03/13/2020

How to Keep Your Company (and Customer) Data Secure

In an age where even high-profile companies fall victim to data security breaches, keeping your company and customer data secure is a perpetually growing concern for businesses of any size. The ever-heightening apprehension is justified, considering that cyberattacks are only continuing to rise and financial impacts are being felt by companies for years to follow.

The cost of cybercrime is expected to reach $6 trillion a year by 2021. It’s likely that big increases in breached data will stem from the advancing technologies that are common in the workplace. The importance of preparing for a cybersecurity breach has never been greater.

Are You Prepared for Data Breach?

The average cost of a data breach is $3.9 million.
The most expensive component of a cyber-attack is information loss at $5.9 million.
The average size of a data breach is 25,575 records.
82% of companies report a shortage of cybersecurity skills.

What Can You Do to Improve Your Data Security?

Be proactive. Learning the basics of securing your company data is a good start in preventing a seemingly inevitable security breach. Don’t wait until you experience a harmful cyberattack to better your data security practices.

1. Redundant Cloud-Based Backup Strategies

Protecting your information with a complete data protection plan is crucial. This really should already be a main part of your cybersecurity strategy. If you don’t have a sophisticated cloud storage backup location for your data, the time to organize one is now.

Brave River’s Data Backup & Protection clients receive advanced backups to the cloud and backups of the cloud. This adds a layer of redundancy by ensuring that files are backed up on multiple storage devices. These protections prove to be invaluable when disasters like ransomware attacks, natural disasters, crashed hard drives, and accidental deletions don’t mean the end of your digital files.

2. Password Strength & Two-Factor Authentication

A supposedly elementary component of cybersecurity, weak password practices remain a primary factor in data security breaches. According to the Verizon Data Breach Investigations Report, 80% of data breaches are caused by compromised, weak, and reused passwords.

The report compares accounts to doorways, stating “static credentials are the keys, password managers and two-factor authentication are the stool pins in the lock. Don’t forget to audit where all your doors are. It doesn’t help to put XO-0’s (a high security combination lock) on most of your entrances if you’ve got one in the back rocking a screen door.”

Some important requirements for company account passwords:

Uppercase & lowercase characters, numbers, and symbols.
Minimum of 8 characters.
Does not contain personal information.
Change at least every 90 days and do not repeat.
Two-factor authentication.

Requiring two or more authentication factors is one of the best ways to ensure that stolen credentials can’t be used to gain access to email accounts and corporate networks. Even so, only 57% of businesses in 2019 utilized multi-factor authentication.

3. Employee Cyber Literacy

Investing in the cyber literacy of your employees will save you some incredible future headaches, considering that 90% of cybersecurity issues originate from human error. Social engineering attacks are a common method used by cybercriminals to exploit employees into divulging enough sensitive information to infiltrate a company’s network.

With these types of threats, attackers disguise themselves as contacts like coworkers and even CEOs to request sensitive information. To unassuming employees, these requests seem legitimate and are often fulfilled. If not entirely, the attacker can at least gain more information to use in their future attacks.

Social engineering attacks are becoming increasingly common since threat mitigation tools and firewalls are powerless in detecting them.

Some types of social engineering attacks include:

Phishing attacks – using email to solicit personal information by posing as a legitimate person or organization.
Vishing attacks – leverages voice communication and can be combined with other attacks to entice a victim to call a number to divulge information.
Smishing attacks – exploits text messages by sending links that when clicked automatically opens a browser window, email message, or dial a number.

Advanced security systems like Barracuda Essentials are constantly studying new threats and feeding new intelligence into filtering technologies. Systems like these can add to your layers of defense.

Social engineering isn’t the only way your staff can compromise your cybersecurity. Employees can put your network at risk in several ways, from clicking on a bad link, to plugging in an infected thumb drive.

In a 2016 experiment, CompTIA scattered 200 thumb drives throughout Chicago, San Francisco, Washington D.C., and Cleveland to see how many people would use a random USB stick they found on the street. And the results might surprise you.

Roughly 20% of the people who found the drives plugged them into a computer and opened the file that was stored on it. Some of the people guilty of falling for the trap were even techies from the Silicon Valley area.

4. Cybersecurity Assessments

An analysis of the current state of your IT security practices will reveal unexpected weaknesses and vulnerabilities. These cybersecurity assessments look at your processes, staffing, and IT governance to gain an understanding of your current security status and needs.

In addition to a network evaluation, actionable and prioritized recommendations should be provided. These evaluations and recommendations help you to mitigate any and all identified security risks, so you’re equipped to address them before they’re exploited.

