You know what's interesting about data breaches? Everyone focuses on credit card numbers and financial data, but the reality is that every piece of information has value to someone.
The Legal Aid breach perfectly illustrates this point, with over two million pieces of information accessed including details about domestic abuse victims, family cases, and criminal proceedings. This isn't just about data, it’s a potentially life-threatening situation for some of the most vulnerable people in our society.
A few years ago Wendy Nather coined the phrase the ‘chemistry of data’, meaning that individual data elements may be inert, but when combined, they can create a toxic mix. Data security doesn’t involve just securing data at rest or in transit. It also needs to be secured in use.
To this point, we often see organizations prioritizing the protection of their crown jewels while overlooking the seemingly mundane.
Unfortunately, when a breach does occur, we see organizations proudly state how no financial data was stolen, or how passwords were secured, but then proceed to give a laundry list of personal data such as email addresses, phone numbers, names, addresses, dates of birth and so on which were breached.
With so many breached datasets, cybercriminals can relatively easily connect disparate pieces of information. Like a puzzle solver who can create a complete picture from fragments that might seem meaningless in isolation. In the wrong hands, even the most basic personal information can become the foundation for sophisticated social engineering attacks.
So what's the answer? It's about implementing what I call the DEEP approach:
Defend: Implement controls which can prevent criminals from reaching employees. Being able to block phishing emails, messages, or other forms of malicious communication. The more we can keep threats away from employees in the first place, the better placed they will be to spot an attack if one did get through.
Educate: Through security awareness and training, which includes nudges, simulations, and personalized content, build accurate mental models—a clear and accurate understanding of potential threats and vulnerabilities—enabling them to recognize red flags and make informed decisions to maintain a secure environment.
Empower: Create a culture where protecting information is everyone's responsibility. Make reporting security concerns as straightforward as possible and celebrate those who raise potential issues.
Protect: Implement multiple layers of security controls. Because even with the best prevention, incidents will occur. It's about minimizing impact and maintaining resilience.
The Legal Aid breach serves as a stark reminder that in modern security, there's no such thing as "low value" data. Every piece of information we hold carries potential risk. While we can't eliminate all vulnerabilities, we can create an environment where protecting information—all information—becomes part of our organizational DNA.
The true value of data isn't always apparent until it's in the wrong hands. Protection isn't about ranking importance—it's about recognizing that every data point matters.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
