We hear about data breaches daily, or so it seems. But how many people actually know what the term means?
Here’s a no-nonsense definition you can use, courtesy of Israel Mazin, co-founder, CEO, and chairman of Memcyco: “A data breach is the unauthorized access and extraction of sensitive, confidential, or protected information.”
There’s a reason everyone seems to be talking about data breaches, by the way: They’ve been steadily on the rise, and 2023 brought a noticeable surge. Security professionals and other IT pros use a wide range of cybersecurity software and tools for everything from security risk assessments to mitigation in the event of an incident.
In this article, I’ll explain how and why data breaches happen and what CTOs and other technology leaders can do about them. Let’s get started.
What is a Data Breach?
Here are a couple more straightforward definitions of data breach:
- “A data breach occurs when confidential, protected, or sensitive data is accessed, disclosed, or taken without authorization,” says Will Teevan, CEO of Recast Software
- “A data breach is unauthorized access to and theft, altering, transfer or sale of private or sensitive data as a result of a security incident,” says Andrew Kraut, Senior Research Engineer at Permiso.
A pattern emerges in these definitions: a data breach entails unauthorized access to sensitive information and subsequent theft or other unauthorized use of that information.
Virtually any confidential information – i.e., not otherwise publicly available – could be considered sensitive these days, but some of the big categories here include:
- Personal information: This could include any personally identifiable information—also known as PII—that a company collects about its customers, such as addresses, phone numbers, driver’s license numbers, passport numbers, social security numbers, birth dates, etc.
- Financial information: This typically includes bank account numbers, credit card numbers, or other login credentials that hackers and cybercriminals could use to compromise or steal from an individual’s or organization’s financial accounts.
- Healthcare data: While this might be rightly considered “personal information,” health information is worth its own mention because the industry has become a massive target for cyber attackers and other bad actors looking to profit from ransomware and other threat vectors.
- Proprietary data: This includes a company’s private or proprietary information, from intellectual property to research and development plans to market strategies and more.
Why Data Breaches Happen
You don’t need to be a CISO or other security professional to understand that data breaches are bad. No individual or organization wants it to happen – yet they happen regularly. In a survey recently conducted by Teevan’s firm, in partnership with Ponemon Institute, 61% of respondents reported their organization had been breached in the previous 12 months.
This data underscores the pervasive nature of cybersecurity threats and the urgent need for businesses to reinforce their defenses.
Why are data breaches so common? Put simply: They work. Cyber attackers and other malicious actors have turned cybercrime into a lucrative industry unto itself, armed with an increasingly sophisticated array of attack tools and techniques for going after their targets. While financial gain is the most common motive, it’s not the only one. Data breaches also occur because of corporate and government espionage, reputational damage, service disruption, and other reasons.
The kicker is that cybercriminals can afford to fail – and plenty – whereas their targets typically cannot.
“Attackers only have to get it right once, but defenders have to get it right every time,” Kraut says.
How Data Breaches Happen
Another massive reason data breaches happen: There are more security risks and threat vectors in our increasingly digital age than ever. “The complexity and sophistication of cyber threats are continually evolving,” Teevan says.
Broadly speaking, those threats usually fit into one (or more) of the following categories:
- Human Error: This has long been one of the biggest root causes of data breaches: People make mistakes. In a security context, that could include everything from the use (and reuse) of weak passwords to the accidental mishandling of sensitive data to cloud account misconfigurations and more. Even something as “simple” as a lost phone or laptop could lead to a security incident. Moreover, it’s not always a mistake – various insider threats can lead to security breaches within the organization.
- Cyberattacks: This category has grown immensely in scale and complexity over time and includes a wide variety of malicious tools and methods that cyber attackers can use to gain unauthorized access to an organization’s data.
“Cyberattacks, such as phishing attacks, malware, or ransomware, exploit security gaps to gain unauthorized access to systems,” Teevan says.
Other cyberattacks include distributed denial-of-service or DDoS, attacks intended to disrupt or take down a company’s web applications, and cloud account hijacking
- System Vulnerabilities: Finally, there are tons of potential vulnerabilities – sometimes the result of initial human error – in a company’s IT and business systems. This includes things like unpatched or otherwise outdated software, misconfigured cloud or SaaS accounts, or inadequate tools, processes, and policies for minimizing security risks and responding to incidents.
Notable Data Breaches
Oh, where do we begin? Just from the last decade or so, you could fill a book with notable data breaches. Seriously, a Wikipedia list of data breaches reads like a who’s-who roster of major companies and government agencies, and it includes more than 460 references.
Here are some examples of notable breaches:
- In 2013, the web company Yahoo was hacked in what is now often cited as the biggest data breach ever. It was later revealed that all 3 billion of Yahoo’s user accounts were compromised in the attack.
- In 2009, Wired reported that the National Archives and Records Administration was investigating the potential breach of personal data for tens of millions of U.S. military veterans. The cause? A faulty hard drive that was shipped back to a vendor without having its data properly wiped first.
