In recent years, companies have become targets of data theft attacks more than ever. This affects large organisations (think of the Uber breach in 2022) as well as small businesses; the latter often hold less valuable information, but they are easier to compromise.
Data theft can be achieved in several ways, namely:
- Phishing
It is one of the most prevalent vectors today, and it keeps growing in popularity, helped by Artificial Intelligence (AI) and identity theft. Phishing can take the form of messages or fake documents imitating the company's corporate identity.
- Malware
Malware continues to grow in number and should not be overlooked either. Here too, AI can help with the development and delivery of malware, by making the malicious application look as "harmless" as possible.
Overall, more than 353 million people were affected by reported data breaches, leaks and exposures in 2023, in the United States alone. And let's not forget the ones that went unreported... The same year, IBM estimated the average cost of a data breach for a company at around $4.5 million. Let's take a look at why this happens and what makes up this cost.
Remediation
Once a data theft is detected, it is essential to react quickly: determine the nature of the stolen data (employee data, trade secrets, business data, etc.) and the way the theft occurred. Only then is it possible to draw up a plan to contain the breach.
However, this step can involve significant costs and require calling in a specialised team in the context of a cyber crisis, possibly stopping the company's business until the situation is stabilised.
It is also necessary to think about the "post-attack" phase: learning from the attack and implementing new security measures is now a normal part of data protection. When this step only happens after an unforeseen incident (or is simply not anticipated), it can quickly become extremely costly.
How the attacker uses the data
It is also necessary to carefully study what kind of data has been stolen. If it concerns the company's business, manufacturing secrets or operating methods, there is a high risk that it will end up for sale on the Internet. This indirectly implies a major business impact: competing companies can understand how you operate and adapt accordingly, and your unique know-how may become available to everyone else.
It is also important not to overlook the fact that, while this data may not be used immediately after the theft, it is possible (and likely) that it will resurface years later; for example, phishing campaigns built on stolen information several years after the "storm" has passed. This can be devastating, affecting your company all over again.
Legal consequences
If the company that suffered the data theft has not complied with the applicable data protection laws, it may be sued by the individuals whose data was stolen.
In Europe, it is essential to follow the GDPR rules on data protection. In addition, the NIS 2 Directive, adopted in 2022, must be transposed into national law by the member states of the European Union (EU) by the 17th of October 2024, after which the organisations in its scope must comply with it. This legislation should be applied as early as possible, both to protect one's data and to be prepared in the event of an attack.
Sometimes attacks get through the protections put in place despite compliance with the NIS 2 Directive and GDPR, but demonstrable compliance with both greatly reduces the company's exposure to fines and legal expenses after a successful attack. In France, for example, the French Data Protection Authority (CNIL) can fine those responsible for such data up to a maximum of 4% of the company's worldwide annual turnover.
It should be noted that, in the event of a personal data leak, the person held responsible for the data is the head of the company. This is particularly true for small and medium-sized businesses. In larger organisations, where the size of the business does not allow the head of the company to monitor the situation closely, this responsibility may be delegated to the HR Director or the Chief Information Officer (CIO).
Loss of competitiveness and reputation
After a data theft, the company's image can remain tarnished for months. Customers and business partners may refuse to work with the company again. Moreover, after a data theft the company has to invest time and money specifically because of the attack, so its competitiveness inevitably decreases.
Similarly, partners working with the company may worry that their own data has been retrieved. They may also doubt that the remediation was entirely effective, or simply fear that it could happen again. In short, trust in the company also decreases.
This leads to major hidden costs, which are difficult to quantify as they depend on the state of the company prior to the theft, as well as its success in the remediation stage.
How to avoid data thefts?
Companies need to take specific steps to protect themselves against these attacks. Here is a non-exhaustive list of recommended actions:
- Ensure compliance
As explained above, it is necessary to comply with data protection regulations, such as the GDPR and NIS 2 (in Europe), in order to avoid legal and financial penalties. This includes implementing measures to protect personal data, of course, but also promptly notifying data breaches to the relevant authorities.
To achieve this, you need to carry out a risk assessment of your organisation and establish a comprehensive security policy based on the risks identified. Management must be involved, as the NIS 2 Directive makes management accountable for security.
Alter Solutions offers a wide range of services to help your company ensure compliance with the various regulations. Find out more about it here.
- Train employees
It is always worth remembering that human error is involved in the large majority of successful cyberattacks (figures of around 80% are commonly cited). It is therefore essential to train your staff to deal with phishing and other threats on the Internet. To this end, we recommend regular simulated phishing campaigns to test employees' level of cybersecurity awareness. Depending on the results, it is then easier to adapt training courses to specific needs.
- Implement solid security solutions
It is also essential to put strong security measures in place: a robust password policy, controlled management of removable media, antivirus and firewall protection, and regular software updates, especially for security software.
- Use a Managed SOC service
Small and medium-sized businesses often do not have the time or resources to set up their own SOC (Security Operations Center) to control, monitor and analyse the security of their company's information. For this purpose, it is possible to use a Managed SOC service, i.e. a SOC delegated to a company dedicated to this type of service. This is a more cost-effective solution, as it avoids the need for the organisation to invest in in-house security equipment and personnel.
Find out more about Alter Solutions' Managed SOC service here.
- Identify and classify sensitive data
It is strongly recommended to classify a company's data, establishing different security perimeters according to need and sensitivity; for example, some data may be stored in secure clouds. Data classification also helps to define who can access each piece of data within the company, thus limiting the ways in which it can be compromised.
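The classification step above is easier to reason about with a small worked example. The code below is an added illustration, not code from the original article or from Alter Solutions: it assigns a sensitivity level and a need-to-know compartment to each record using constructed keyword rules, then answers "who may read this?" with a "no read up" check (a reader's clearance must be at least as sensitive and must cover all compartments of the record). The levels, rules, records and users are all assumptions made up for the example.

```python
"""Added example (not from the original article): minimal data classification
plus a "no read up" access check. Levels, rules, records and users are constructed."""
import re
from dataclasses import dataclass

# Ordered sensitivity levels; a higher number is more sensitive. Assumed scheme.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed keyword/pattern rules that suggest a (level, compartment) for text.
# This is a toy rule set for illustration, not a real DLP policy.
RULES = [
    (re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"), ("confidential", "Finance")),  # IBAN-like
    (re.compile(r"\b(salary|payroll|sick leave)\b", re.I), ("confidential", "HR")),
    (re.compile(r"\b(trade secret|formula|manufacturing process)\b", re.I), ("restricted", "R&D")),
    (re.compile(r"\b(press release|public)\b", re.I), ("public", None)),
]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if a holder of this label may read data carrying `other`:
        the level must be at least as high and every compartment must be held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def classify(text: str) -> Label:
    """Return the most sensitive level among matching rules, with the union of
    their compartments. Text matching no rule defaults to 'internal'."""
    level, comps = None, set()
    for pattern, (rule_level, comp) in RULES:
        if pattern.search(text):
            if level is None or LEVELS[rule_level] > LEVELS[level]:
                level = rule_level
            if comp:
                comps.add(comp)
    return Label(level or "internal", frozenset(comps))


@dataclass
class Record:
    name: str
    text: str
    label: Label = None

    def __post_init__(self):
        if self.label is None:
            self.label = classify(self.text)


def can_read(clearance: Label, record: Record) -> bool:
    return clearance.dominates(record.label)


def access_matrix(principals: dict, records: list) -> dict:
    """Map each principal name to the sorted list of record names it may read.
    Useful for spotting over-privileged users or data nobody is cleared for."""
    return {name: sorted(r.name for r in records if can_read(cl, r))
            for name, cl in principals.items()}


# Constructed sample data.
RECORDS = [
    Record("press-release.txt", "Press release: Q3 results"),
    Record("payroll-2024.csv", "Employee payroll and salary export"),
    Record("recipe-v7.docx", "Manufacturing process for product X, trade secret"),
    Record("lunch-menu.txt", "Cafeteria menu for next week"),
    Record("supplier-bank.txt", "Pay to DE89 3704 0044 0532 0130 00"),
]
PRINCIPALS = {
    "intern": Label("internal"),
    "hr-manager": Label("confidential", frozenset({"HR"})),
    "cto": Label("restricted", frozenset({"R&D"})),
}

if __name__ == "__main__":
    for rec in RECORDS:
        print(f"{rec.name:20} -> {rec.label.level}, {sorted(rec.label.compartments)}")
    for who, readable in access_matrix(PRINCIPALS, RECORDS).items():
        print(f"{who:12} may read {readable}")
```

Note that the CTO, despite holding the highest level, cannot read the payroll export: compartments encode need-to-know, so a high level alone is not enough. The matrix also shows that no one in the sample is cleared for the supplier bank details, which is the kind of gap (or, conversely, the kind of over-broad clearance) that a classification review is meant to surface.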
Conclusion
Data theft can have repercussions on many aspects of a company: not only on the compromised information system, but also on its commercial, legal and human sides. That is why we strongly recommend that every organisation follows the recommendations outlined above, to limit the risk of compromise.