery should be as fast as possible to minimize damage. Several data breach recovery steps are:
- Neutralize the threat
- Use backup and recovery systems to restore operations and data
- Identify and reinforce the point of entry
- Determine if the threat has spread beyond the area identified
- Report the data breach to authorities and other agencies according to compliance requirements
- What are some examples of information commonly stolen through data breaches?
The types of information commonly stolen through data breach attacks include:
- Banking records
- Credit card information
- Legal documents
- Personally identifiable information (PII)
- Protected health information (PHI)
- Trade secrets and other proprietary product information
- Product source code
- Customer lists
- Users’ credentials
- What is the difference between a data breach and a data leak?
A data breach is the unauthorized access of sensitive or confidential information, while a data leak refers to the information exposed, accessed, or taken resulting from a data breach attack.