Getting ahead of cybercrime: Part 3

The digital data held by your business is incredibly valuable, especially when it’s integrated with your technology and readily accessible through cloud services. It has the potential to provide benefits, insights and improvements well into the future. 

That data can also make your business an attractive target for cybercriminals, who will steal and sell your data if given the opportunity.

As the data your business holds grows in size and complexity, it can be overwhelming to manage and difficult to protect. Some businesses remain unaware of the obligations and risks associated with their data until it’s too late.

We want you to be aware of your company’s potential Blindspots, and consider them along with the other areas of concern discussed in our previous articles on Imposters and Attackers.

Below you’ll find details on what to watch out for, along with relevant stats from Verizon’s 2021 study on global data breaches, and links to resources with more information.

Regularly check your ‘Blindspots’

It’s easy to understand why it’s necessary to secure sensitive or confidential business data against cybercrime threats. However, there’s another type of data you’re obligated to protect, with additional risks, that businesses often overlook.

Personal information 

• This is any data that can be used to identify an individual, and has the potential to be harmful to an individual, if exposed.
• This data may be related to your customers, suppliers or even yourself or your employees.
• Be especially mindful of any contact details, payment information, tax details, or identification numbers that might be stored in your systems. 
• Some of this data is useful and necessary for your business to operate, but also comes with legal, contractual and ethical requirements around its use. 
• Verizon found that 39% of data stolen from small businesses was personal information. 

Privacy laws (globally) 

• Individuals and governments around the world are increasingly concerned about how businesses safeguard any personal information they hold.
• Legislation has been rolled out around the world designed to protect individuals, and hold businesses accountable (for example, GDPR, AU privacy laws, NZ privacy amendments).
• Your business is obligated to comply with these privacy laws in whichever regions you do business.
• Failing to meet your obligations can result in serious legal action and fines, so it pays to be proactive.

Protect yourself:

It’s critical to review the personal information your business is using, and ensure it’s stored securely and in-line with industry best practices. 

Train your employees to take care when handling personal information, and if they need to store it or share it, how to do so safely.

Depending what countries you do business in, you may need to comply with one or more privacy laws. Being familiar with any legal or reporting obligations you have can help shape your own policies and ensure you’re prepared if personal information is deliberately or accidentally exposed. 

As part of a global advisory council on Responsible Data Use, Xero has committed to a framework that guides us in how we protect and use customer data. We want to share our research and provide guidance on how your business can benefit from doing the same.

Insider threats 

• Risks to your data can come from within your business, and could be deliberate or accidental.
• Misuse: A disgruntled employee could deliberately use their position and ability to access information to steal data for revenge or profit.
• Mishandling: Untrained staff may not realise the sensitivity of some data, and could accidentally expose it through insecure storage or sharing.
• Once sensitive data is exposed deliberately or accidentally, it’s not possible to regain control of it. 
• Insider threats can be difficult to detect, and in some cases it can take years to discover mishandling or misuse of data.
• According to Verizon’s 2021 report, personal information was exposed in 80% of cases due to human error.

Protect yourself:

Protect your business by following the advice above to identify and secure the personal information your business holds on your customers and employees. Review what personal information is being stored, how it’s being stored and who has access to sensitive data. Limit access to personal information to only those who actually need it to carry out their job. Ensure that your business isn’t using shared logins as well, so you have an accurate audit trail if you ever need to investigate access to the data.

For a more structured approach, we recommend performing a cybersecurity risk assessment for your business. It’s the best way to gain a comprehensive overview of the most important data you hold and how it might be vulnerable. Take this a step further by creating an internal cybersecurity policy to guide employees on the acceptable use of company technology and data.

Take a layered approach

Through this series, we’ve covered a number of cybercrime risks posed by Imposters, Attackers and Blindspots. Any one of these threats can have the potential to cause financial losses and serious damage to your business’ reputation. Once an incident occurs, it’s likely to leave you vulnerable in other areas too. Cybercriminals know this, and often combine their methods to take advantage in as many ways as possible. 

For example, phishing emails and fake Wi-Fi can lead to ransomware or account takeovers, which could result in the theft or exposure of personal information.

That’s why it’s important to combine your cybersecurity measures to give yourself broad and effective protection, with in-built redundancy to minimise the damage if anything gets through.

If we apply this to the example above, you can reduce the chance of phishing and fake Wi-Fi incidents by educating your employees on what to look out for.

If someone still makes a mistake, having anti-malware and strong security on company accounts reduces the risk of a device being infected or an account being taken over.

Even if this happens, by limiting access to personal information and storing it securely makes it difficult to steal or expose. In addition, having backups of this data can help you recover quickly, if your devices are locked behind ransomware.

Ultimately, you’re making yourself a less attractive target by having a series of security hurdles and safety nets that will increase the difficulty for cybercriminals or internal threats, and likely discourage them from pursuing their end goal.

What’s next?

If you haven’t already, take a look at our previous articles on Imposters and Attackers. Get familiar with each ‘area of concern’ we’ve covered and the measures you can take to protect your business against them. Check out the links to the resources we’ve provided, and share them with your employees too.

Taking these steps will equip you and your employees to have meaningful internal conversations about cybercrime and cybersecurity. You’ll also be able to seek guidance from IT professionals to find a strategy that’s tailored to meet your needs and budget.

Remember that each security measure you implement will help to break the threat chain, and combining your defences is an effective way to reduce your overall risk.

When compared to the costs and damages of cybercrime, cybersecurity measures will save your organisation time and money. Get started today so your business can continue enjoying the benefits of the cloud with confidence for years to come.