No company wants to suffer a data breach, but as the headlines prove, it can and does happen to businesses on a regular basis. Data breaches not only bring a potential dollar loss to your business, they also damage its reputation by shaking your customers’ trust. There are also a variety of factors that leave certain businesses more vulnerable to breaches than others.
We asked 14 Forbes Technology Council members to share some data security risks that could make a breach more likely. Here are the top risks your business should be addressing as soon as possible.
1. Social Engineering Vulnerabilities
A very common vector for data breaches is tricking employees into divulging credentials or installing malware. Recognizing phishing, malware and other social engineering vulnerabilities is an essential education for every employee. IT needs to stay aware of the latest trends, be on the lookout for targeted attacks and make sure employees know what to look for and what to do. – Seth Noble, Data Expedition, Inc.
2. Unmanaged IoT Devices
By 2020 the number of unmanaged IoT devices will likely bypass the number of managed devices within a typical organization. These unmanaged devices don’t have typical policies/endpoint controls, which makes it extremely difficult to understand how they communicate with the network. This lack of visibility makes it virtually impossible to understand what an organization’s true threat landscape is. – Rahul Kashyap, Awake Security Inc.
3. Lack Of Awareness
The biggest security risk businesses need to address is “people” and their inability to properly detect frauds, scams, phishing emails and infected links on emails bringing malware in. Strong security awareness training will be a crucial step in protecting our data and systems by showing them the risks that poor cybersecurity practices present to the business. – Elaine Montilla, The Graduate Center, CUNY
4. Data Loss
To match the speed of innovation, data democratization and compliance scrutiny, businesses must take a data-centric approach coupled with data loss prevention. Applying a data loss prevention (DLP) approach to data security ensures security teams and data owners can confidently attest to the safety and privacy of businesses’ most cherished asset: consumer data. – Yu Lee, Kasasa
5. Personal Data Accessibility
Like it or not, hundreds of companies are storing data about you like your personal contact information, date of birth, address, income level, geolocation at any given time and more. Businesses must remember that customers have entrusted them with this information, so they must ensure that only the right people at the right time have access to it via proper security protocols. – Marc Fischer, Dogtown Media LLC
6. Managing The Increasingly Complex Digital Business Environment
Data breaches happen because it’s hard to do anything consistently at scale. Our top risk is failing to follow basic rules 100% of the time in a growing, changing, increasingly complex digital business environment. Attackers are like ants in a house—no matter what you do, they always find another way in. We need to manage complexity and apply basic security standards everywhere, all the time. – Mike Lloyd, RedSeal
7. Insider Threats
Guarding the perimeter isn’t enough anymore because the real threat may be hiding inside your network. Businesses need to pay special attention to their insiders: employees, partners, third parties, anyone else with access to their corporate data. These people know your business secrets, and they can affect your operations, so it’s vital to make sure they won’t misuse their access privileges. – Dennis Turpitka, Apriorit
8. Insecure Applications
Applications continually store and transmit sensitive data, often through APIs and third-party channels, significantly increasing their attack surface. Insecure applications are the culprit of the majority of attacks, yet significantly more budget is spent on securing the network. Threat model your enterprise applications and ensure the most critical data risks are mitigated first. – Ed Adams, Security Innovation
9. Untrained End Users
The biggest security risks are employees. Phishing emails, downloading malware, setting weak passwords and mishandling confidential data in applications are all huge risks for businesses. That’s why it’s important to invest in ongoing training. You can have the most expensive and most effective security tools, but they won’t matter if the end user is the weakest link. – Eric Christopher, Zylo
10. Consumer Trust In Data Repositories
Data breaches are confidence vampires: They imbibe on misplaced trust that consumers place in unsecured data repositories. With a more scientific approach, such threats can be thwarted with a complete and current asset audit and robust segmentation. Without knowing what your core assets are, or constraining the risk and scope of potential compromise, you’re defending in the dark from all sides. – Philip Quade, Fortinet
11. Third-Party Risk
A top data security issue businesses need to address is third-party risk. Organizations are becoming more reliant on third-party relationships, and many third parties contract with outside vendors of their own. As a result, a company’s data can be spread wider than they realize. Evaluating and securing these third-party relationships on an annual basis is one step toward successfully mitigating risk. – Matt Kunkel, LogicGate
12. Overestimating The Ability Of Network Defenses
Data must be protected by applications that use it, irrespective of the networks they traverse. Only by encrypting data within the application, only by strongly authenticating users before they see data and only by protecting cryptographic keys with purposed hardware can risks be sufficiently mitigated. – Arshad Noor, StrongKey
13. Misconfigured Cloud Servers
Security controls that worked well in traditional data centers don’t translate to the cloud. As companies adopt cloud services without adopting the proper security tools, we continue to see frequent data breaches due to misconfigured servers. To address this issue, enterprise security teams must implement automated security solutions that can identify and remediate misconfigurations in real-time. – Chris Deramus, DivvyCloud
14. Lack Of Data Access Oversight
Businesses often don’t know what sensitive data they have and who can access it. Specifically, they grant employees and contractors more privileges than they actually need for their job. The more users have access, the higher the risk. Plus, PI overexposure is a severe violation of privacy legislation. To mitigate these risks, companies should continuously classify and audit their data. – Ilia Sotnikov, Netwrix
POST WRITTEN BY
Expert Panel, Forbes Technology Council
Successful CIOs, CTOs & executives from Forbes Technology Council offer firsthand insights on tech & business.