The frequency of cybercrime has increased in line with technological development and digital transformation. Data breaches are the most common form of cybercrime at the organisational level because of the huge amount of digital data organisations store and move. The risk of a data breach affects every type and size of organisation; it can ruin an organisation's reputation, and the costs of investigation, redress, victim compensation, fines and penalties can be extremely high.
What is a data breach?
According to the Corporate Finance Institute, a data breach is an ‘incident in which secure, sensitive, and confidential information is accessed and exposed to an unauthorised and untrusted environment.’ The CFI goes on to say that it is ‘a violation of security protocol for an organisation or individual in which confidential information is copied, transmitted, viewed, and stolen by an unauthorized person.’
A data breach can be intentional or accidental. As we shall see below, data breaches occur as a direct result of systemic weakness and careless or uneducated user behaviour, as well as from determined attempts to illegally access confidential information.
The consequences of a Data Breach
The potential costs of a data breach are immense. A data breach can cause delays to time-critical operational performance and violate data integrity. If a data breach is made public and is perceived to have been avoidable, it can seriously damage an organisation’s brand reputation and undermine customer confidence. The cost of restoring breached IT systems can be high and business interruption can cause financial losses. Data breaches carry a high risk of infringing regulatory requirements which can result in heavy penalties and fines. Data Breaches can also leave organisations open to litigation and compensation claims from customers and employees whose personal information has been stolen.
Areas of greatest threat: Email and generic file-sharing systems
A major cause of data breaches is employee activity combined with weak operational and security systems. There are instances of deliberate malicious activity by insiders but, in most cases, data breaches are caused by human error and an overreliance on email and generic file-sharing systems (GFSS) to transfer sensitive and confidential information.
Email: Organisations largely rely on email to send and receive information within and outside the organisation. This leaves the organisation open to human error as emails can be accidentally sent to the wrong recipient or email address. Attachments are not usually encrypted so potentially sensitive information is not secure, which may result in a breach of the General Data Protection Regulation (GDPR). Furthermore, using email to transfer sensitive information may cause compliance breaches as it does not guarantee delivery or visibility of transfer.
Generic file sharing systems: Employees who need to send files that are too large for their organisation's email system will often send them via a GFSS. GFSS are usually built for personal use and convenience and lack the controls needed for moving an organisation's confidential information. They typically provide no audit trail of who transferred what to whom, and they leave multiple versions of a file sitting in various locations that other employees cannot reach when they need them.
External attacks: External attackers probe for system vulnerabilities and compromise employee email accounts. Weak passwords, such as those based on personal details like birthdays, can provide access, as can spam and targeted phishing emails. These are often designed to look as though they come from trusted individuals and organisations but carry links and attachments that, if clicked on or opened, expose the organisation to malware and spyware.
Educating employees to be aware of such ploys and the consequence of accidental behaviour is essential to preventing data breaches. Equally important is equipping employees with secure file-sharing technology that is fit for purpose.
The FCA takes data security very seriously and insists that financial services companies have processes, systems, and controls in place to manage their information security risk. SYSC 13.7.7 in the FCA Handbook stresses the importance of restricting access to important information, making information available to authorised individuals when it is needed, and ensuring their identity is verified.
An increasing number of organisations are using a Virtual Data Room for their day-to-day file-sharing needs. A Virtual Data Room (VDR) is often associated with highly confidential corporate transactions such as fundraising and M&A activity. Still, the benefits of using a VDR are far more wide-ranging, and it provides the information security and controls that email and GFSS do not.
Virtual Data Room
All organisations need to store and share confidential financial, commercial, legal and employee information. Many organisations are also responsible for confidential customer and client information. A Virtual Data Room is equipped with multiple tools, processes and controls to protect and manage highly sensitive information from data breaches, uninvited viewing, and unauthorised sharing of information.
Keeping information secure: A Data Room protects information through several mechanisms. These include encryption of data at rest and in transit; two-factor authentication; audit trails that record logins to the Data Room, uploads, downloads and deletions; watermarking of documents; and preventing actions such as copying, downloading, printing, saving, modifying and forwarding of documents without permission. Certification against international standards such as ISO/IEC 27001 shows that a provider's security controls have been independently assessed, which reduces, though does not eliminate, exposure to hackers, malware and third-party misuse.
Access control: A Data Room provides full control over who has admission to it with user-based content permissions that determine access to documents. Granular tools manage user permissions on a folder, sub-folder and individual documents basis.
Activity monitoring: Inside the Data Room user activity can be closely monitored: who has been in the Data Room, when, how often and for how long, and which documents they looked at and for how long. This information can be collated into activity reports which can be used to identify abnormal user behaviour.
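As an added illustration (example code written for this page, not Perivan's or Engage's own implementation), the following Python models the two controls just described: granular permissions resolved down a folder, sub-folder and document tree with default deny, and an audit trail that a report scans for abnormal behaviour such as repeated denied access or a burst of downloads. The ACL, users, paths, timestamps and thresholds are all constructed assumptions.

```python
"""
Added example, not Perivan's code: a minimal model of the two Data Room
controls described above, granular permissions resolved down a folder tree
and an audit trail that is reported on to flag abnormal behaviour.
All paths, users, permissions and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumed permission model: an ACL entry grants a user a set of actions on a
# path; the most specific (deepest) matching path wins, so a grant on a
# sub-folder or single document can tighten or widen a folder-level grant.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "/deal": {"alice": {"view", "download"}, "bob": {"view"}},
    "/deal/legal": {"bob": set()},                   # bob is shut out of legal ...
    "/deal/legal/nda.pdf": {"bob": {"view"}},        # ... except for the NDA itself
    "/deal/finance/model.xlsx": {"carol": {"view"}},  # carol may view one document only
}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    action: str
    path: str
    allowed: bool


AUDIT_LOG: List[AuditEvent] = []


def effective_permissions(user: str, path: str) -> Set[str]:
    """Walk from the document up to the root; the deepest ACL entry that names
    the user decides. An empty set is an explicit deny; no entry at all is a
    default deny."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts), 0, -1):
        prefix = "/" + "/".join(parts[:depth])
        entry = ACL.get(prefix)
        if entry is not None and user in entry:
            return entry[user]
    return set()


def request(user: str, action: str, path: str, when: datetime) -> bool:
    """Authorise one action and record it, allowed or not, in the audit trail."""
    allowed = action in effective_permissions(user, path)
    AUDIT_LOG.append(AuditEvent(when, user, action, path, allowed))
    return allowed


def activity_report(log: List[AuditEvent], window: timedelta = timedelta(minutes=10),
                    max_downloads: int = 5, max_denied: int = 3) -> Dict[str, List[str]]:
    """Collate the trail per user and flag two simple abnormal patterns:
    repeated denied requests (probing) and a burst of downloads inside `window`."""
    flags: Dict[str, List[str]] = defaultdict(list)
    by_user: Dict[str, List[AuditEvent]] = defaultdict(list)
    for ev in log:
        by_user[ev.user].append(ev)
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        denied = [e for e in events if not e.allowed]
        if len(denied) >= max_denied:
            flags[user].append(f"{len(denied)} denied requests")
        downloads = [e.when for e in events if e.allowed and e.action == "download"]
        for i, start in enumerate(downloads):
            burst = [t for t in downloads[i:] if t - start <= window]
            if len(burst) > max_downloads:
                flags[user].append(f"{len(burst)} downloads within {window}")
                break
    return dict(flags)


def run_demo() -> Dict[str, List[str]]:
    """Replay constructed traffic against the ACL and return the activity report."""
    AUDIT_LOG.clear()
    t0 = datetime(2024, 1, 15, 9, 0)  # constructed timestamp
    # bob probes three legal documents he is shut out of, then views the NDA he may see
    for i, doc in enumerate(["board_minutes.pdf", "claims.docx", "draft_spa.pdf"]):
        request("bob", "view", f"/deal/legal/{doc}", t0 + timedelta(minutes=i))
    request("bob", "view", "/deal/legal/nda.pdf", t0 + timedelta(minutes=4))
    # alice bulk-downloads six finance documents in under two minutes
    for i in range(6):
        request("alice", "download", f"/deal/finance/doc{i}.pdf", t0 + timedelta(seconds=20 * i))
    # carol behaves normally: one permitted view and one denied download
    request("carol", "view", "/deal/finance/model.xlsx", t0)
    request("carol", "download", "/deal/finance/model.xlsx", t0)
    return activity_report(AUDIT_LOG)


if __name__ == "__main__":
    for user, reasons in run_demo().items():
        print(f"{user}: {'; '.join(reasons)}")
```

Two design points carry over to a real Data Room: the authorisation decision and the audit record are written in the same step, so every denied attempt is visible to the report, and the thresholds are parameters rather than constants, since what counts as abnormal for a deal team differs from what counts as abnormal for an external adviser.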
Secure sharing of information: A Data Room provides a safe and secure space for sharing confidential information with employees, customers, clients, business partners and advisers. Information can be easily structured to simplify the search process. Users with pre-approved permissions can access information at any time and from anywhere, thereby removing the need to send information by email or GFSS and the risks that come with it. A Data Room enables secure collaboration between multiple parties in private and group chats, together with Q&A sections to answer commonly asked questions and mechanisms for answering more specific questions.
The increase in cybercrime makes information security a top priority for organisations. Without adequate systems and processes organisations will be vulnerable to potentially ruinous data breaches. A Virtual Data Room provides the functionality, processes and controls needed to store and share confidential information securely and efficiently, and is a far superior solution to email and GFSS, which leave an organisation open to external attack and human error.
If you would like to see how Perivan’s market-leading Data Room Engage can solve your Data Room needs, contact the Perivan team who can arrange a demo and answer your questions.