2016, The Year of the Data Breach and How to Protect Your Organization in 2017

Lessons Learned in 2016….

I.T. Security breaches are prevalent in today’s business community and have captured headlines across the U.S. throughout 2016. Previous years have not been so challenging to security experts, but 2016 is the year they would love to forget. Hackers were relentless at exploiting various loopholes to influence the vote, hassle people out of their hard-earned cash, or simply spy on them.

One of the largest online scandals of the year was Yahoo’s security breach. Yahoo shocked many people in September of 2016 when they revealed that millions of users’ accounts had been hacked. They later announced, in a separate incident, that over 500 million accounts were also hacked in 2013, but it wasn’t discovered until December of 2016. This means the hackers have had the past three years to use and exploit the data they collected.

We live in a global, interconnected world. The days of keeping information in-house and locked down are long gone. Cloud solutions, co-location, disaster recovery are all typical practices and necessary extensions of today’s businesses. Convenience, rapid response, cost savings and other factors play into the need for most businesses to have their data and information online.

Unfortunately, taking your business online without taking proper security measures exposes your organization’s most private and proprietary information, leaving you at risk for attacks by ruthless cyber-criminals who go to great lengths to hold your data hostage.

Although the major headlines are most commonly announcing breaches within large organizations, the businesses most at risk are small businesses.  The infographic shown here is a great representation of the risks of leaving your organization open to cybercrime.

cybersecurity risks

So, what happens when you are attacked?

The attackers use the data they collect to demand ransomware from organizations (holding your data hostage and threatening to delete it, share it or use it if ransom isn’t paid), expose private information for public humiliation (such as the DNC email scandal in the 2016 election), or even worse, to steal money from the helpless and often unknowing individual victims of the attack, which are either the small business owners themselves, or your customers that they gained access to. The cyber-thieves, or hackers, may use the data to conduct “credential stuffing,” where they use stolen usernames, passwords and often security questions to log in to the victim’s other online accounts such as their bank accounts, to transfer and steal money.

Although it was reported that no financial information was stolen, in the case of Yahoo, the attacks have threatened the solidity of a recent $4.8 billion intended purchase of Yahoo by Verizon. In a recent report by Investopedia, Verizon could request $1 billion reduction in the sale price based on a $2-3 reduction per customer record stolen or at the very least a 5-10% price reduction (or $4.8M). In either case, the breach will cost Yahoo money and lots of it. And, as a result, ”Yahoo has topped the charts and may go down in history with two of the largest cyber-attacks ever recorded.”

 

Top Security Breaches of 2016 Making Headlines…

1. Democratic National Committee Email Hack, was Russia involved?

No matter what your political affiliation, this story hits home for all of us. At the height of the U.S presidential campaigns, cybercriminals once again reared their ugly head. This time it was a breach of the Democratic National Committee computer network reported by WikiLeaks. Many allegations followed this breach including suggestions that the DNC was actively working against Bernie Sanders in favor of frontrunner Hillary Clinton. This clearly threw the campaign in disarray. Cybercriminals Guccifer 2.0 claimed responsibility, yet upon further investigation, it was reported that Russian state actors allegedly hacked the DNC.

These allegations have been in question, primarily because the APT attacks were performed by malware that was available on the Deep Web market. (The Deep Web allows cyber criminals to purchase previously used malware that can be altered to fit the next crime.) The malware that was used was originally believed to be developed by a Russian group. The invasion into the DNC was an elaborate and sophisticated operation. There were several questionable “mishaps” for such a sophisticated operation that would lead people to believe the hackers were Russian.  These amateur mishaps could have been programmed by the hackers to point the accusers in the wrong direction (towards Russia) on purpose. Simple issues such as an invalid hyperlink errors being automatically generated in Russian could have been programmed to throw-off the investigation. It is unlikely that such a sophisticated operation would have missed this error that would lead them to be a suspect.  Source: Counterpunch.org

So what do we take from all of this controversy? The DNC security measures were not up to par and failed to protect its data properly.  Bottom line – if you leave yourself open and vulnerable, be prepared to pay the price.

2. Dyn.com Denial of Service Attack (DDoS) Bringing Down Netflix, Twitter, Pinterest and GitHub

The ramifications of the Internet of Things, and what’s to come…

In October of 2016, a popular domain name system provider (Dyn.com) was a victim of a Denial of Service attack. Dyn’s managed DNS infrastructure was hit by a malicious botnet (a botnet is when a group of private computers is infected with invasive software that takes control of the computers without the owners’ knowledge), that caused Twitter, Netflix, Pinterest and GitHub to keep going up and down, interrupting service for users across the U.S.

It was later discovered that the botnet comprised over 100,000 household devices that were infected with malware known as Mirai. Although the virus was discovered and contained within hours, the disruption caused new awareness and need for stronger security measures across the board.  With the rapid progression of the IoT (the Internet of Things) where everything is connected to the next with easy exchange of data, it is projected that more than 20 billion devices will be interconnected by 2020 (Gartner 2016). This massive coupling ensures that household attacks such as these will continue to grow rapidly as we become more and more connected.

