5 minute read | January 5th, 2020

Cyber Attack or Data Breach?

What is a Security Incident?

It depends. During a Security Incident there is often confusion, perhaps intentionally, about the difference between a Cyber Attack and a Data Breach. I believe precisely defining these terms is important because the consequences and resulting actions are different.

What is a Cyber Attack?

The effect of a Cyber Attack is an organisation being no longer able to operate as before.

A Cyber Attack includes the results from actions that deny, disrupt, degrade, or destroy a computer system. Thus, it is clearly possible to recover from a Cyber Attack and return to business.

What is a Data Breach?

A Data Breach is the unauthorised release of controlled information.

The effect of a Data Breach almost always results in a loss of stakeholder confidence. However, where regulatory compliance is broken, the result may also include, formal investigation, statutory fines and legal action. It is hard to recover from a Data Breach and significant effort will be required to regain trust from stakeholders.

It is very possible to have a Cyber Attack and a Data Breach within the same Security Incident.

A cyber security incident doesn't necessarily mean that a data breach has occurred

Cyber Security Incidents

A Cyber Security Incident most often refers to information systems that are being or have been threatened. Whilst a Cyber Security Incident usually refers to something bad, it doesn’t necessarily mean that a breach has occurred. 

An organisation that successfully deflects a cyber attack has experienced a Cyber Security Incident but not a Data Breach.

Security Incident Examples

  • Ransomware is a Cyber Attack: Data is usually encrypted preventing access and the organisation is no longer able to operate as before.
  • Emailing sensitive information to the wrong person is a Data Breach.
  • Emailing all your contacts in the ‘To:’ address may be a Data Breech.
  • Losing a laptop with encrypted storage is a Security Incident. Whilst encryption remains effective, confidentiality remains intact, this is not a Data Breach but is still classed as a Security Incident.

Cyber Security Thresholds

I find it useful to use a threshold for Cyber Security Incidents. Whilst network scanning, email spam, and phishing attempts are certainly annoying, their impact can be mitigated to remain well below the threshold. In many organisations this level of activity is ignored, remains undetected and is therefore unknown.

Many attempts are stopped or end before the threshold is reached and before a deny, disrupt, degrade, or destroy event occurs.

Whilst network scans, spam and phishing campaigns often have little impact, these activities should be classed as ‘active preparation’. It is a mistake to refer to activity like this as a Cyber Attack as this noise will conceal the announcement of a genuine attack. 

Dealing with a Cyber Security Incident

  • Advance preparation is always cheaper.
  • It is either a Data Breach or it’s not.
  • Unless an investigation is underway or has been concluded, avoid the term ‘Cyber Security Incident.
  • Following investigation, and where no data has been compromised, the term ‘Cyber Security Incident without data being breached’ is correct.
  • Where data may have been compromised, determine the extent, inform the affected parties and where necessary the regulator. The term ‘Cyber Security Incident resulting in data being breached’ is appropriate.

Final thoughts Cyber Security Incidents

The most clear and present threat to any organisation is Cyber Security. I hear about new ‘active preparation’ activities several times a day, new Data Breach events several times a week. However, I only hear about office flooding and building fires a few times a year.

Many organisations practice their fire evacuation policy and check sheets routinely. I wonder how many of them have no policy, offer no training and make no preparations towards their cyber risks?


Why choose to work with Sytec?

  • We focus on reducing risk
  • Our work and checks are separated independent processes
  • We consider compliance and security checks as the default
  • You will know which engineer has access and when they took action
  • You will have phone, email and face to face access to security certified engineers

About Sytec

Sytec provides IT networking, security, audit, consulting, and support services to a broad range of businesses. Based in Salisbury, engineers are available to respond on a same day basis to ad-hoc or emergency requests, and within minutes for customers with a prepaid pool of consultative support.
We enjoy representing many other IT companies who require responsive field engineers, sytec.co.uk/subcontract for more about our coverage and response.