There was a time when data breaches like hacking or cyberattacks were rare and the stuff of science fiction – encountered by the average person only in movies, in comics and on TV. Fast forward a technical blip – a mere decade or so – and we see data breaches as a common concern and necessary risk investment for almost every company and vertical today. And news – off and online – as well as trending topics across the web reflect the commonplace frequency of cyberattacks and the threat of data breaches to businesses of all sizes, and at all levels from individual users to whole government entities. No sense in beating a dead trojan-horse – we can all agree that the threat of data loss (especially as a consequence of failed cybersecurity) is a real concern in our global marketplace. The trending search patterns and tags across online media outlets also point to the concern and highlight cybersecurity and data protection as a continued and steadily increasing focus area in 2015 across industries – from the smallest of SMBs to the largest of corporations.
The cross-industry competitive landscape is dominated by information technology and the use of data as a strategic weapon and competitive differentiator. With the majority of retail shopping done online and now mobile driving more online transactions than desktop computing or other commerce outlets, we have seen our commercial marketplace booming because of technology-facilitated commerce. And as you might expect, with this comes the liability of data breach with so much virtual transfer of sensitive information. Commercial entities maintain sensitive client information, personal and financial, and depending on the industry may even house personally identifiable information that could lead to identity theft if it fell into ill-intending hands. Such personally identifiable information is prime target data for malicious hackers who leverage secure data of this type to steal identities, sell social security numbers to the highest bidder, and auction contact information to spammer pipelines. Obviously this is not only detrimental to a company’s retention of existing clients, but also carries legal, financial and perception repercussions that could quickly lead to an irreparably damaged brand and even an organization’s downfall.
With the increased cyberthreats looming at each turn, it helps to know what threats exist, and some reasonable steps you and your employees can take to foil cyber-ne’er-do-wells.
According to the 2015 Verizon Data Breach Investigations Report, almost all attacks can be classified into nine (9) distinct patterns:
Data predators often target the point of sale (POS) systems of retail businesses to nab customer payment data. Companies that deal primarily with consumers and handle many transactions a day (such as retail, healthcare, and hospitality industries) are most at risk, but with the general proliferation of multi-modal payment across all consumers – from gas and groceries to Apple Pay and Google Wallet – POS intrusion has high potential to increase as a threat and all payment gateways and governmental agencies are continuing to closely monitor and watch for this breach method.
A common culprit of data loss, online applications and content management systems (CMSs) are often a treasure trove of exploitable data. Attackers will attempt to use stolen credentials or hack into vulnerable systems to either cripple the system, hold it for ransom, or obtain data ranging from passwords to email addresses and contact info to credit card numbers. Having strong firewalls, well-monitored and consistently updated anti-virus, and standard encryption and data security policies still go a long way to bolstering your network’s databases against Web application attacks.
Sadly this is still widely held as the most frequent cause of data breach in corporations and SMBs. As the category name indicates, this breach comes from within rather than from without. Companies with poor access protocols and authentication oversight may find that their biggest vulnerabilities are their employees – who may intentionally or unintentionally mismanage or disclose data to third parties.
An obvious one but still prevalent enough to rise to the 2015 categories list. Losing your wallet is pretty bad. Losing your laptop (which contains all your saved passwords, sensitive documents, and stored payment data) is worse. And as many consumers are now seeing – loss of mobile devices can be even more detrimental given their constant-on, always-with nature and the fact that more and more applications enable mobile-facilitated lifestyles with the incorporation and facilitation of data-based payment, contact information, health information, password recovery, and more. A good principle for both your company assets as well as a good rule of thumb for you and your employees as consumers and users of personal computing devices – from iPhones to laptops: lock up, encrypt, and password-protect everything.
We all make mistakes. Employees and customers both are responsible for exposing company and personal information to malicious parties accidentally. There are any number of risky behaviors that fall into this category, such as inadvertently posting sensitive information on public pages, accidentally sending communications with sensitive data to the wrong recipients, or use of unsecured public networks or making payments on unsecured gateways or vehicles resulting in increased risk of breach and exposure of sensitive data.
This category encompasses a wide swath of bugs, viruses, malware, ransomware, software, and even human-coupled malicious and invasive tactics like social engineering and phishing. All of these carry a threat of compromising systems with at least one primary goal of extracting sensitive data, passwords, or financial information. Poor administrative protocols, and unhealthy environments and technical infrastructures are the quickest way to invite this category of data security threats into your company. Ensuring strong protocols, firewalls, anti-virus, well-patched and consistently updated software and networks are still the best ways to protect your company against crimeware attacks. Check out our preventative maintenance managed service for a more detailed look at the type of things you should do (or we can do for you) to reduce your chances of breaches of this sort.
