Data breaches

Here, NEBRC Ethical Hacker Setareh Ghazaani looks at the issues surrounding data breaches. Setareh, who holds an MSc Honours in Cyber Security from Sheffield Hallam University, joined the NEBRC for the opportunity to pursue her own areas of interest while expanding the knowledge and skillset required for the challenges of today’s cyber security world.

As reported on the UK Government website[1], in the past 12 months four out of ten companies and a quarter of charities have experienced cyber security breaches. As in previous years, the proportion is higher among medium-sized companies (65%) and large corporations (64%).

A data breach is the exposure of sensitive and private information to unauthorised individuals. This means the information can be accessed or altered without authorisation, which can lead to malicious activity. Every organisation should take security measures to prevent data breaches.

Here are some best practices to minimise the risk of a data breach:

  • Patch management: network devices and computer software should be kept updated so that they can resist known cyber-attacks. Devices and software that are no longer supported by the vendor should be upgraded to supported versions.

  • Encryption: data should be encrypted with strong encryption mechanisms, whether in transit or at rest. All connections should be established over secure channels.

  • Enforcing security policies: security policies covering strong passwords and multi-factor authentication, BYOD (Bring Your Own Device), incident handling and any other necessary controls should be enforced on all devices and systems.

  • Training: Cyberint reported that 95% of data breaches are caused by human error[2]. The only effective way to avoid social engineering attacks and other online security threats is to educate employees.

  • Providing up-to-date backups: the most frequently reported attack in 2021 was ransomware, and keeping backups in several separate locations is the ultimate safeguard against it.

However, even the most secure organisations can fall victim to cyber security attacks. GDPR Article 33[3] requires organisations to notify the Information Commissioner's Office within 72 hours of discovering a data breach. The ICO should also be notified of certain potential violations, particularly where they are serious and involve people's sensitive or identifiable data.

For further information about cyber security for your business contact a member of the NEBRC team at