What is a data breach and how do you guard against one?
Posted: Mon 18th Mar 2024
Technology has allowed many small businesses to do things they never thought possible. But it has also introduced new risks.
Data breaches are becoming increasingly common, and failing to protect your small business against them could be very expensive – and not just financially.
If you suffer a data breach, it can stop your business in its tracks – halting your operations, harming your reputation and eroding customer trust.
In this blog, we explain what data breaches involve and how they happen. We also look at what you can do if your data is stolen and what measures you can put in place to keep your data secure.
What is a data breach?
A data breach is when someone accesses, changes or deletes your data without permission, often because of weaknesses in your IT security.
Generally speaking, there are three types of data breach:
A malicious attack – either by cyber criminals or 'bad actors' inside your organisation
A breach due to human error – by careless employees or contractors
A systems glitch – this might be because a business process you have in place has failed
How is a data breach most often caused?
These are the most common causes of data breaches within businesses of all sizes.
Ransomware
Cyber criminals use this type of malicious software (malware) to encrypt data on your network, essentially locking it away and stopping you from gaining access to it. They then demand a ransom payment to restore it.
The cyber criminals view, copy and/or export data from your network before encrypting it, then threaten to leak it publicly if you don't pay the ransom.
However, it's important to know that paying the ransom doesn't always guarantee that the cyber criminals will restore your data.
SQL injection
Many websites and apps use SQL databases to store important and sensitive data, such as customers' usernames, passwords and credit card details.
In an SQL injection attack, cyber criminals exploit flaws in your IT security to make changes to how an SQL database works. Those changes then allow them to access, modify and delete data as they wish.
Phishing
This is when a cyber criminal contacts you by email, phone or text message, pretending to be a supplier, vendor or customer. They might ask you to open an attachment or click a link that – unknowingly to you – contains malware or a virus, or fool you into giving them valuable data.
Phishing is the most common form of cyber attack. Hiscox's Cyber Readiness Report 2023 found that 63% of the businesses surveyed had suffered a form of phishing attack.
Read more:
Criminal insider
This means someone – often an employee or contractor – who abuses their position to access and then leak sensitive information. Typically, they do it for profit or to harm the organisation in some way.
Accidental insider
Unlike a criminal insider, an accidental insider is someone who unintentionally causes a data breach. Some ways this can happen include:
falling victim to a phishing scam
using a personal device on a company network without authorisation
accidentally sending an email to the wrong person or company outside the business that contains information they shouldn't have seen
using weak passwords
Physical theft or loss
Data breaches can happen if someone within your business loses a laptop, hard drive, mobile phone or USB drive containing sensitive information, or has such a device stolen from them.
What should I do if my data is stolen?
If you have the misfortune of suffering a data breach, here are some measures to take to make your business more data-secure:
Change all your passwords. Do this on every account you have, regardless of whether they were breached. Choose long, complex passwords and use two-factor authentication (2FA) where possible.
Contact your bank or other financial institutions. Tell them that you've suffered a data breach and ask them to check your accounts for anything that looks like fraud. Ask them to send you fraud alerts and consider changing your account details or replacing cards.
Update your software. Secure your systems and fix vulnerabilities by installing updates.
Be proactive. Learn about potential threats and stay alert to signs of suspicious activity.
Contact your insurance company. They can provide crucial support to help keep your business afloat.
How can I help protect my business?
In 2023, the average yearly cost to a business that had lost data or assets in a data breach was £15,300. That shows the impact of these breaches can be significant, particularly for small and micro businesses that don't have the security of huge cash flows or budgets.
Fortunately, there are steps you can take to make it harder for cyber criminals to break into your IT systems and steal your data.
Take care of the basics
Use multi-factor authentication (MFA). This is an added layer of security that asks for two or more types (or "factors") of authentication to access a system. These might include passwords, PINs, fingerprints or codes sent to your smartphone.
Install firewalls. A firewall is your first line of defence. It stops any unauthorised traffic or malicious software from entering your network.
Install antivirus software. A comprehensive business antivirus solution will block, detect and remove threats like malware, and should also protect you against phishing scams.
Install encryption software. Protect sensitive data by making it so anyone without authorisation to see the information can't read it.
Use a virtual private network (VPN). Setting up a VPN allows you to send data via secure channels and stop it being intercepted by cybercriminals or hackers.
Use strong passwords. Make it standard practice for people on your network to use complex and unique passwords and change them regularly.
Make mobile devices secure. If employees use personal devices for work, you have far less control over security (passwords, access, use of public wi-fi and so on). Put in place a bring your own device (BYOD) policy that sets out clear expectations for each employee, and spend some time on training to highlight the potential threats.
Make sure employees are aware of the risks and threats
Educate employees. Highlight the importance of cyber security and train employees to recognise cyber-security threats and take appropriate action.
Communicate. Give employees regular reminders of how dangerous it can be to click links or attachments in emails from senders they may not be familiar with.
Make people accountable. Make sure every staff member is aware of their own role and responsibilities in protecting your business's data.
Manage ongoing maintenance and planning
Stay up to date. Scan your network and devices frequently and check for necessary upgrades. Install any updates or patches from trusted software providers as soon as possible.
Prepare for emergencies. Devise an emergency response plan that sets out what you'll do if you suffer a data breach.
Back up data. Do this regularly so you can easily restore it if the worst happens.
Protect your business with cyber and data insurance
If your business suffers a data hack or breach, Hiscox Cyber and Data Risks Insurance can help with the cost of retrieving data, performing repairs and defending against claims for compensation.
Through a network of IT forensic teams and legal experts, you can receive advice and assistance if you fall victim to a breach, including PR advice to help limit any losses and possible damage to your business and its reputation.
With Enterprise Nation's offer, you can get 10% off your business insurance policy with Hiscox. Why not get a free quote now?
Update your starters and leavers process
Set up new starters. Determine what new starters need in terms of access to data, systems and devices and set them up accordingly.
Process leavers. Have a policy in place for what to do when people leave your company, including promptly resetting passwords.
Review returned devices. Wipe or securely destroy data where necessary.
Small business insurance with Hiscox
Get a free online quote for your business in minutes with Hiscox. Make the most of the exclusive 10% discount for Enterprise Nation members and start building your cover now.
Disclaimer: Our partner Hiscox wants to help your small business thrive. Its blog articles will contain lots of useful information relevant to your growing business. However, this information is not meant as professional advice and you must not treat it as such. To find out more on a subject we cover here, please seek professional assistance specific to your circumstances.