The biggest breach of 2017 was arguably the attack that exposed more than 145 million Equifax customers and resulted in the theft of SSNs, birth date information, and other valuable data.
The breach will cost the company hundreds of millions, and the impact on consumers could be even greater once the costs of credit protection and identity theft are counted. Such a breach can erode customers’ trust in a brand, especially one such as Equifax that is assumed to have bulletproof security given the types of data it manages.
In hindsight, there are several ways businesses can improve their data security efforts to make 2018 a year for growth and happy customers, instead of brand damage control. Here’s how:
Train Employees on Data Protection
Despite the depiction of hackers as ultra-sophisticated teams working hard to crack firewalls and other countermeasures, many of them get into systems with low-tech means. They often go through employees, who unwittingly provide them with access to login information, which is all a hacker needs to dive into a company’s data.
A common scheme is a phishing attack, where a hacker sends out a message that looks like legitimate communication. The email will appear to come from the target’s own company (the sender might impersonate a high-level employee) or from a vendor or partner company. For example, a corporate accountant might receive a phishing email from someone who claims to work at the firm’s bank. The recipient is urged to open a landing page, which might then ask them to provide information.
These websites often contain malware such as keyloggers, which capture keystrokes and can quickly identify when username / password combinations are entered. Employees should be consistently trained on the dangers of phishing schemes and on tactics for confirming the authenticity of any communication. Using the telephone to confirm a sender’s identity is an “old school” but very effective way of determining whether a sender or company is real.
Another dangerous employee activity is downloading fake software. Hackers can easily create software that looks like it serves a legitimate purpose, such as antivirus software, and then present it to a company’s workers as a “free trial” or special offer. Once it’s downloaded, the hacker has a conduit into the company’s internal systems and can quickly dive into restricted databases.
Be Wary of Ransomware
Ransomware is effective because it provides companies with an uncomfortable choice. Pay off the hackers and (hopefully) get back to normal operations, or dig in your heels and work to restore your site, platform, or services. It’s a growing problem with an estimated $5 billion in costs in 2017.
Ransomware at the company level typically involves hackers taking over a website or encrypting data so that it’s indecipherable without the proper key. These hackers also usually gain access through email attachments and by guessing passwords, which again points to lapses in employee training procedures, such as choosing strong passwords. Companies can potentially lose millions during ransom periods: the hackers might steal data even if the ransom is paid, and if the ransom is not paid they might permanently damage or delete valuable data.
The threat of ransomware cannot be eliminated entirely, but companies can take steps to make their business less appealing to attackers. One is making sure all of their software is updated, including applications and operating systems, so that the latest security patches and protections are in place.
Firms should also back up their data continuously, so they can restore any data that is encrypted by hackers and avoid paying the ransom. Data segmentation is another smart tactic, where IT puts data into separate networks to mitigate ransomware-related losses. On the strategic side, management should determine an action plan in advance, by setting rules about whether or not ransoms will be paid, and in what timeframes this will occur.
Perform Backups Properly
For smaller firms, data losses in 2017 often were the result of a local failure event. In other words, they stored their data on local servers or hard drives, and their system failed. The firm didn’t yet see the need for data backups, so it lost all of its critical information.
Firms of any size should create multiple layers of backups, using both traditional hard drive storage as well as the cloud. The cost of cloud storage continues to fall year-over-year, and the improvements in cloud security make it ideal for all but the most sensitive data. Companies that experienced data loss in the past year often did not stick to strict procedures on the handling, movement and storing of data.
It’s imperative to create a formal data management plan that delineates the entire data “chain of custody” throughout every part of the organization. The plan should detail every employee’s role in data management, and the steps IT is taking to back up information and prevent theft.
Companies that want to keep their brand out of the “company destroyed by data leak” headlines should look at the mistakes made by companies that experienced breaches. The culprit is often employee actions, which can be improved through continuous training that provides real-world examples of common hacking attempts. In addition to the staff training, IT should also have plans in place to prevent/manage ransomware and ensure valuable data is backed up in secure locations.