2016-03-24



When 5 million adults and children downloaded games onto their VTech computer tablets last year, they hardly suspected they were exposing their private information to hackers.

The news hit on Black Friday. An attack on VTech’s online portal succeeded in breaking the lock on 5 million customers’ personal records, from emails, mailing addresses, passwords and security questions (and answers) to children’s names, genders and birthdates.

The massive data breach points to a mounting cybersecurity threat posed by the Internet of Things, a vast and growing network of digital devices and their related technologies, such as WiFi and online portals, that share data through the Internet. Consumers will use an estimated 6.4 billion connected “things” in 2016. That’s 30 percent more than last year — and the number is expected to climb to 20.8 billion by 2020. All of these “things” represent potential weak spots in a company’s data security.

“The rapid growth of the Internet of Things and the digital economy is posing enormous challenges to businesses and the public sector in terms of protecting personal data privacy and building trusted relationships,” says ForgeRock, a provider of identity management solutions.

As the Internet of Things has grown, so have cyberattacks. The number of attacks has escalated by 176 percent in the past five years, and more than eight in 10 organizations say they’ve experienced data breaches.

The cost of each data breach is increasing too. One study found that the average total cost grew 23 percent over the past two years to $3.79 million. Businesses that suffer a breach must pay, on average, $154 per lost or stolen record — a six percent increase from 2014.

When you consider that the average incident involves 28,070 compromised records, those costs add up fast.

It’s not just a problem for large corporations, either. Small and medium-size businesses are also at risk. In the digital age, it’s not so much about the size of a company’s revenue or payroll as it is about the amount and sensitivity of customer data they collect.

Despite the high stakes, a shocking number of businesses lag behind when it comes to protecting their customers’ information. More than 90 percent of companies faced data privacy challenges in 2015, yet nearly a quarter of them failed to implement any kind of data privacy policy — often a company’s first line of defense against privacy breaches.

Protecting Customer Data from Employees

Still, having a privacy policy is no guarantee. As many as 82 percent of companies have employees who blatantly disregard it.

As a result, 61 percent of data breaches are ultimately committed by employees; around 36 percent stem from employee mistakes, while another 25 percent are initiated by malicious insiders.

Many companies focus their data protection efforts on guarding against external threats. But data privacy — ensuring the information isn’t misused, misappropriated, or publicly exposed by employees with authorized access — often goes neglected.

To prevent employee-generated data breaches, companies should:

Train employees on data privacy. Just having a data privacy policy in place isn’t enough. More than half of businesses lack employee awareness or understanding of these policies, and 36 percent don’t have processes for training or auditing employee behavior when it comes to data privacy. This makes it essential for organizations to provide adequate data privacy training to employees who have access to consumer, employee or company records.

Limit data access. The less customer data employees have access to, the fewer opportunities there are for a data breach (intentional or otherwise). By setting up multiple levels of user access within your company, you can limit employees to only the information they need to do their jobs effectively.

Protect employee mobile devices. Nearly a third of U.S. employees store corporate data on their personal smartphones, and more than 70 percent of IT decision makers consider mobile devices to be a major security risk for businesses. To manage mobile-related risks, companies can use remote wiping capability as a key tool. Additionally, businesses can require employees to notify the company if a device is lost or stolen.

Investing in Data Protection Technology

Employee error aside, outside hackers still pose a significant threat to businesses. It’s up to leaders to prioritize creating secure information systems for their customers. Yet more than a third of IT professionals say data privacy isn’t even on their executives’ radar.

Around 45 percent of companies lack an adequate budget for data privacy, and nearly a quarter say cybersecurity is too expensive to implement.

At the same time, nine in 10 IT professionals are predicting that companies in the near future will increasingly need dynamic and flexible privacy tools that can adapt to both consumer expectations and regulatory requirements. Fewer than one in 10 believe current data protection methods will be able to adapt to the needs of an emerging digital economy.

“As connected devices and technologies take on a greater role in public and private life, there are massive business benefits to building in new identity and data privacy solutions that can scale over time,” said ForgeRock CEO Mike Ellis. “Organizations clinging to legacy identity management technologies — which are currently inadequate — will be at a major disadvantage.”

In addition to exploring emerging technologies, companies should:

Re-evaluate data encryption practices. If you haven’t recently reviewed how your company encrypts data, you’re probably not up to snuff. “Companies that were encrypted based on what standards were five years ago are easily broken into today,” said Craig Spiezle, executive director for Online Trust Alliance. He recommends whole-disk encryption, particularly if your employees access customer data on their personal devices, as it offers better protection in case the device is lost.

Use data loss prevention (DLP) tools. A DLP platform offers a heightened ability to monitor and track data. It also allows business leaders to automate and enforce policies regarding how customer data is used and transferred. For example, the software can block any files containing a Social Security number from being sent outside the company. While DLP technologies are typically recommended for larger businesses, they’re also helpful for smaller companies with big data privacy needs. “I’ve seen companies with as little as 100 employees using it,” Spiezle said.

Get a third-party audit. A security audit performed by an outside party can provide an objective review of your data privacy infrastructure as well as recommendations for bulletproofing your information security system.

With several high-profile corporate data breaches in the not-too-distant past, customer data security is a major issue for many businesses, and it’s only going to grow. Companies that are proactive about protecting their customers’ information will have the advantage as information privacy demands increase.