- In late 2022, the video game maker Activision had some game and employee data stolen after an employee fell prey to a phishing scam.
- In late 2023, cyberattackers gained access to the personal data of around 6.9 million customers of the genealogy and ancestry site 23andMe—a much larger number than initially reported.
The Importance of Recognizing Data Breaches Early
If you review even a brief history of data breaches, a pattern emerges: While no data breach is ever “good” (at least not unless you’re the attacker), many turn out much worse than they need to be because they either went unnoticed or unreported for too long. Moreover, some organizations end up doing far greater harm than the initial breach simply by trying to sweep it under the rug instead of issuing an appropriate breach notification to affected parties in a timely manner.
Detecting and responding to breaches quickly is crucial to minimizing their impacts. This is a driving force between security mindsets such as “assume breach,” in which your security posture treats it as inevitable that incidents can and will happen. A similar mindset permeates multiple concepts and strategies in modern data security, such as zero trust and the principle of least privilege – security incidents are a given, so why ensure your detection, defense, and incident response capabilities are as strong as possible?
The Impact of Data Breaches on SaaS Companies
While this is true for companies of all shapes and sizes, it’s particularly important for SaaS companies, whose entire business is predicated on trust in the company’s digital products and services. SaaS data breaches bring multiple negative impacts when they go undetected or aren’t handled properly in their aftermath, including:
- Financial Losses
- Reputation Damage
- Legal and Regulatory Compliance Implications
While financial losses may seem most tangible, consequences such as reputation damage can last much longer, given the digital trust required for success in both B2B and B2C SaaS businesses.
Data Breach Prevention and Mitigation
The challenges here are as clear as they are numerous. Any organization that sticks its proverbial head in the sand regarding data security is essentially extending an invite for a breach.
So, what should we do about it? Experts recommend various best practices and tools for data security.
Best Practices for Data Security: 6 Principles
1. Assess and Strengthen Your Cybersecurity Posture: “Begin by evaluating your current cybersecurity measures,” Teevan says. “Take advantage of tools that help quantify potential risks, offering insights into system vulnerabilities and outdated applications.”
2. Patch, Patch, Patch: Rigorous patch management is one key to minimizing system vulnerabilities and reducing the number of known and unknown (aka “zero-day”) exploits available to attackers.
“Automating the patching process for operating systems and applications is crucial, as automation facilitates rapid patching, reducing the window of vulnerability significantly,” Teevan says.
3. Prioritize Visibility of and Control Over Your Environments: There’s a general truth in IT security that you can’t protect what you can’t see – malicious actors thrive in the dark, which in IT terms means those areas in an organization’s systems that are unknown or unseen to the organization itself.
“Achieving a comprehensive overview of your hardware and software landscape is essential for informed decision-making and effective risk assessment,” Teevan says. “This heightened visibility into IT environments allows organizations to identify vulnerabilities, monitor system health, and ensure that all assets are up to date and secured against potential threats.”
In addition to real-time visibility and monitoring, you’ll also want a “paper” trail to support audits and a granular understanding of security incidents whenever needed. Kraut from Permiso recommends logging data access: “Besides regulatory requirements, data access logging is a great way to validate that the right people are getting access (or being denied access) to the right data.”
4. Be Smart About User Permissions: Human error will always exist, but you can manage it simply by limiting people’s data and system access to what they need to do their jobs—nothing more.
“Excessive admin rights invite attacks,” Teevan says. “Limit user access to essential functionalities to reduce the risk of unauthorized actions that could compromise security.”
Kraut advises implementing such data protection strategies as early as possible: “Build in data protection strategies from the start: If you engineers can't access confidential data because of technological controls, it's a good bet attackers can't either. These controls are not easy to put in after the data exists."
Similarly, limiting human error as a root cause of data leaks requires and enforces strong passwords and tools like multi-factor authentication.
5. Adopt a Human-Centered Cybersecurity Approach: Don’t treat the human element as a weakness – people should be a key part of your strength.
“Develop a tailored cybersecurity training curriculum and conduct regular simulations to test employee readiness,” suggests Kraut. This proactive strategy helps mitigate the risk posed by human error, a significant factor in data breaches.
Kraut also suggests another people-centric practice here: “Check each other's work: Every industry can benefit from this practice,” he says. “Commercial airlines have two pilots to check each other. Rock climbers use multiple anchors. Security engineers can use code and architecture reviews to catch oversights before production.”
6. Conduct Regular Cyber Risk Assessments: Conducting formal risk assessments helps identify and prioritize vulnerabilities. Utilizing third-party expertise can offer an unbiased view, enhancing the effectiveness of your cybersecurity strategy.
The Bottom Line
Data breaches are a menace that is only getting worse. But the good news is that the right combination of technology tools, proactive strategies, and strong technology leadership can minimize risks and ensure a rapid response and resolution when security incidents occur.
What is your approach to data security? Be sure to join The CTO Club’s newsletter for more industry news and discussions!