Why Data Theft is a Growing Concern for Businesses
The cost of cybercrime continues to rise. Indeed, this year, total losses are expected to reach $10.5 trillion, according to figures from Statista. While expenses as a result of downtime can be significant, the biggest contributors to these costs relate to data loss – and in particular, the deliberate theft of data.
It’s long been said that digital information is the most valuable asset of any organization, so it follows that data theft is among the most dangerous threats facing firms today. Cybercriminals are well aware of this, and over the last few years, have made targeting this information their top priority.
Therefore, it’s vital that any cybersecurity strategy has specific policies and technologies in place to tackle data theft. These solutions should include a range of technology, from access controls to anti data exfiltration (ADX) software in order to provide complete protection for sensitive data.
What is Data Theft and How Does it Occur?
Data theft refers to the deliberate, unauthorized exfiltration of data from a business. This may be the result of hacking attacks by external actors or by employees within the business itself – known as malicious insiders.
Stolen data can be used for a wide range of purposes. For example, personally identifiable information (PII) such as names, addresses, financial details and Social Security numbers remain valuable to fraudsters. Indeed, in 2023, identity theft losses totaled $23 billion in the US alone – a 13 percent increase on the previous year.
Elsewhere, sensitive information such as trade secrets, future research and development plans or other intellectual property (IP) can be hugely useful to unscrupulous competitors or hostile nation states. For example, one study by Cybereason suggested that one Chinese-linked state actor has stolen trillions of dollars worth of sensitive IP from multinational firms in sectors such as defense, energy and pharmaceuticals.
However, for most companies, the biggest cybersecurity risk from data theft is stolen data being used for extortion. It is now a common tactic for cybercriminals to threaten the public release of information unless firms pay up. Known as double extortion ransomware, this is one of the most common types of cybercrime today. Indeed, our research suggests that more than nine out of ten ransomware attacks seek to exfiltrate data for this purpose.
Key Causes of Data Theft
Regardless of the type of attack, it will usually be necessary for bad actors to first gain unauthorized access to information in order to copy and exfiltrate it. This is often made easier by poor security practices that allow these individuals to move freely and undetected within networks to find the most valuable data.
The most common issues that can help any individual attempting to steal data include the following:
- Poor password management: Weak, easily guessed or repeated passwords are the easiest way for criminal actors to gain access to sensitive information. For example, businesses may be especially vulnerable if employees use the same passwords across personal and corporate accounts. This may mean that a data breach elsewhere in which login credentials are compromised can also be used to attack their employer.
- Lack of multifactor authentication: Multifactor authentication (MFA) is an essential backup to strong passwords. This ensures that even if primary login details are lost as part of an external data breach or phishing attack, hackers will still be unable to access databases. MFA linked to a user’s mobile device is common, but a physical token or dongle users have on their person is the most secure solution.
- Outdated software: Unpatched software is a challenge that affects many businesses and can leave them open to a range of threats. In fact, one study suggests 84 percent of companies have high-risk vulnerabilities on their networks – half of which could be removed with a simple update.
- Careless employee behavior: As well as poor password management, a common way for hackers to get hold of login details to access businesses’ data is simply for careless employees to hand them over. Phishing attacks that convince people to enter usernames and passwords into fake websites, for example, are one of the most common ways for credentials to be compromised. However, in some cases, hackers have succeeded in getting employees to send sensitive data directly to them – often by pretending to be senior executives.
How Data Theft Impacts Businesses
The consequences of data theft can be wide-ranging and severe. Overall, the typical cost of a data breach in 2024 reached $4.88 million – the highest figure on record. However, monetary losses are not the only result. The impact can generally be split into the following categories:
- Financial losses: Direct expenses as a result of data theft typically include – but are not limited to – lost business, immediate mitigation and recovery, investigations, system hardening, compensation to affected users and legal expenses.
- Reputational damage: In the long term, data theft incidents can greatly impact a firm’s reputation and make potential customers think twice about using a business. This is especially the case if consumer PII has been stolen. However, in addition to this, the exposure of any potentially embarrassing internal data such as emails can also harm how an organization is seen.
- Legal and regulatory consequences: Finally, there may be a range of legal and compliance issues to contend with. This begins with direct costs such as fines from regulators or settling class-action lawsuits. However, data theft incidents may also make it harder for firms to comply with essential industry data privacy regulations, especially in industries such as healthcare or financial services. For example, a data theft could make a firm non-compliant with HIPAA or PCI-DSS regulations, which may affect its ability to do business.
How to Detect Data Theft
Once data has been successfully exfiltrated from a business, it will be too late to react. Therefore, good data theft prevention must focus on detecting unusual activity early, shutting down any attempted transfer of information before it can be completed.
Some of the key behaviors and activity patterns that can be telltale signs of data theft in progress include:
- Repeated attempts to access databases with different credentials
- Logins from unusual locations or outside working hours
- Accounts attempting to access data they do not have privileges for
- Unexpected changes to databases or information
- Spikes in network traffic, especially when leaving the network
- Transfers to unrecognized destinations
These red flags are much easier to spot with the right technology, such as advanced network monitoring tools and educated endpoint protections that can monitor every transfer leaving a business.
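As an added illustration (not code from the original article or from any vendor product), the sketch below checks four of the signs listed above against a handful of constructed log records: many different credentials tried from one host, a login outside working hours, an outbound traffic spike, and a transfer to an unrecognized destination. The record layout, host names, destinations and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real logs). Field layout is an assumption.
AUTH = [  # (timestamp, source host, account, login succeeded)
    ("2025-01-14T09:12:00", "ws-17", "alice", True),
    ("2025-01-15T02:41:00", "ws-22", "svc_report", False),
    ("2025-01-15T02:41:20", "ws-22", "dbadmin", False),
    ("2025-01-15T02:41:45", "ws-22", "backup", False),
    ("2025-01-15T02:43:10", "ws-22", "bob", True),
]
EGRESS = [  # (timestamp, source host, destination, bytes sent out)
    ("2025-01-13T10:00:00", "ws-22", "mail.example.com", 2_000_000),
    ("2025-01-14T10:00:00", "ws-22", "mail.example.com", 3_000_000),
    ("2025-01-14T15:00:00", "ws-22", "crm.example.com", 2_500_000),
    ("2025-01-15T02:50:00", "ws-22", "files.unknown.example", 900_000_000),
    ("2025-01-15T11:00:00", "ws-17", "crm.example.com", 1_500_000),
]
KNOWN_DESTINATIONS = {"mail.example.com", "crm.example.com"}
WORK_HOURS = range(7, 20)   # 07:00-19:59 local time (assumed policy)
MAX_FAILED_ACCOUNTS = 3     # distinct accounts failing from one host
SPIKE_FACTOR = 10           # multiple of the host's median transfer size

def detect(auth, egress):
    """Return a sorted list of (host, finding) pairs for the signs above."""
    findings = set()
    failed = defaultdict(set)
    for ts, host, account, ok in auth:
        if not ok:
            failed[host].add(account)
            if len(failed[host]) >= MAX_FAILED_ACCOUNTS:
                findings.add((host, "many-credentials"))
        elif datetime.fromisoformat(ts).hour not in WORK_HOURS:
            findings.add((host, "off-hours-login"))
    sizes = defaultdict(list)
    for _, host, _, sent in egress:
        sizes[host].append(sent)
    for _, host, dest, sent in egress:
        if dest not in KNOWN_DESTINATIONS:
            findings.add((host, "unrecognized-destination"))
        # Need a few samples before a median is a meaningful baseline.
        if len(sizes[host]) >= 3 and sent > SPIKE_FACTOR * median(sizes[host]):
            findings.add((host, "egress-spike"))
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in detect(AUTH, EGRESS):
        print(f"{host}: {finding}")
```

Any one of these findings alone is often benign; the value comes from several landing on the same host within a short window, as they do for `ws-22` in the sample data.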
Best Practices and Technology to Prevent Data Theft
Taking proactive steps to address vulnerabilities involves having the best technology and the right policies in place. For instance, to guard against issues such as poor password practices and phishing, a comprehensive employee education and training program is a must. This should clearly set out the firm’s expectations for its users, as well as teaching them what red flags to look for in order to spot potential malicious activity.
To guard against malicious insider threats, it’s important to ensure that employees only have access to the information required to do their jobs. While this may not prevent users with privileged accounts, such as IT leaders, from accessing sensitive data, it does make it harder for the majority of employees to access information. Comprehensive monitoring can also help spot any unusual activity relating to data users are permitted to view, such as repeated copying of files.
On the technology side, a range of software solutions will be important in building up a holistic defense system and preventing cyberattacks. These include newer technologies that go beyond perimeter defense to ensure that, even if systems are accessed, suspicious activities within the network are identified in real time and shut down.
Some key technologies that must be considered when protecting sensitive information include:
- Email security
- Identity and access management tools
- Endpoint protection solutions
- Patch management software
- Encryption
- Anti data exfiltration (ADX)
Ensuring Legal and Compliance Requirements for Data
The final point to remember is that a strong protection strategy that guards against data theft is a key part of adhering to a range of legal regulations and data security compliance rules. The most pertinent here will be GDPR for firms doing business in the EU and the CCPA for those in the US, although industry-specific rules like HIPAA will also be relevant to some firms.
These rules are all designed to protect the personal information of consumers and are rigorously enforced. While their remit is wider than just theft – also covering any inappropriate or unauthorized sharing and use of data – firms that do let their information fall into the wrong hands can expect hefty penalties.
For example, in 2020, British Airways was initially fined £183 million ($225 million) under GDPR rules after hackers were able to access its online payments system and steal the data of around 400,000 customers. Although this was later reduced to £20 million due to the COVID-19 pandemic, it illustrates the potential consequences of non-compliance. Taking the right steps to protect data from hackers, from employee training to ADX software, is therefore essential to stay on the right side of the law, no matter where firms are based.