Click to learn more about author Madhan Kanagavel.

The characters in this story are new, but the script is familiar: in July 2019, an alleged hacker breached Capital One’s virtual database, obtaining sensitive customer data for an estimated 100 million customers in the U.S. and an additional 6 million customers in Canada. Amid the arrest of the suspect, Capital One customers have been left questioning why their data was accessible in the first place.

Capital One isn’t alone. Behemoths like Equifax, Target and Yahoo are just a few of the big names on a seemingly endless list of companies hit by hackers. These security incidents come at a great cost; in the U.S., the average cost of a data breach hovers around $8.19 million when taking into account multiple factors such as legal expenses, customer turnover, employee productivity loss and the resulting impact on brand reputation. 

With such extreme consequences for companies and customers alike, the question begs to be asked: could these companies have prevented the respective data breaches? The answer carries very real consequences for how enterprises should prioritize data security in the future. 

Enforcing Good Data Hygiene 

Most data breaches begin with an internal vulnerability due to human error, and Capital One’s case appears to be no exception. The problem seems to have stemmed from an improperly configured firewall at Capital One and lackadaisical permissions set on S3 object storage, which allowed an outsider to break into data stored on remote third-party servers. 

Security gaps such as the above can usually be discovered through periodic penetration testing and security audits. Regular testing can check for weaknesses and counter the dangers inherent in a ‘set it and forget it’ mindset. 

The issue also sheds light on the importance of companies taking responsibility for their own side of the security apparatus; even when the underlying cloud storage servers are highly secure, that doesn’t exempt a company from the responsibility of properly configuring its own firewalls to the specifications of those servers. AWS’s shared responsibility model showcases an example that bridges the gap between providers and customers. 

The other major take-away from the spate of recent data breaches is the importance of managing internal threats resulting from a lack of employee precaution. Each time an employee saves corporate data onto a USB drive, sends an email with sensitive information to a personal email address, or uses a consumer cloud sharing application, they put companywide security at risk. Our recent annual enterprise cloud and security report found that 83 percent of system administrators believe employees to be the weakest link. Your data security is as good as your weakest link.