A newer variant that has become more and more prevalent over the last five years, payment-card skimming entails devious identity thieves placing their own card reading hardware on top of or into actual card readers (such as ATMs or gas stations) to skim payment and contact information.
Though still potentially invasive to sensitive data stores, attacks in the DoS category target networks with the goal of crippling operations and disabling them, rather than to directly steal data. In a denial of service attack, botnets flood the target’s network with huge volumes of unwanted traffic, making business impossible for authentic users. The impact does have data repercussions from these attacks bringing down networks and the accompanying potential for mid-stream data loss. Organizations with high volumes of data transfer traffic such as e-tailers are especially vulnerable to mid-stream data loss from a DoS attack.
Yep. It’s not just for governments. Espionage happens across industries, and if your passwords are weak or you have poor encryption protecting your credentials, competitors or their agents can target sensitive company information without you noticing. Stronger data security protocols, password security, and administrative oversight are key to protection here. A simple first precaution? Avoid jotting passwords on post-it notes and leaving them about your desk. Somewhere in the ballpark of one out of every eight credential breaches results from gaining password credentials from offline sources – such as walking by your desk and snagging that sticky-note on your monitor.
Aside from some of the tips we mentioned above, what are your best steps toward securing your business against data breaches – both online and off? Start by leveraging a combination of multi-factor authentication, installing physical security measures, keeping excellent logs, and leveraging industry-standard security protocols – such as appropriate data encryption for data type, function and access. All of these tactics can help prevent or mitigate the impact of a potential breach.
A great first line of defense is employee awareness and education. Online security in its entirety is simply more than an internal IT Department can handle, so management must support both processes and training of controllable risk behaviors to help minimize the chances of a breach. Adopt an organization-wide training program to get your employees up to speed on your internal security procedures and key best practices for workplace security. Follow this with a healthy dose of constant vigilance from your IT staff and MSP partner. (Don’t have an MSP partner? Check out our latest whitepaper on the key criteria to consider when looking at managed service providers.) Verify and re-verify that each employee knows the basics of online security and any internal processes to safeguard data and network security such as using strong passwords, identification of suspicious websites, links and applications, and procedures such as locking workstations. And if you don’t have one documented yet, you should definitely develop (or work with your IT services partner to develop) and then widely distribute to your employees a complete set of cybersecurity policies that each employee is expected to uphold.
Another standard tactic is to implement security measures to track each device on the network (both workstation and mobile devices) and prevent access to devices if physical theft occurs by remote administration and wiping of devices. Theft or no, be sure to wipe clean any device no longer in service as soon as possible. Be sure to partner with your internal IT team or your technology services partner to be sure that what you thought you fully deleted or reformatted to remove is indeed gone from the device. Physically secure your devices whenever possible such as issuing and having all employees use cable locks to secure laptops, and limit access to secure areas (such as server rooms) to only authorized persons. A good practice is to document your access protocols so everyone is clear on who has access to secure areas and who should steer clear of them.
Each workstation and device capable of storing and transmitting data is a potential point of entry and data breach risk variable. Ensure access to network and data structures is possible only through secure, administrator-managed devices using appropriate identity management protocols, firewalls and secure virtual private networks (VPNs) where necessary.
The reality of our global, technology-enabled marketplace and competitive landscape is that most modern businesses of any size have so many potential entrance points that it is easily a full-time job to protect yourself, rarely can you do it well without help, and even then it’s nearly impossible to protect yourself completely. Sadly, even the most secure companies get hacked, and history has shown that – though it may not always be the case – if someone wants to get in bad enough, they typically can find some way in. Management and IT departments can only do so much, and entire industries have grown up around third-party network management (internal, cloud-based, or even hybrid), data backups and security, business continuity and disaster recovery based on the ever-changing and ever-complex technology universe.
If you aren’t sure about your company’s data security and would like to speak with someone on our security team – no cost or obligation of course, we’d love to help. Click the button below to contact us about data security or any of your data, technology or business continuity needs. And if you haven’t guessed, we have a number of ways we can help you if you are looking for an IT service provider to assist with hosting, networking, data backups and security, business continuity planning and disaster recovery, and more. If you’re interested, we’d be happy to share with you the ways we can help you stay secure today while preventing an attack tomorrow — contact us by clicking the button below.
Curious to learn more? Contact Dynamic Quest, your managed IT service provider.