How to avoid expensive data breaches: Data security for SMEs

Arthur
17.07.2024

Whether you're a billion-dollar corporation or a medium-sized business, data leaks are a growing problem for companies of all sizes. Are companies defenceless against the now highly professionalized cyber criminals? No, but German companies must adapt their security measures to the new era. Outdated strategies are like an umbrella with holes in it during a storm - they do not offer sufficient protection.

Data leaks are increasing worldwide: small and medium-sized companies are also being targeted by criminals.

According to IBM’s Cost of a Data Breach Report 2023, a data breach costs companies an average of 4.5 million USD. This cost encompasses financial losses, for example due to production downtime, expenses for IT security specialists and consequential damages such as fines. Also, companies suffer reputational damage, which often leads to a lasting drop in sales.

Anyone who follows reports on cybersecurity incidents knows that the number of successful attacks on sensitive data in companies has been increasing for years. 

Prominent cases of data breaches in 2023

In 2023 alone, 953 cyberattacks happened in Europe, with over 5.3 billion records stolen. These data leaks can be caused by a variety of errors, such as an unencrypted database exposed on the Internet, a click on a phishing email, or a login password that is too easy to guess and grants access to sensitive data. Examples of this are:

  • An employee opens a phishing email, resulting in the compromise of sensitive patient data
  • An unencrypted database is accidentally posted on the internet, making customer data publicly accessible
  • A password that is too simple allows hackers to access sensitive data
  • A service provider receives sensitive data without sufficient security precautions and becomes the target of a cyberattack
  • A hacker attack exploiting a security vulnerability in an old software version leads to extensive data theft
  • Customer information is compromised through poorly secured cloud storage

It's clear that a lot needs to change in businesses on the continent when it comes to data security. 

7 Typical Mistakes That Lead to a Data Breach

What used to be a tried-and-tested approach to cybersecurity is no longer guaranteed to be the best possible protection against attackers. Many CEOs therefore misjudge how secure their organization actually is. Which oversights make data breaches more likely, and which measures provide the best protection?

1. Outdated Cybersecurity Technologies

Imagine trying to start a modern car with a key from 20 years ago. It won't work. The same applies to outdated protection systems such as virus scanners and firewalls. Small and medium-sized companies tend not to replace or update their cybersecurity and data protection software unless they have to. Even if your updates run automatically, that alone does not guarantee the best protection.

In view of the high complexity and dynamics of IT infrastructures, the latest technologies are needed to stay one step ahead of criminals. Companies should ensure that their cybersecurity is AI-supported and proactive so that they can identify security risks early on and, in some cases, close them automatically. 


Related topic: The growing importance of data protection in the age of AI


2. Inadequate Backup Strategies

A digital document safe with copies of important data is a good start, but imagine storing all your valuables in a single drawer. If a burglar finds it, everything is gone. Backups that are stored in only one place are just as insecure. Having no backup systems off-site and no automated backup plan are further weaknesses in protection that have far-reaching consequences in the event of a data leak.

Modern backup strategies combine backups on physical storage media with backups in cloud systems. They consist of full backups of systems, taken infrequently because they are time-consuming, and frequent backups of recent changes. With specialized software, this process can be orchestrated and optimized relatively easily.
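To make the full-plus-incremental scheme concrete, here is an added example in Python (it is not code from the article or from heyData, and the file set, the `BackupSet` structure and the function names are constructed for illustration). A full backup stores every file together with a manifest of hashes; each incremental stores only the files whose hash changed; a restore replays the chain and then checks the result against the last manifest, so a missing or corrupted incremental is caught when the backup plan is tested rather than during an emergency.

```python
import hashlib
from dataclasses import dataclass, field

# Hypothetical minimal full/incremental backup scheme (added example, not a product).
# A "source" is modelled as a dict of path -> file contents so the example runs offline.


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BackupSet:
    kind: str                  # "full" or "incremental"
    files: dict                # path -> bytes actually stored in this set
    manifest: dict             # path -> sha256 of EVERY source file at backup time
    deleted: set = field(default_factory=set)  # paths removed since the previous set


def full_backup(source: dict) -> BackupSet:
    """Time-consuming but self-contained: stores every file plus a manifest."""
    manifest = {path: sha256(data) for path, data in source.items()}
    return BackupSet("full", dict(source), manifest)


def incremental_backup(source: dict, previous: BackupSet) -> BackupSet:
    """Cheap and frequent: stores only files whose hash changed since the previous set."""
    manifest = {path: sha256(data) for path, data in source.items()}
    changed = {path: source[path] for path, digest in manifest.items()
               if previous.manifest.get(path) != digest}
    deleted = set(previous.manifest) - set(manifest)
    return BackupSet("incremental", changed, manifest, deleted)


def restore(chain: list) -> dict:
    """Replay a full backup and its incrementals, then verify against the last manifest."""
    if not chain or chain[0].kind != "full":
        raise ValueError("a restore chain must start with a full backup")
    state = dict(chain[0].files)
    for inc in chain[1:]:
        for path in inc.deleted:
            state.pop(path, None)
        state.update(inc.files)
    actual = {path: sha256(data) for path, data in state.items()}
    if actual != chain[-1].manifest:
        # A missing or corrupted link in the chain shows up here, before anyone relies on it.
        raise RuntimeError("restored data does not match the manifest: chain incomplete or corrupt")
    return state


def restore_ok(chain: list) -> bool:
    """True if the chain restores cleanly; run this regularly to test the backup plan."""
    try:
        restore(chain)
        return True
    except (RuntimeError, ValueError):
        return False


# --- Constructed sample data: three points in time of a tiny file set ---
SOURCE_V1 = {"a.txt": b"1", "b.txt": b"2"}
SOURCE_V2 = {"a.txt": b"1", "b.txt": b"22", "c.txt": b"3"}
SOURCE_V3 = {"a.txt": b"1", "b.txt": b"22", "c.txt": b"33"}

FULL = full_backup(SOURCE_V1)                # e.g. the weekend full backup
INC1 = incremental_backup(SOURCE_V2, FULL)   # Monday: stores only b.txt and c.txt
INC2 = incremental_backup(SOURCE_V3, INC1)   # Tuesday: stores only c.txt

if __name__ == "__main__":
    print("stored by INC2:", sorted(INC2.files))                        # ['c.txt']
    print("complete chain restores:", restore_ok([FULL, INC1, INC2]))  # True
    print("chain missing INC1 restores:", restore_ok([FULL, INC2]))    # False
```

The manifest is what turns "we have backups" into "we have verified backups": keeping a second copy of the same sets off-site and comparing manifests between the copies is the same check applied across locations.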

3. Incomplete Encryption 

A basic rule that is disregarded far too often: important data must be encrypted both in transit and at rest. Imagine sending a secret message in a transparent bottle: anyone who finds it on the way can read it. The same applies to unencrypted data. This kind of end-to-end encryption is not so easy to implement in day-to-day business, especially in mature companies where software solutions that are many years old, new platforms, locally installed programs and cloud applications all work together.

But if you don't want to invite hackers in, you have to overcome this complexity: The easiest way for companies to do this is to have their encryption practices and general IT security audited and optimized by specialized vendors. These security audits usually use penetration tests to simulate attacks by hackers. When introducing new applications, a data protection impact assessment is part of the standard process.

4. No Authorization Concepts 

People are often the biggest risk to data security: imagine if every employee in your company had a master key to every room and every file. The risk of sensitive data falling into the wrong hands would be enormous. The same applies if there are no clear authorization concepts.

Hiring an external data protection officer (DPO) can help here. These experts review existing data processing structures and practices. They then implement a concept that monitors and improves access controls using authorization management tools. Vendor risk management tools can also be used to assess the risk of external partnerships.
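The following added example in Python shows what an authorization concept looks like in practice; it is illustrative code, not from the article or from heyData, and the roles, permission names and user directory are constructed. Permissions are attached to roles rather than to individuals, the application checks a user's effective permissions before serving sensitive data, and an audit function lists the findings a data protection officer would review: permissions granted outside the role model, admin rights combined with everyday roles (the "master key"), and dormant accounts that still hold access.

```python
from dataclasses import dataclass, field

# Hypothetical role-based authorization concept (added example, not a product).
# Roles carry the permissions a job function needs; users receive roles, not permissions.
ROLES = {
    "support": {"customers:read"},
    "sales":   {"customers:read", "customers:write"},
    "hr":      {"personnel:read", "personnel:write"},
    "admin":   {"customers:read", "customers:write",
                "personnel:read", "personnel:write", "users:manage"},
}


@dataclass
class User:
    name: str
    roles: set
    days_since_login: int
    direct_grants: set = field(default_factory=set)  # permissions granted outside any role


def permissions_for(user: User) -> set:
    """Effective permissions: union of the user's roles plus any direct grants."""
    perms = set()
    for role in user.roles:
        perms |= ROLES.get(role, set())
    return perms | user.direct_grants


def is_allowed(user: User, permission: str) -> bool:
    """The check an application performs before serving sensitive data."""
    return permission in permissions_for(user)


def audit(users: list, dormant_after_days: int = 90) -> list:
    """Findings for an access review, as (user, description) pairs."""
    findings = []
    for u in users:
        if u.direct_grants:
            findings.append((u.name, "direct grants outside the role model: "
                             + ", ".join(sorted(u.direct_grants))))
        if "admin" in u.roles and len(u.roles) > 1:
            findings.append((u.name, "admin role combined with other roles (master key)"))
        if u.days_since_login > dormant_after_days and permissions_for(u):
            findings.append((u.name, f"dormant account ({u.days_since_login} days) still holds access"))
        if "users:manage" in permissions_for(u) and "admin" not in u.roles:
            findings.append((u.name, "can manage users without holding the admin role"))
    return findings


# Constructed sample directory
USERS = [
    User("anna", {"support"}, 2),
    User("ben", {"sales"}, 5, direct_grants={"personnel:read"}),
    User("clara", {"hr"}, 120),
    User("dave", {"admin", "sales"}, 1),
]

if __name__ == "__main__":
    print("anna may read customers:", is_allowed(USERS[0], "customers:read"))    # True
    print("anna may write customers:", is_allowed(USERS[0], "customers:write"))  # False
    for name, problem in audit(USERS):
        print(f"- {name}: {problem}")
```

The audit is deliberately mechanical so that it can run on every access review instead of depending on someone remembering to look; the same idea applied to external partners is what vendor risk management tools automate.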


Related topic: 6 reasons for an external data protection officer


5. Lack of Security Awareness

Do you already have a comprehensive security concept? The document often lies unnoticed as a PDF paper tiger in digital folders. Where there is no technical constraint, many requirements are simply not implemented. 

Compliance training is needed so that employees understand why it is so important to adhere to certain processing steps and change the way they handle data. Imagine you have the best locks and alarm systems, but nobody locks the doors properly. It's the same with a lack of security awareness. It is essential to ensure that technical security measures are not undermined by careless behavior. 


Related topic: What are current best practices for data protection training? 


6. Lack of Guidelines for Action in the Event of Damage

Every organization needs a security policy that includes a record of processing activities (ROPA) for personal data and technical and organizational measures (TOM) to protect against data leaks. 

Employees need a single source of truth, a single central file in which they can read up on all issues relating to the correct handling of data and what to do in the event of a breach. What is the right response in the event of a data breach? Companies lose valuable time in an emergency due to a lack of clarity and ignorance, which unnecessarily increases the economic damage. 

7. Insufficient Monitoring  

New apps, new interfaces - the digital infrastructure in companies is developing dynamically. Imagine you have an alarm system that only checks once a day to make sure everything is OK. Burglars would have an easy time picking their moment. This is why preventive and detective controls are essential. They not only detect potential security gaps but also identify attacks that have already taken place and have gone unnoticed to date.

In view of the threat situation, spot checks are no longer sufficient. Instead, real-time monitoring is required. With intrusion detection systems (IDS), permanent and cost-efficient monitoring can be implemented.
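As an added example of the difference between a daily spot check and continuous detection, here is a small Python detector run over a constructed authentication log (this is illustrative code, not from the article or from heyData; the log format, the IP addresses from documentation ranges, and the thresholds are assumptions). It raises one alert when a source address accumulates five failed logins within a sliding 60-second window and another when a login from that address then succeeds, the pattern a once-a-day review would miss because the individual lines look harmless.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not real data); format modelled on a typical SSH auth log.
SAMPLE_LOG = """\
2024-07-17T08:00:01 sshd: Failed password for admin from 203.0.113.10
2024-07-17T08:00:03 sshd: Failed password for admin from 203.0.113.10
2024-07-17T08:00:05 sshd: Failed password for root from 203.0.113.10
2024-07-17T08:00:08 sshd: Failed password for admin from 203.0.113.10
2024-07-17T08:00:09 cron: daily report job started
2024-07-17T08:00:11 sshd: Failed password for admin from 203.0.113.10
2024-07-17T08:00:15 sshd: Failed password for backup from 203.0.113.10
2024-07-17T08:00:20 sshd: Accepted password for admin from 203.0.113.10
2024-07-17T08:05:00 sshd: Failed password for maria from 198.51.100.7
2024-07-17T08:05:10 sshd: Accepted password for maria from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log: str):
    """Yield structured login events; lines that are not login events are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
               "user": m["user"], "ip": m["ip"]}


def detect(log: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding-window detection of failed-login bursts and of a success following a burst."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    alerted = set()               # ips already reported for a burst (avoid repeats)
    alerts = []
    for ev in parse(log):
        window = recent[ev["ip"]]
        # drop failures that have aged out of the window
        while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append(("failed_login_burst", ev["ip"], len(window)))
        elif len(window) >= threshold:
            # a successful login right after a burst deserves immediate attention
            alerts.append(("success_after_failures", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The legitimate user who mistypes a password once (198.51.100.7) produces no alert, while the burst from 203.0.113.10 is flagged as it happens; a real IDS applies the same windowed logic across many event types and feeds the alerts into the incident procedure described in point 6.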

Technology is not enough: companies need expert know-how to successfully protect themselves against cyber attacks.

Data leaks are not an abstract threat. According to IBM, 95% of companies experience more than one data incident per year. SMEs in particular need to rethink their security strategies. New technologies, new legal requirements and growing IT infrastructures make security a highly complex topic that cannot be dealt with on the side. 

If internal know-how or resources are lacking, companies should seek support from external experts. Up to now, many management teams have cut back on investments in data protection and data security. However, these are not a luxury, but a pure necessity. Anyone considering whether they can afford to modernize their security concept should be aware of this: One successful attack can be enough to seriously jeopardize the future of the entire company. 
