Companies handle millions of rows of user data to run their services. This data is a tempting target for cybercriminals, because it can be put to use in a large number of ways. As a result, the number of cyberattacks and data leaks keeps growing, and the damage they cause to companies grows with it.

How can user data leak onto the network, what does a leak mean for the company, and how can the risk of a leak be minimized? Falcongaze’s research department has looked into these questions.

How user data leaks to the web

There are many possible causes of data leaks, but they can be divided into two broad groups:

  • External;
  • Internal.

External causes are anything that originates outside the company’s systems and its people. Typically, these are the actions of cybercriminals: phishing attacks, attempts to brute-force login credentials, exploitation of vulnerabilities in software the company uses, or even attempts at physical intrusion.

Anything located within the company that can allow information to leak out counts as internal. For example, it can be an employee (insider) bribed by cybercriminals, or an incorrectly configured server that is accidentally indexed by search engines and exposes the databases stored on it.

In practice, it is not uncommon for a leak to have both external and internal causes. For example, cybercriminals send a phishing email with a malicious attachment to company employees, and employees who are careless or untrained in digital hygiene open the email and download the malware onto their work computers.

What consequences for the company can a data breach have?

Data leaks can cause serious damage to a company in two ways:

  • Reputational. When users find out that a company has leaked their information, a large proportion of them will stop using its services. In addition, news of a leak can seriously reduce the inflow of new customers. A 2019 Security Magazine survey showed that 78% of respondents would stop using the breached company’s services online, and 36% would stop interacting with it both online and offline. Moreover, 49% of those surveyed said they would not use a service or application that had recently suffered a data breach.
  • Economic. Economic damage comes on top of the reputational damage. First of all, the churn of existing users and the drop in new ones will directly affect the company’s profit. In addition, in many countries a data breach can result in fines and compensation payments to the users affected, and these amounts can be enormous: Equifax, for example, paid at least $575 million in 2019. On top of that, the company’s information security will have to be upgraded, which is also expensive.

How companies can minimize the risk of data breaches

There are many ways to improve the protection of information in a company. Among them are:

  • Data encryption. Even if attackers obtain the data, it will be much more difficult for them to exploit it;
  • Use of security software (antiviruses, firewalls). Such programs help protect against attacks from outside;
  • Use of DLP systems. These deserve a separate mention, since they specialize specifically in protection against leaks;
  • Digital hygiene training for employees. This helps employees avoid falling for phishing emails and, more generally, teaches them to transmit important data securely over the Internet;
  • Checking your systems for vulnerabilities. This can be done by ordering a penetration test, a security analysis of the systems, or a security audit:
    • Pentest. In this kind of security study, specialists purposefully attack the company’s systems, simulating an attack by hackers. As a result, the customer receives a report on how likely the ordered attack is to succeed, and on which vulnerabilities were discovered along the way. The downside is that the success of the particular attack matters more here than a complete inventory of vulnerabilities. In other words, if the pentesters were unable to penetrate the company’s infrastructure or disrupt its operation in one specific way, this does not mean there is no loophole hidden elsewhere that someone else will use;
    • Security analysis of systems. This study is somewhat similar to a penetration test, but where the goal of a penetration test is a successful attack, the task here is to find the maximum number of exploitable vulnerabilities;
    • Security audit. The audit checks whether the information system and its related processes comply with the requirements and recommendations of regulatory documents, as well as those of equipment and software manufacturers;
  • Running a bug bounty program. If a company produces its own software product, that product may also contain vulnerabilities through which, in theory, unauthorized access to confidential data could be obtained. A bug bounty program draws the attention of enthusiasts to the product, and as a result the company receives information about bugs and vulnerabilities and can fix them quickly;
  • Building a healthy climate within the company. If employees are satisfied with their working conditions, then even if someone tries to bribe them to leak information, the attackers’ chances of success will be much lower. For example, in August 2020, cybercriminals were unable to carry out a ransomware attack on Tesla, even after offering an employee $500,000.

Taken individually, however, these measures are not very effective. They must be used together to achieve the maximum effect. For example, a security analysis or a penetration test will reveal the weakest points in the company’s information protection, and the reports and recommendations received from the specialists then guide which other measures to apply, whether that is switching to more reliable software or training employees in digital hygiene and the basics of information security.

Of course, none of this is cheap (for example, a simple penetration test using social engineering by email can cost from 150 thousand rubles). But in the end, if a company works with a large amount of confidential data, this is highly likely to cost less than the losses it would suffer if that data leaked.