With the advent of the Internet, the risks of cyber intrusion have increased beyond our wildest imaginations. Cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015 which represents the largest transfer of economic wealth in history, reports Cybersecurity Ventures. The bad guys now outnumber the good guys, and their skills are equal to or better than ours. Our private data is coveted by cybercriminals, hackers and even foreign governments. Our information has tremendous value, and we need to all realize this and act accordingly.
How is a data breach commonly defined? A data breach is an occurrence where information is pilfered from a system without the knowledge or authorization of the system’s owner. Data thieves are equal opportunity exploiters which tamper with small, medium and large organizations. Stolen data may include confidential company information such as business plans, product specifications, trade secrets, etc., or credit card numbers and personal customer data including Social Security numbers and birth dates. Settling a vendetta can also be the reason a data breach occurs as well as acquiring employee data to enhance a competitor’s recruiting efforts. Whatever reason the cybercriminal has in accessing private data, the result is not only a major negative economic impact, but a significant tarnish to a company’s brand image.
Where Hackers Gain Access to Company Data
Hacked and breached data is no longer accessed solely from servers, but increasingly also from sources common in the home and workplace including mobile phone and Internet of Things (IoT) devices such as Google Home and Amazon Echo. Mobile devices have become much more of a target because of the wealth of information they hold and due to the blending of personal and business information. It is also increasingly common for cybercriminals to access consumer data through the IoT devices in place at large companies. It is a difficult task for the IT team to monitor, install updates, and check for viruses on potentially thousands of IoT devices that may be in place at a large company. By accessing a single webcam, a cybercriminal can infiltrate an entire network and steal consumer data. It is important to assess the number of IoT devices at your company and ensure that they are not all connected to a single network.
What’s a company to do in the face of unprecedented hacking threats to corporate and personal information? Companies today must optimize the values of the Internet in storing and transferring very sensitive data which is often not well protected. The cybersecurity landscape is continually evolving with security measures that may work today but could become obsolete by the next day. Hence, for businesses to reduce the risk of a data security breach, they need to be continually vigilant about every type of cyber threat that exists, both new and old. Cybersecurity is no longer a technology problem; it is a business risk that must be addressed throughout the enterprise.
Educating Employees About Data Protection
Employers have an obligation to ensure that all employees are well-informed as it relates to risk. Staff is the front line of defense when it comes to security and every single employee is a candidate for security awareness training. Phishing is the leading security concern of most companies. Implementing anti-phishing campaigns for all employees and consultants, not just the ones who fell for the click-bait, is essential. Links containing malware and phishing continue to be the easiest way cybercriminals find their targets. Patching must not be optional.
Also, increasingly on the rise, is spear phishing, which is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. The email may look like it came from American Express or Commerce Bank, for example, but its true origin is likely an offshore scammer. Spear phishers look to social media tools like LinkedIn and Facebook to learn more about an individual’s interests and habits. For example, Sally Smith posts lots of photos of her cat on Facebook and her spear phisher plays upon her love of felines with a targeted email that fools Sally into believing that she is receiving some new cat photos, but she has, instead, hit a hyperlink that led to a zip-file of malware being downloaded to her computer.
Employees who use social media for personal reasons make a choice. When they cross the line and include information about their employer, their job, organizational structure, the nature of their business, etc., they can empower the cybercriminal with the tools they need to target them and their employer through spoofing, spear phishing and possibly other ways.
A smart move to implement for a company’s email program is to classify all email received from outside of the organization with an identifier such as a red banner that relays that the email is from outside of the network, so open with caution.
To ensure data integrity, companies need to create new standards for their computer systems with employees authorized for select applications based on their job level. If that employee needs other applications, they go to the company’s IT department and ask for them. With firewalls in place, no employee should ever be able to download freeware or shareware software.
The policy for mobile phone apps requires more rigidity. As humans, we tend to overload our mobile phone with dozens of apps. It’s important that all apps be vetted by the company’s IT department to ensure that no one is letting in a cybercriminal from the mobile back door. It is important to ensure that all employees’ mobile technology, often connected wirelessly, is as secure as possible. Most Wi-Fi hotspots aren't encrypted, making it easy for anyone within range to usurp the data sent and received from the Internet on a mobile device. An encrypted connection is vital whether an employee is using a laptop on a hotspot or home computers on their own wireless router.
Ensuring Data Stays Private
What are the primary steps a company should take to ensure their data remains private? Conducting a comprehensive inventory is vital with the identification/location of all key assets including Personally Identifiable Information (PII). Review how the assets are stored, who has access and why, how it is transmitted and whether it is encrypted. Purge what is not essential.
Companies should consider establishing their own privacy policy with data privacy as a key area of focus. In the European Union (EU), General Data Protection Regulation (GDPR) reshapes the way data is handled across every business sector and applies to any company that does business in the EU. Other countries have their own data privacy laws. Today, a handful of states have enacted data privacy legislation, but it is likely that the United States will pass federal requirements around privacy rather than allow each state to create their own.
Steps to Follow Post Breach
Comprehensively assess the incident. Consider the who, how and what. Determine exactly what information was lost in the data breach. Was it less sensitive easy-to-access information like street addresses or more sensitive information such bank card account numbers, confidential company reports?
If it truly is a breach, assemble a team of experts to conduct a comprehensive breach response. Depending on the size and scope of your company, the team may include management, forensics, legal, information security, information technology, operations, human resources and communications.
Focus on containment, preservation of data/evidence, remediation, notifications, and securing the help that your company will need. The Federal Trade Commission’s Data Breach Response: A Guide for Business addresses all of the steps to take once a breach has occurred including the importance of notifying law enforcement and affected parties.
Companies and individuals must protect their data as they would their physical assets. Spend a little extra on digital security software. Monitor your systems for vulnerabilities, scan and update often, implement firewall protection, change passwords often and never repeat them, and purge legacy systems. By actively promoting good cyber hygiene practices, servers, personal computers, mobile phone and IoT devices’ data will be better protected and outside attacks will be thwarted.
About the author: Stevan (Steve) Bernard, CFE, is a security technology consultant for Allied Universal, the largest provider of security services in North America. Steve led Sony Pictures global protection services with responsibility for the CSO/CISO function, investigations and forensics, physical security, BCP, environment, medical, major events and protection, employee health and safety. Prior to this he worked in high-tech, energy and law-enforcement. His tour in the U.S. Army included a year in Vietnam where he was awarded the Bronze Star. He is a Certified Fraud Examiner, has a BS degree in Criminal Justice, an AA degree in Psychology and is a graduate of the FBI National Academy.
