How to protect your business against data breaches
According to the Crime Survey for England and Wales published this October by the UK’s Office for National Statistics (ONS), the official crime rate all but doubled in the year ending June 2016 after the inclusion of online crime figures for the very first time. In fact, card fraud was cited as the most common crime in the UK. John Flatley, head of crime statistics and analysis at the ONS, stated that members of the public are now 20 times more likely to be a victim of fraud than of robbery.
The Numbers Are Soaring!
The value of financial fraud alone in the first six months of 2016 increased by 25 percent on the previous year’s figures to £399.5 million. On top of this, the ONS states that banks failed to report more than two million additional fraud incidents to police, distorting the report and making it almost impossible to determine a realistic picture of how far-reaching and damaging the recent breaches have been. To add to this dismal picture, limited resources mean that police investigate fewer than one in 100 cases of cyber fraud.
With data breaches occurring on an almost industrial scale, it seems that criminals are gaining ground on, or even overtaking, the forces of law and order. So here are the top four vulnerabilities that you need to address to avoid becoming the victim of a headline-grabbing data breach.
1. Insider Theft
Fraud by employees is all too common. In a report this year by Accenture and HfS Research, 69 percent of enterprise security executives reported that they had experienced an attempted theft or corruption of data by insiders during the last 12 months. According to the US Association of Certified Fraud Examiners (ACFE), a typical organization loses five percent of its annual revenue to insider fraud.
What’s more, the UK’s HR trade organization, the CIPD, has warned that contact centers are particularly at risk, as they frequently employ staff who are likely to be on a relatively low wage and who potentially view their job as a short-term prospect. This can make them susceptible to the temptation of supplementing their often-low salaries with fraudulent earnings.
2. Website Vulnerabilities
A never-ending race is in progress between security professionals and fraudsters when it comes to securing websites. Hackers are constantly finding new ways to break in, while security companies are running fast to be ready with the next new line of defense to keep them out.
Even the world’s biggest brands aren’t immune: Yahoo only recently announced that more than one billion user accounts may have been hacked in 2013, in what is now one of the biggest data breaches in history. And this is separate to the company’s previous breach in 2014, which saw hackers steal information related to at least 500 million user accounts. The cyber-criminals stole a range of sensitive data including names, email addresses, phone numbers, encrypted or unencrypted security questions and answers, dates of birth and encrypted passwords. The severity of the breach is very much reflected in the 23 lawsuits that have been filed against the company so far.
3. Identity Theft
If criminals manage to lay their hands on documents that confirm a victim’s identity, such as credit card numbers, passport numbers and even email addresses, they are in a strong position to do a great deal of damage. By mimicking someone’s identity, a fraudster may open new credit cards, order goods online and even raid bank accounts, something that is extremely difficult for the victim to combat. According to the Times, almost five million people in the UK had to cancel their bank cards last year through fear of theft.
People are still one of the weakest links in the security chain. “Phishing”, the art of tricking information out of unsuspecting individuals, and “spear phishing”, the highly targeted version of the same tactic, have proved effective for criminals. One such example is Snapchat, which fell victim to a phishing scam when an employee was tricked into emailing hackers with staff members’ private data. The thieves simply mocked up an email address in the name of Evan Spiegel, Snapchat’s CEO, and requested that personal details such as names, social security numbers and payroll data be emailed over. The unfortunate employee sent the data requested.
Employees are also targeted by cyber-criminals with the simple aim of getting an individual to click a link within an email. This small act can see hackers infiltrate the business IT network to steal data, or install ransomware to extort money from the company.
Be Prepared Using Some Simple Steps
While the task of securing a company’s IT systems is by no means easy, there are a few simple recommendations that can certainly help as a first line of defence.
1. Make Sure Software Is Up to Date
It may seem like this should be in the idiot’s guide to data security, but keeping software updated is an often-neglected task. Ensuring the latest version of a program is installed will mean it comes with the latest security features and will have any new vulnerabilities patched.
2. Set Strict IT Account Boundaries
By setting accounts to basic “user” rather than “administrator” rights, IT teams can limit the impact of phishing attacks and stop attackers gaining control over high-level network privileges. If a dangerous link is clicked from a “user” account, the exploit will result in far less damage.
3. Make Use Of a Password Vault
Passwords are the foundation upon which most data security is based. Yet people continue to use weak combinations that leave themselves, and the companies they work for, at risk. Implementing a password vault will mean that you can create individual login details for each website, and that the passwords can be long and complex, without you needing to remember them off the top of your head every time!
4. Educate Staff
Employees need to be on the lookout for any potential data security threats, such as unusual or suspicious emails. To be properly prepared requires regular awareness training, so staff can know and understand the current threat landscape, and the different methods used by cybercriminals. Most importantly, don’t just make training a once-a-year “tick box” exercise. It must be strategic and ongoing to truly make a difference.
5. Review the Way You Handle Data
If the business is storing huge reams of sensitive data, it is crucial to evaluate the best way to tokenise or encrypt this information, to keep it out of the hands of cybercriminals. Ideally, businesses should be removing as much data from internal IT systems as possible. After all, if it isn’t stored, there’s nothing there to steal in the first place, which essentially makes your network worthless to any cybercriminals out there!
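As an added illustration of the tokenise-and-minimise advice above (example code written for this article's point, not Semafone's product or anything from the original page): a hypothetical vault hands the application a random token in place of each card number, so a copy of the application database contains nothing a fraudster can use. The class and function names and the sample card numbers are constructed for this example.

```python
import hmac
import hashlib
import secrets


class TokenVault:
    """Maps card numbers (PANs) to random tokens. In a real deployment this
    store lives in a separate, tightly restricted segment; the business
    application only ever sees the tokens it hands out."""

    def __init__(self, fingerprint_key: bytes):
        # Keyed fingerprint lets the same card map to the same token
        # without the vault indexing on the raw PAN.
        self._key = fingerprint_key
        self._pan_by_token = {}
        self._token_by_fingerprint = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        fp = self._fingerprint(pan)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            # Random token: carries no information about the PAN at all.
            token = "tok_" + secrets.token_hex(12)
            self._token_by_fingerprint[fp] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault, behind its own access controls, can reverse a token.
        return self._pan_by_token[token]


def store_customer(app_db: list, vault: TokenVault, name: str, pan: str) -> dict:
    """What the application keeps: a token plus the last four digits, which is
    enough for receipts and support queries but useless for fraud."""
    record = {"name": name, "card_token": vault.tokenize(pan), "last4": pan[-4:]}
    app_db.append(record)
    return record


def pan_exposed(app_db: list, pan: str) -> bool:
    """Simulates an attacker dumping the application database: is the full
    card number recoverable from any stored field?"""
    return any(pan in str(value) for rec in app_db for value in rec.values())
```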
6. Check For Security Cracks in Your Walls
If you don’t know your vulnerabilities, how can you begin to protect against their exploitation? This is where penetration testing comes into play. By investigating your perimeter and scanning your internal network, you can find and then close any holes before the cybercriminal has a chance to enter the system. In reality, your website and external IPs are likely being probed 24/7 by hackers looking for an easy entry point. Undertaking penetration testing will mean you can find these vulnerabilities before the criminals do.
The Responsibility Lies With You
Data security is the responsibility of any company that handles and collects consumer information. And this has never been so publicly acknowledged as through the introduction of the new EU General Data Protection Regulation (GDPR). The regulation is clearly aimed at getting organizations to take the threat of cyber fraud seriously, by making them accountable for maintaining watertight IT systems. Should your company suffer a breach, it will face fines of €20 million or four percent of global turnover, whichever is higher. That is an extremely convincing incentive for you to look closely at not only how your organization stores sensitive data, but why it does so in the first place. If a compelling business case can’t be made for holding onto data, get rid of it. After all, if it’s not stored, it can’t be stolen in the first place.
By Tim Critchley, CEO, Semafone.
Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.