
How much is your data worth to hackers?

SoftwareOne blog editorial team

Many businesses are at risk of losing data. Whether through a hacked email account, ransomware attack, malware, or another method, no organization is 100 percent safe from losing critical data. It may be difficult to realize the value of the data at stake until it’s in the hands of cybercriminals, but the hope is to never get to that point.

Additionally, Microsoft 365 has taken a dominant role as the productivity solution of choice for enterprise data: M365 is used by over a million companies worldwide, with over 731,000 companies in the United States alone. In other words, there’s value sitting right in your corporate inbox.

Your business keeps so much sensitive and proprietary information all in one inbox: photos, contracts, business plans, invoices, tax forms, reset passwords, and pay slips are just a few of the details which can be found in your users’ professional inboxes. By simply breaching their emails, a malicious hacker can get access to all these vital documents. So, when you look beyond the treasure trove of confidential information that is kept within your employees’ inboxes and consider the other ways data can be stolen, you can imagine the consequences are staggering. Keep reading to learn exactly how much your organization’s data can be worth, and how you can be better prepared for a breach.

Sit up and pay attention

Have you ever sat down and thought about how much the data within your organization is actually worth? First, let’s talk through some facts and figures. Did you know that a truly alarming 85 percent of organizations have suffered email data breaches in the last 12 months? Further, 67% of IT leaders reported an increase in data breaches due to remote work – with the risk being intensified for Microsoft 365 users.

The true value of stolen data

So, what is the motivation behind hackers these days? According to Verizon’s annual data breach report, 86% of all data breaches in 2020 were about money. On average, the cost of a data breach is $4.24M. Insider threats are more damaging, particularly if it’s a compromised account, careless employee misuse, or a malicious insider. The cost of such a data breach could be up to $8.76M.

After a hacker has successfully infiltrated a network and stolen personal data, they’ll often look to sell or even advertise that data on the dark web. No matter the size of your business, the hacker will do everything in their power to demand payment from any customer, whatever its size or business sector (charity, health care, or otherwise).

Let’s break down the true value of stolen personal data, item by item:

  • Credit card with PIN: $15-$35
  • Credit card details: $150-$240
  • Stolen online banking logins: $40-$120
  • Hacked email accounts (groups of 2,500+): $1-$15
  • Hacked social media account: $35-$80
  • Stolen identity: $0.10-$1.50
  • ID/passport scans or templates: $1-$35
  • Mobile phone online account: $15-$25
  • Full ID packages (name, address, phone, SSN, email, bank account): $30-$100
  • Medical notes and prescriptions: $15-$20
  • Hotel loyalty from reward program accounts with 100,000 points: $10-$20
  • Cloud service account: $5-$10

(Sources: Symantec, PrivacyAffairs.com)

Don’t let the numbers fool you: just because they may seem on the lower end of things, you have to consider the size of the data breach itself. Whether a network of hundreds or thousands was compromised, the cost of an attack skyrockets per individual. Hackers today have become more sophisticated than ever, and one user could be the stepping stone to the entire database they’re after. And ultimately, the payout can have a huge and harmful impact on the organization.

Microsoft takes security seriously

Microsoft takes Microsoft 365 security seriously and has made significant investments in service-level security. However, users can still perform either accidental or malicious high-risk actions within Microsoft 365 which can put your business at risk. Also, account credentials can be stolen through phishing scams and then used by third parties to get access to your data.

Email accounts are hacked by cyber criminals because they are often a weak link in an organization’s security pipeline. The diagram below, adapted from Krebs on Security, is a clear overview of the value of your corporate email account.

Overview of the value of a corporate email account, source: SoftwareOne

Think about it – when anyone signs up for an online service, the user must enter an email address, and whoever controls that email address can reset the password and take over the account, all without the immediate knowledge of the account’s owner. And that’s just one example. A data breach can happen quickly, and the zero-day attacks we’re seeing today give organizations absolutely no warning signs.

Take ransomware, for example. Ransomware is a form of malware that uses encryption to hold a user’s personal information for ransom. This leaves the user unable to access their files, applications, databases, and more because they are encrypted. From there, a ransom will be demanded in order to regain access. The effects of a ransomware attack can be astronomical. In fact, the average ransomware payment is currently estimated to be between $50 million and $70 million, with it costing an additional $1.85 million to remediate the attack.

And then there’s phishing – the fraudulent practice of sending emails pretending to be from reputable companies in order to coerce individuals to reveal personal information, such as credit card numbers, account numbers and passwords. All phishing emails have a link provided that, if clicked on, will either direct the user to a site that infects their PC with malware (such as ransomware) or direct them to a website asking for personal information.

How to stay safe from a data breach

A three-pronged approach is needed to keep your organization’s data safe. First, you must focus on security. Second, you should focus on backup. And third, make sure to focus on user awareness training, since humans can ultimately be the weakest link in security. If they are trained properly and educated on best practices, this could prevent some threats and mitigate risk.

Let’s talk further about the first two steps in this approach and what should go into them.

Security

An effective Microsoft 365 security strategy will begin with a Microsoft 365 Security and Cyber-Threat Assessment and provide you with a security configuration score. Next, it is strongly encouraged to move forward with Penetration Testing as well, which will help you discover and prioritize vulnerabilities. This is followed by a recommendation on best practices and guidance on successfully implementing M365 security features.

Such a strategy will need to cover:

  • Proactive threat reporting and monitoring of your Microsoft 365 environment
  • 24 / 7 reactive and proactive security support
  • Bi-monthly reporting with insights for improving your security standing
  • A plan for setting up, enhancing and maintaining threat detection, threat protection, and threat response capabilities
  • Identification of security and compliance gaps
  • Remediation guidance for effective risk mitigation

Addressing the security skills gap within your IT team will be the most necessary and pivotal step towards protecting your business inbox.

Backup

Should data loss or theft occur, you will want the peace of mind of knowing that you have preserved business continuity. When you consider that 75 percent of data loss is caused by user error, then you begin to understand why Microsoft recommends you have a third-party capability to back up your Microsoft 365 data (Source: IT Compliance Policy Group). In this case, consider a backup solution such as SoftwareOne’s BackupSimple powered by Metallic, which provides industry-leading data protection for organizations without all the heavy lifting.

Even though Microsoft hosts the M365 platform, they are not responsible for maintaining a backup of your business-critical data. With Microsoft 365, it’s your data – you control it – and it’s your responsibility to protect it.

An effective and secure backup solution for Microsoft 365 like BackupSimple powered by Metallic will do the following:

  • Protect your Microsoft 365 data from accidental deletion, security threats, and retention policy gaps
  • Quickly report individual Microsoft 365 items across Exchange, OneDrive and SharePoint
  • Drill down through backups by date or keyword search to quickly locate and recover
  • Back up all or specific groups of users
  • Ensure that data stays in your cloud environment and you have the control to restore when you need

A comprehensive M365 backup solution can give you peace of mind, should the unnecessary occur.

Know your worth and stay ahead of the game

Here at SoftwareOne, we feel strongly about empowering our customers with the expertise they need to protect themselves against a costly data breach. By taking the three-pronged approach mentioned above, you can better ensure your business will stay free of attack or, at least, lessen the impact of one. Your data is valuable to hackers and everyone within your organization must pitch in to learn the signs. Once you’ve implemented a secure backup strategy, you’ll be well on your way to enjoying the peace of security.


Digital Workplace Security

SoftwareOne Digital Workplace Security Services add security without contributing to your staffing overhead. We operate a dedicated security operations center (SOC) that tracks data vulnerabilities globally to prevent losses due to break-ins or employee errors.
