Rapid digitization and workplace mobility have made our lifestyles far more ergonomic than before. However, this increased everyday accessibility has created a plethora of opportunities for cyber attackers to engage in unethical and unlawful activities. According to a recent survey by EY Forensic & Integrity Services and ACFE Mumbai Chapter, 40% of senior legal and risk executives stated they had witnessed a cyber breach in their organizations in the last year.
Information does not have to be digitized to be compromised, but digital files have made data breaches ubiquitous. Cybercriminals continue to expose and endanger consumers’ personally identifiable information (PII) as well as their protected health information (PHI) at a worrying rate. To avoid regulatory action or litigation, as part of their incident response frameworks, companies should disclose data breaches to their stakeholders, including regulators, if PII or PHI has been exposed. But doing so is no easy feat: identifying a PII or PHI leak requires specialized resources and modern technological solutions in conjunction with a well-established data breach response plan.
What types of data can be compromised?
Different types of data tend to be useful to third parties, and they pose varying degrees of danger to a company. Examples of different kinds of information include:
- Personally identifiable information (PII) – This refers to any data that could be used to identify a specific person. It comprises contact details, birth date and educational background.
- Financial information – This includes credit card numbers and income statements, bank account and investment details, and any other similar information.
- Protected health information (PHI) – This contains details about individuals’ medical history such as previous or existing ailments, prescription medicines, therapies, and medical or health records.
- Intellectual property information – This refers to product drawings and manuals, specifications, scientific formulas, marketing texts and symbols, proprietary software, and other materials generated by the company.
- Information on the competition – This includes competitive market information, market research, pricing data, and business plans.
Personal, financial, and health information can be misused for fraud, identity theft, and unsolicited marketing, while intellectual property can be infringed or misused to create products and services that emulate another brand. Competitors may sell competitive information to thwart an organization’s growth plans and goals, and leak privileged information, which may end up jeopardizing the organization’s legal position. IT security data is another valuable target since it can allow unauthorized parties to access a variety of data within the company’s system.
The risk within - How internal stakeholders may pose a threat
With the advent of remote working, multiple stakeholders – employees, vendors, third parties, gig workers – can pose a threat as they have access to the company’s network and sensitive data. This data can be easily accessed from within the network, through external email accounts, mobile devices, and even the cloud.
Insider threats can potentially lead to a failure in data protection and threat mitigation strategies. Disgruntled employees may leak confidential information, or even sell it for a profit to external parties. Cloud data and email accounts are frequently used by employees of the company’s cloud services provider, and mobile devices may be misplaced, hacked or corrupted. In the face of such dangers, businesses must assess the repercussions of data breaches and devise risk mitigation strategies to address internal threats as well.