If It Can Happen to Them, It Can Happen to You

Yahoo

Yahoo logo

Yahoo has an infamous history of major security breaches – the worst of which being the exploitation of 3 billion user accounts. Identity theft was a main concern after the company disclosed that security questions and answers may have been compromised.

All users were forced to change passwords and reenter any unencrypted security questions and answers to make them encrypted in the future. It’s speculated that the compromise was carried out using forged cookies to gain access to user accounts without the need for a password.

First American Financial Corporation

First American Financial Corporation logo

885 million users’ data spanning over 16 years were reportedly leaked in May 2019. Bank account records, social security numbers, wire transactions, and mortgage paperwork were among the sensitive personal data involved in the breach.

According to Dave Farrow, the Senior Director of Information Security at Barracuda, the breach was caused by Insecure Direct Object Reference. IDOR allows the unauthorized access to resources by letting attackers modify the value of a parameter used to direct to a sensitive link. Farrow simplifies this by saying, “The hacker has simply identified an authorization error in the website and walked through the front door.”

Verifications.io

Verifications.io logo

Email addresses verification platform verifications.io revealed in February 2019 that 763 million unique email addresses were exposed. Many records also included name, phone numbers, IP addresses, dates of birth, and genders.

The breach was discovered by security researcher Bob Diachenko, who uncovered the non-password protected 150 GB-sized MongoDB instance. He states, “This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number of emails that were publicly accessible for anyone with an internet connection.

Marriott

Marriott logo

Marriott set a record-setting data breach when they announced that hackers accessed over 383 million guest records. Some of these records consisted of passport numbers and credit card information. The breach dwarfed the amount of people affected by the infamous Equifax breach that impacted 147.7 million Americans.

What to Do After a Data Breach

There are certain steps to take if you do encounter the worst-case scenario of a data breach. The Federal Trade Commission outlines a detailed guide for businesses that experience this, which is worth a read in its entirety. To summarize some of its key points:

Secure Your Operations

Prevent any further data loss by assembling an expert team to conduct a breach response. This likely includes forensics, legal, information security, IT, operations, HR, communications, investor relations, and management.
Forensics teams will outline the details of the breach by capturing forensic images of affected systems, analyze evidence, and outline remediations steps.
Consult with legal counsel with data security expertise.
Take all the affected equipment offline immediately, but don’t turn off machines until forensic experts arrive.
If possible (and with a good data backup plan, it should be) replace affected machines with clean ones.
All authorized users should change their credentials.
If any personal information was posted on your website, remove it. Be aware that search engines store, or cache, information for a period. Contact them to ensure they don’t archive any information posted in error.
Document everything and do not destroy evidence during your investigation and remediation.

Fix Vulnerabilities

You likely segmented your network so that a breach on one server/site can’t lead to a breach on another. Work with your forensic team to determine whether your segmentation plan was effective.
Review logs to determine who had access at the time of the breach. See who current has access, whether it’s needed, and restrict if it’s not.
Verify the types of information compromised, the number of people affected, and gather contact information.
When you receive forensic reports, take the recommended steps as soon as possible.
Have a communication plan for all audiences – employees, customers, investors, business partners, and other stakeholders.
Don’t make misleading statements and don’t withhold details that could help customers protect themselves.
Don’t publicly share information that might put consumers at further risk.
Public common questions with clear answers on your site where they’re easy to find.

Notify Appropriate Parties

Determine your legal requirements.
Most states require the notification of security breaches involving personal information.
There may be other laws specific to your situation (electronic health information, etc.)
Notify law enforcement immediately and report the potential risk of identity theft.

Notify Affected Businesses

If the breach involved access information (credit card numbers, etc.) notify the company so they can monitor the accounts.
If names and Social Security numbers were stolen, contact credit bureaus. Advise whether you recommend that people request fraud alerts and credit freezes.

Notify Individuals

Notify people that their information has been compromised as soon as possible so they have the opportunity to take precautionary steps to limit damage.
Consult with law enforcement about the notification process so it doesn’t hinder an ongoing investigation.
Consider offering support such as free credit monitoring.
Provide people with accurate contact information and outline what steps they can take given the type of information exposed. Identitytheft.gov is a good resource to provide and an appropriate place to file complaints.

There will always be threats that target company and customer data and techniques used by cybercriminals will only continue to advance.

Companies do have the power to prevent hacking and data security breaches by taking proactive measures and implementing policies that protect sensitive information.

The best protection against a security breach is a strong defense. Which today, is absolutely possible and an unquestionable necessity.