When it comes to data breaches and leaks, companies tend to be aware of the damage these could inflict on their user base. But while unaffected companies analyze the situation to ensure that they’re not next, they often overlook the damage already done through their employees.
Data Breaches Are on the Rise
The increase isn’t limited to the frequency of reported incidents; it also shows in the volume of compromised data, records, and files. While the number of breaches dropped drastically between 2019 and 2020, the volume of records exposed more than doubled.
But in a world where data breaches and leaks are an everyday occurrence, it’s every company for itself. And since prevention is no longer a viable option, companies now focus on response and damage control. Still, the majority of efforts are directed toward a demographic of average consumers and their need for privacy and security, not people who work at companies with confidential databases of their own.
The number one motivation for hackers is financial gain, but that isn’t always reflected, even indirectly, in the type of data that they target in a breach. Hackers who steal data to sell on the dark web rarely make much profit off of financial information, especially if it comes from prepaid payment cards.
This type of info doesn’t sell very well on the dark web because these cards rarely have sufficient funds, and because banks and financial services providers tend to have strong security and identity verification requirements. Take, for example, the latest incident of the 600,000 payment cards that were leaked on the dark web. They barely contained any funds, and the cards averaged under $50 each.
It’s personal information that could be used to inflict the most damage: anything from a person’s full name, phone number, and email address to their social security number and other personal information and files.
Payment cards are for hackers looking for a relatively safe and quick profit. Personal information is used by malicious individuals looking for bigger targets.
Consequences for Employees
Every employee, in any industry or company, is a consumer of other companies. Data breaches and leaks at those companies can affect your employees and your business in multiple ways.
Increased Stress and Lowered Productivity
There’s no denying the emotional impact that people face when they realize that their privacy has been violated. And depending on the type of personal data that was included in the breach, their personal lives and relationships could have taken a hit as well, all of which can bleed into their work environment, leading to lowered productivity and quality of work.
Compromised data and personal information take a lot of work to secure and change. Employees could be overworked by having to visit their banks to secure their accounts and by having to replace all the old email addresses and passwords for those accounts, which are nothing short of a ticking time bomb.
The mental effects of a data breach are employee-centric and could affect their work. Still, there’s always the more direct threat of cross-contamination.
The kind of data exposed depends on the type of breach that one or more of your employees were included in. If cybersecurity and digital-distancing awareness isn’t prominent in your company, then having one employee’s information leaked could also jeopardize the security of your digital assets.
If they use the same email address, phone number, or even passwords for their personal accounts as for their work-related accounts, then whoever gained access to their info and credentials can now infiltrate the company. The consequences could be even more dire if they store work-related files on personal devices and cloud storage.
Easier Targets for Phishing Schemes
Phishing attacks rely primarily on how much the perpetrator knows about their target. So, while phishing scams about winning an automatic lottery, a distant relative’s inheritance, or package delivery fees rarely work nowadays, highly personalized ones are harder to avoid. The attacker can include classified and sensitive information about their target, such as their social security number and date and place of birth, to seem more legitimate.
A phishing attack motivated by a data breach isn’t likely to be after the person themselves. After all, the attacker might know where the person works, along with their position and hierarchy in the company. They could use one of your employees as a gateway to your company as a whole, similar to phishing schemes directly targeting businesses, but with a much higher success rate.
There isn’t much that you can do when it comes to protecting other businesses from data breaches and leaks. But that doesn’t mean that you can’t react properly and prepare for the possibility of being indirectly included in one.
Enforce Digital Distancing
Digital distancing in a work setting is the practice of limiting or eliminating the connection between employees’ personal and work devices and accounts. This approach can be harder to implement in smaller businesses that don’t have the budget to provide staff with work-issued devices and in businesses that rely heavily on remote workers who use their personal laptops and accounts to work on company projects—like using their email to sign in to a work-only platform.
Even if device separation isn’t included, you should still enforce account separation. Emphasize that every employee must have work-only accounts and strong passwords that never get used on personal accounts, along with enforcing a type of identity verification like 2FA or passwordless logins.
Encourage Open Communication
No one believes that they could ever fall for a phishing scheme, but it still happens. In addition to providing regular and intensive training on the latest phishing attacks, you shouldn’t leave employees to deal with complex phishing attacks alone.
Promote open communication between your employees and the company’s IT and security departments. Encourage employees to contact them regarding any email or message that they deem suspicious. You should also avoid blaming employees by default. That way, if an employee does fall for a phishing attack, they will immediately contact the IT department instead of panicking and trying to cover up the problem themselves.
Offer Moral Support
When it comes to managing employees’ stress and the emotional impact that they suffer after a data breach, the only thing that you can provide is understanding and moral support. Also, the sooner they get their lives back in order, the sooner they’ll be able to work properly again.
Consider offering victims of data breaches and leaks the time off and flexible schedule that they might need to meet with their banks and visit government offices to change and secure their personal information.