Preventing a Data Breach

Is your company data adequately protected? Is your Incident Response Plan up to scratch? NSF’s Information Security experts, together with the Principal of Cybersecurity at Plante Moran, share the most common causes of data breaches and some steps you can take to help protect your company’s data.

What steps have you implemented to prevent a data breach?

By Joseph Pelukas – Senior Director of Information Technology at NSF, Jenny Trotta – Principal of Cybersecurity at Plante Moran & Haley Glass - Digital Account Executive at NSF

Is your company data adequately protected? Is your Incident Response Plan up to scratch? If you are struggling to answer these questions, read on to discover the most common causes of data breaches, and some steps you can take to help protect your company’s data, including the importance of regularly reviewing and testing your Incident Response Plan.

Exposing the ‘B’ word – what is a data breach?

The formal definition of a data breach is any incident where your organization’s sensitive or protected information is accessed, disclosed, or obtained by an unauthorized person.

The word ‘breach’ is often overused though, and should not be used casually. In the world of cybersecurity we generally use the terms ‘events’ and ‘incidents’ until an official breach is confirmed. Usually it’s a company’s legal team who determines if a data breach has occurred, since where the company’s data is located will have a bearing on which laws and regulations are in force.

Phishing remains the most common cause of data breaches

Despite the vast amount of information available on phishing, it’s still the most common cause of data breaches.¹

Phishing attacks are becoming increasingly sophisticated. There are now far less spelling errors than we saw in phishing emails in the past, and with advancements in Artificial Intelligence (AI), emails look ever-more convincing. So, vigilance remains key, and we always advise clients to scrutinize the content of emails and the actions they’re being asked to take.

In addition to phishing, we’re also seeing a large number of ransomware attacks where devices are encrypted by hackers, who demand money in return for access to their systems. But of course hackers are not only seeking a ransom payment, they’re targeting the financial information of individuals whose identity they can steal in order to obtain credit cards and even take out mortgages.

Other types of data increasingly being targeted may surprise you. In recent times we’ve seen HIPAA data targeted as fraudsters look to obtain prescriptions, or even more expensive medical services, such as cosmetic surgeries.

The consequences of cyber-attacks are huge, not only financially but in terms of reputational damage too.

Between March 2022 and March 2023 the average total cost of a data breach for a U.S.-based organization was an eye-watering $9.5M.²

Steps to help prevent a data breach

With the stakes so high, what can organizations do to help protect their data?

There is a huge amount of information available online, including via AI applications, documenting various steps an organization can take to help safeguard their data. The key is operationalizing these steps!

There is no magic formula to prevent a data breach, but there are a lot of overlapping controls that can be put in place to help.

Here are our experts’ top tips for helping you protect your company’s data and assets.

Create an asset inventory – you need to know what systems, software, and data you have in order to protect them.
Conduct a risk assessment – utilizing the asset inventory, identify potential threats and vulnerabilities for each asset. Assess the impact of each identified threat and the likelihood. This can help with prioritizing risk mitigation efforts.
Conduct internal phishing campaigns – knowing that phishing is the biggest cause of cyber-attacks and that it relies on internal staff members being compromised, it’s critical that all organizations regularly train and test their team on spotting and reporting phishing emails.
Keep systems patched and up to date – this may sound simple, and it may not always be straightforward to execute without potential disruption to your systems, but it’s so important to make sure your systems are patched and up to date. Segment any system that can’t be updated and prioritize patch requests based on which systems hold the most critical data, or are the most vulnerable.
Secure your websites – users should always check for the padlock icon in the corner of their screen. Sites should use https, and if you’re transmitting any data you need to make sure it’s done in a secure manner.
Remember the internal risk - nobody likes to think about internal attacks, but they do happen. History tells us that rogue employees can pose a huge risk.
Encrypt laptops – although most corporate policies require files to be saved in designated server locations, the reality is that many employees still save documents to their desktop. It only takes a colleague to be travelling and lose their laptop, and anything saved on their desktop is vulnerable.
Segment and secure your network - ensure you have your network and your infrastructure properly secured and segmented.
Adopt a ‘zero trust’ approach – this means ensuring that you’re only allowing authorized people access to your network, and only enabling access to systems and servers they require for their specific role.
Remember physical security – physical security and information security go hand in hand. Don’t forget to secure your physical assets, such as your premises, too.
Check your cyber insurance coverage - make sure it meets your organization’s needs and will cover you in the event of a data breach.
Test your Incident Response Plan – this is critical preparation for your teams and should be tested on a regular basis.

Review your incident response plan annually

If you don’t have an Incident Response Plan or it’s been a while since you looked at it, now would be a good time to develop one or revisit your existing one. We advise clients to review their Incident Response Plan at least once annually. But having a plan is not enough. You need to test it with all responsible personnel, via either a tabletop exercise or a real-life simulation of an incident.

Can you confidently answer ‘yes’ to these questions?

Do you have a nominated incident response team?
Do they know what to do in the event of an incident?
Are they familiar with the team’s roles and responsibilities and communication protocols?
Do they know what procedures to follow if there is an incident or a breach?

Since time is of the essence in a real-life incident, and there may be regulatory procedures to follow, it’s crucial your teams know the role they play.

And of course after each test, its best practice to evaluate lessons learned so you can focus on areas of improvement and update your Incident Response Plan accordingly.

What if you rely on a third party to protect your data and systems?

If you work with a third party provider, you may be wondering how you can ensure your data is adequately secured.

You can ask your provider to demonstrate compliance to relevant standards or protocols, possibly via certification. Another option is to ask for a Service Organization Controls (SOC) report, which covers the security and availability of data. Review the reports to make sure your provider is covering the scope of services you have contracted them to provide. If they don’t have a SOC report, consider visiting the provider in person to ensure they’re meeting service level agreements and securing your data adequately. You can also issue them with a detailed security questionnaire. In this case, don’t forget to ask them about their teams’ access to your systems and data. Who has access and what do they specifically have access to?

If you rely on a third party to protect your data, ask to see evidence of compliance with relevant standards or protocols, request a SOC report, issue them with a detailed security questionnaire, or visit them in person.

Key takeaways

Our experts have summarized their top three tips to help protect your organization’s information security:

Be prepared
Conduct an inventory of data, systems and software
Train your teams and test your Incident Response Plan.

Remember, between March 2022 and March 2023 the average total cost of a data breach for a U.S.-based organization was $9.5M.²

So, what steps have you implemented to prevent a data breach? Whatever your organization’s cybersecurity posture, NSF is here to help.

About NSF CyberSecure

NSF CyberSecure, the policy builder, makes information security accessible. The platform provides the first step in your company’s information security journey, building a strong foundation based on the key elements of information security.

By implementing policies tailored to your organization, your teams have a solid foundation to work from when managing and mitigating the risk of data breaches. NSF CyberSecure also offers complimentary training to help equip your employees with some of the fundamentals covered in this article.

NSF CyberSecure Offers:

An intuitive platform that provides real time feedback on your existing policies using Artificial Intelligence (AI) technology
A policy builder function, which helps generate policies on demand
A repository for information security policies with robust version control
A cost-effective annual subscription, with the option of a free trial

Start your free NSF CyberSecure trial

NSF CyberSecure

Take your first steps on your Information Security journey with NSF CyberSecure, the policy builder.

Learn more

Please note that any suggestions made in this article do not constitute consulting and following any of these suggestions is not linked in any way to the granting of certification.