Averting Security Breaches in an Organisation

A "breach" is an incident in which sensitive or confidential information is made available to unauthorised individuals in some way. A breach can happen in any way and  have long-term effects that go beyond the loss of data. The consequences of such breaches could also include financial and reputational loss due to heavy regulatory penalties, among others. Because of this, it is important to put in place the right safeguards to prevent a breach from happening.

Breaches may occur through social engineering techniques such as phishing, tailgating, pretexting, baiting, and quid pro quo. Malware, ransomware, and insider threats are additional forms of breaches. Typically, the goal of a cyberattack is financial gain. Other motivations could be political or personal in nature. Article 2.6 of the Nigeria Data Protection Regulation 2019 (NDPR) imposes a data security obligation on data controllers and processors. This provision requires data controllers and processors to implement security measures such as installing firewalls, securely storing data with access restricted to specific authorised individuals, implementing data encryption technologies, developing organisational policies for handling personal data (and other sensitive or confidential data), protecting email systems, and continuously building staff capacity.

Ways to prevent data and security breaches:

  • Access control: Every organisation should limit access to personal and sensitive data. Records should be partitioned so that only those with a specific need for access have the appropriate level of access for the required time frame/period.

  • Employee training: Employees are widely regarded as the weakest link in the data security chain. Organisations should prioritise regular employee training so that every member of the company can easily identify phishing attempts.

  • Unpredictable and complex passwords or pass-phrases: Make sure all of your passwords are long and difficult to decipher. Change all passwords on a regular basis, and never reuse passwords.

  • Two-factor or multi-factor authentication: The authentication can be what you know, such as a password, what you have, such as your phone, or what you are, such as biometrics.

  • Software updates and vulnerability patching: All application software and operating systems should be updated on a regular basis. Install patches whenever available. This helps to improve network security and prevent attacks.

  • Firewalls and network segmentation: A properly configured firewall acts as a barrier between networks with varying levels of trust, blocking unauthorised incoming traffic and making it easy to contain attacks.  

  • Encryption: Both data in transit and data at rest should be encrypted, as stolen encrypted data has no value. This restricts data access and renders it useless to those who do not have the key.

  • Data minimisation: Limit the collection of personal information to what is directly relevant and required to achieve a specific goal. Retain the data for no longer than is required to achieve the purpose.

Additional measures include regular security audits, off-site data backups, third-party risk management, data de-identification, anonymisation, and pseudonymisation.

It may not always be possible to prevent a data breach, as no security system can be completely foolproof. In the event of a breach, it's important to have an incident/breach response plan that will trigger a quick response right after the breach. This will lessen the damage caused by the breach. Achieving the highest level of security helps businesses comply with regulations and instils trust in data subjects, investors, and the general public.