6.2 - Risks
2016 - Unit 2
Unauthorised Access to Data
As part of the security principle of confidentiality, data should only be viewed by individuals with the authorisation to do so. There are two main reasons why data may be viewed by someone who shouldn't - espionage and poor information management. Espionage is the act of collecting data so that it can be used against an organisation - such as a competitor acquiring information about their rival's product before it is launched publicly. If a company has poor information management strategies in place and data is insecurely stored or too many people have access to sensitive information then it is more likely to be viewed by unauthorised persons.
Data could also be accidentally shown to unauthorised people, such as leaving confidential files (either on paper or a USB stick) in a public place like a train - which has occurred in the UK several times in the past decade.
Not only would competitors benefit from unauthorised access, but the Data Protection Act (2018) would also be broken if personal data was accessed.
Accidental Loss of Data
Data loss refers to information being irretrievably lost - not just a copy of the file but the original version too so it cannot be accessed in any format. One reason for accidental data loss is equipment failure or a technical error that leads to data corruption, such as a database crash or hard drive failure.
Human error is another reason for accidental data loss as an employee might accidentally delete a file or discard an important paper document without realising.
If data is accidentally lost then it could mean that hours of data entry and collection will have been for nothing and might delay dependent processes such as analysis and trend recognition. Also, if it was personal data that was lost then the security principle of availability has been broken and the Data Protection Act (2018) has been breached.
Intentional Destruction of Data
This is the act of purposely damaging an organisation by deleting or denying access to data. Examples include viruses that corrupt data so that it can no longer be used and targeted malicious attacks such as DDOS (distributed denial of service) attacks or ransomware. Ransomware encrypts files so that they can only be accessed again when certain criteria have been met, usually the affected group having to pay an extortionate fee.
When data is intentionally deleted the organisation in question can respond by replacing the data and any infected computer systems / devices or by ignoring the loss and not making the breach public - but having to re-collect / re-analyse the data. Data destruction will usually lead to a loss of reputation as customers won't want to have their information stored in a system they see as unreliable and insufficiently protected. This loss of reputation could lead to customer loss and a decrease in profits. If the loss is ignored and unreported then it could result in a huge loss of trust when it is eventually revealed - like Yahoo who only confirmed a massive data breach that happened in 2013, two years later in 2016. This breach affected all 3,000,000,000 Yahoo accounts and is the largest data breach in the history of the internet.
The Data Protection Act (1998) will also have been broken if personal data has been deleted.
Intentional Tampering with Data
This is when data is changed and no longer accurate. This could occur through fraudulent activity such as hacking to change information displayed on a webpage. An example is if a student or a teacher changed exam answers for a better grade. A business example is if a company tampered with financial data to display larger profits and smaller losses than real figures, to boost investment or please stakeholders.
If data tampering is found out then it can result in a loss of reputation as that organisation cannot be trusted to report data accurately. If personal data has been altered then the security principle of integrity will have been broken as the data is no longer accurate. Data security methods and protection systems will also need to be reviewed if data has been tampered with, especially if it was an external individual that accessed and changed the data. Employees that tamper with data will be fired and may face legal action.
6.2 - Risks:
1. Describe two effects on an organisation for each of the four identified risks. 
2. Research at least one real-life example for each risk above and describe the consequences of that example, such as the Yahoo data breach.