Throughout the pandemic, much of our everyday lives moved online. We ordered groceries online, packages from online retailers arrived daily at our doors and we signed up to apps to track our daily exercise. With every package ordered and every new app signed up to, companies collected more and more data from customers.
The pandemic has also normalised personal data collection in new areas of our lives, with contactless table service in pubs and restaurants now run through apps that ask for personal information such as email addresses and postcodes. As Omicron spreads across the globe, this is only going to become more commonplace.
While online shopping and signing up to apps are nothing new, the pandemic has accelerated the speed at which businesses implemented them, leading to a data bonanza where many companies are holding more data than they intended or need to. Businesses must consider what data they truly need and ensure any data they keep is safe from a serious security breach.
What causes data breaches?
First, it’s important to understand how data gets breached in the first place. The leading cause of data breaches is criminal hacking. That may sound like a matter of attacker determination, but in practice criminal hacking is usually facilitated by old, unpatched security vulnerabilities that the company should have fixed long before. This is especially common in applications written by smaller teams with fewer eyes on their systems, so mistakes are not picked up quickly enough.
In fact, according to recent data, 99.9% of exploited vulnerabilities were compromised more than a year after the associated Common Vulnerabilities and Exposures (CVE) entries were published. In other words, attackers rarely need a new flaw; the old, publicly documented ones are still working. It is therefore crucial that businesses keep everything up to date, to shrink the window in which criminals can exploit known vulnerabilities.
Another common source of breaches is data held in the cloud. As many as 50% of companies now store their data in the cloud, up from 30% in 2015. While third-party cloud services offer many benefits for storing data, they also carry their own set of risks. Because cloud resources are managed remotely and are reachable over the internet, a misconfigured access policy or storage bucket can expose data to anyone, not just to people inside the organisation’s own network.
There are cases where the cloud provider is liable for a breach, for example a faulty update on its side, but these are rare. Under the shared-responsibility model the company holding the data remains the data controller, and the onus is on it to comply with UK GDPR to avoid fines. Those fines are substantial: up to £17.5 million or 4% of annual global turnover, whichever is higher, so it is in a company’s best interest to keep all data safe and compliant with the regulations.
The danger of unnecessary data
Data is crucial to effective businesses, so obviously it’s not an option to hold nothing. They just need to consider carefully what data is needed, ensure proper regulations are followed and delete any data that isn’t essential to the running of their business.
For the data they deem essential, the onus is on the business to take the necessary security measures to protect it, and to ensure that only the people who need access to it have it, and only to the parts of it they actually need.
Finally, businesses should stop collecting unnecessary data as soon as possible. Email receipts, for example, are mildly convenient, but there is evidence that they are being abused: mystery shoppers found that four out of 11 major high street retailers who offered email receipts went on to send marketing emails, despite the shoppers having said they did not want them, in breach of GDPR. Unless a company can demonstrate that it had a lawful basis for each such use of the data, it is at serious risk of a heavy fine.
How can businesses mitigate the data breach risk?
One of the best ways to avoid breaches is to train all staff members to think like a DevSecOps professional. Because a data breach could originate with anyone, that means training everyone from the cleaning staff to the CEO, covering basics such as not letting unauthorised individuals into server rooms and proper password hygiene.
Going a level deeper, businesses also need to teach staff how security is managed and integrated in the cloud as opposed to on site, how their cloud provider handles firewalls and VPNs, and who in the company is authorised to access which data, so that information is not passed to the wrong person.
They don’t need to learn to code, but teaching and encouraging all staff to install software updates promptly will also mitigate numerous risks. Websites and software systems are like plants: they need constant tending, weeding and watering. Neglect them and they become vulnerable.
Technical measures help, but keeping staff happy also makes it less likely that someone will deliberately leak private data to damage the company’s reputation. There are numerous examples of insiders sabotaging their employers, including the 2018 case in which a Tesla employee released ‘gigabytes of Tesla data to third parties’ over grievances with the company.
Finally, businesses could consider running their systems on an open source database such as PostgreSQL. Its source code is read by far more people than a small development team could ever manage, which helps to find and fix vulnerabilities that might leak data. Only a small group of around 26 committers can change the Postgres source, but every change is posted publicly and reviewed by hundreds of people, so if anything suspicious does happen it is quickly picked up and resolved.
Furthermore, it takes years for somebody to earn the trust needed to commit changes to Postgres, so business leaders can have confidence that the code handling their data is in responsible hands. Businesses can also save money with Postgres, because the open code can be audited by the business itself, which is generally not possible with closed source products without spending substantial sums.
It’s important to remember that security is like an onion: there are layers of protection, from row level security on an individual table, through encryption of client connections (TLS) and host-based access controls, all available in a mature and feature-rich open source database such as Postgres, with hundreds of people watching for bugs and fixing them quickly to protect your most precious asset: your data.
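To make the "only the people who need it" principle and the "row level security" layer concrete, here is an added example (not code from the original article or from the PostgreSQL project) that builds two of those onion layers in plain PostgreSQL: column-level grants so that branch staff can never read the email column, and a row level security policy so that each branch sees only its own customers. The table, column and role names, the branch codes and the sample rows are all assumptions constructed for the demonstration; run it as a superuser in a scratch database.

```sql
-- Added example, not code from the original article: least privilege and row
-- level security for a PostgreSQL table holding customer contact details.
-- Table, column and role names are assumptions chosen for this demonstration.

CREATE TABLE customer_orders (
    order_id   bigserial PRIMARY KEY,
    store_code text        NOT NULL,   -- branch that took the order
    email      text        NOT NULL,   -- personal data: keep readers to a minimum
    postcode   text        NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Constructed sample rows, inserted as the table owner before RLS is enabled.
INSERT INTO customer_orders (store_code, email, postcode) VALUES
    ('LEEDS', 'a@example.com', 'LS1 1AA'),
    ('YORK',  'b@example.com', 'YO1 1AA');

-- Which login role belongs to which branch. Binding the policy to the role
-- name (current_user) rather than to a session variable set by the client
-- means a staff login cannot switch branches just by changing a setting.
CREATE TABLE branch_roles (
    role_name  text PRIMARY KEY,
    store_code text NOT NULL
);
INSERT INTO branch_roles VALUES ('staff_leeds', 'LEEDS'), ('staff_york', 'YORK');

-- A NOLOGIN group role carries the grants; one login role per branch.
-- The passwords are placeholders for the demo only.
CREATE ROLE store_staff NOLOGIN;
CREATE ROLE staff_leeds LOGIN PASSWORD 'placeholder-change-me' IN ROLE store_staff;
CREATE ROLE staff_york  LOGIN PASSWORD 'placeholder-change-me' IN ROLE store_staff;

-- Start from nothing, then grant only what the job needs.
-- The email column is deliberately left out of the SELECT grant.
REVOKE ALL ON customer_orders, branch_roles FROM PUBLIC;
GRANT SELECT (order_id, store_code, postcode, created_at) ON customer_orders TO store_staff;
GRANT INSERT ON customer_orders TO store_staff;
GRANT SELECT ON branch_roles TO store_staff;   -- the policy below reads it as the caller

-- Row level security: each branch sees and writes only its own rows.
-- The table owner bypasses policies unless ALTER TABLE ... FORCE ROW LEVEL
-- SECURITY is also set; superusers and BYPASSRLS roles always bypass them.
ALTER TABLE customer_orders ENABLE ROW LEVEL SECURITY;

CREATE POLICY branch_isolation ON customer_orders
    FOR ALL
    TO store_staff
    USING (store_code = (SELECT b.store_code FROM branch_roles b
                         WHERE b.role_name = current_user::text))
    WITH CHECK (store_code = (SELECT b.store_code FROM branch_roles b
                              WHERE b.role_name = current_user::text));

-- Demonstration from the Leeds branch's point of view.
SET ROLE staff_leeds;
SELECT order_id, store_code, postcode FROM customer_orders;  -- only the LEEDS row
SELECT email FROM customer_orders;                            -- fails: permission denied for table customer_orders
INSERT INTO customer_orders (store_code, email, postcode)
    VALUES ('YORK', 'c@example.com', 'YO1 2BB');              -- fails: new row violates row-level security policy
RESET ROLE;
```

Two points worth noting. The policy runs its subquery with the caller's privileges, which is why `branch_roles` needs an explicit SELECT grant; forgetting it makes every row invisible rather than visible, which is the safe failure. And the outer layers of the onion live outside SQL: the host-based access control the article mentions is configured in `pg_hba.conf`, where a `hostssl` line restricts which roles may connect from which networks and forces TLS for the connection, so the email column is protected in transit as well as at rest.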