As a result, everyone needs to be aware of the threats and do what they can to avoid them. Passwords seem to play a major role in protecting your data – so use them wisely and do not use the same password for any two platforms online. As someone responsible for propriety corporate information, intellectual and customer data, or you – as a consumer, you never know when or where the next attack will take place. Take all necessary precautions and pay attention to what is happening online.

3. The NSA Exposed! The Shadow-Brokers Steal and Sell Spy Tools used by the NSA (National Security Agency)…

In August of 2016, The Shadow-Brokers, an unknown threat actor, possibly Russian, was found responsible for several leaks tied to the NSA. The group claimed that they managed to infiltrate the National Security Agency and grab sophisticated hacking tools used in advanced cyber-espionage operations by the NSA’s elite spy team. These tools are supposedly capable of infecting devices and remaining there even after you’ve refreshed your system. The Shadow Brokers attempted to sell their stolen loot but didn’t seem to grab much attention. The public, however, believes that the NSA is simply downplaying things to avoid a crisis over fear for their privacy.

4. U.S Department of Justice Database Hacked

On February 8th, 2016 hackers breached the U.S department of justice database. The criminals were expressing their anger over the U.S.’s relations with Israel. They released data on 10,000 homeland security employees on the first day and followed this by leaking data on 20,000 FBI workers. Despite this, the department of justice doesn’t believe anything more sensitive than contact information was leaked. The hackers on their part said on Twitter that it took a whole week for the authorities to realize they had been hacked in the first place. Not good.

5. Wendy’s

The fast food chain in May of 2016 revealed that some of its restaurants were affected by malware. By infiltrating their third-party point-of-sale systems, hackers gained access to their customers’ data.

According to USA Today, Wendy’s franchise owners use a third-party PoS (point-of-sale) system which was the weak link in the system. Over 1,000 of the franchises were affected by the malware invasion which stole their customers’ names, credit card numbers and expiration dates throughout a 6-month period. The CEO of Wendy’s, Todd Pengar, also announced that they conducted a rigorous investigation to understand what occurred and apply those learnings to further strengthen their data security measures.

Wendy’s offered their affected customers a year of complimentary fraud consultation and identity restoration services, although no final number or estimated damages were reported.

So, what does this mean for you? If business giant Wendy’s can have a breach with their PoS system, so can you. Wendy’s can afford a few hiccups with their customers, but can you?

A few more data breaches to top off 2016…

6. Dropbox Takes 4 Years to Report Stolen Customer Account Information

In August 2016, it was revealed that more than 68 million Dropbox users’ accounts had been breached – in 2012! Dropbox reported that usernames and passwords had been stolen four years earlier and anyone who hadn’t changed their password since 2012 could be in jeopardy. Because of the breach, the file hosting company now asks its users to change their passwords often to avoid being victimized by attackers. They also encourage everyone to use different passwords for every online platform.

7. Kiddicare Fake Survey Requests Due to Unsecured, New Website in Development Stages

Kiddiecare.com’s (an online retailer) customers started receiving messages asking them to participate in online surveys that they weren’t sending. After investigation, it was discovered that this was the result of security errors from testing the company’s new website in an unsecured environment. The company downplayed the extent of this data breach claiming that credit card data hadn’t been compromised.

8. Healthcare, Central Ohio Urology Group, Blackmailed with Threat of Leaking Private Patient Information

Many hospitals have been attacked but most notable is the attack on Ohio’s Urology Group in Central Ohio. Highly private health information of patients was stolen and threatened to be leaked in a deliberate attempt to swindle doctors, patients, and insurance companies out of money.

Consequences of a Security Breach

  1. Ruined reputation & cyber-vandalism – Cybercriminals find pleasure in planting false information online – on your website or elsewhere, that can ruin your reputation causing distrust with your customers.
  1. Theft & loss of intellectual property– Aside from all of your company data – from financial information to private customer information, unprotected data can have detrimental results. If your intellectual property or proprietary information is leaked, your company’s entire existence could come into question.
  1. Revenue lost – With systems down, reputation damaged, the irreversible revenue lost can put a small business into bankruptcy.
  1. Low employee morale – nothing is worse than working for a company that has openly disappointed its customers with a data breach. With failed systems, comes failed performance and loss of star performers. No one wants to work for a company that didn’t care enough to at least try to protect itself from cybercriminals.
  1. Lawsuits & out of business – Worst case scenario is not only dealing with the above consequences, but also the threat of lawsuits and your business actually shutting down due to a cyber-attack. Do what you can to protect yourself and your data. Be sure to look at monitoring and management services, disaster recovery services, co-location options as well as data security insurance available through most business insurance agencies.

Target incurred $290 million in expenses related to its 2013 security breach where millions of customers private information was stolen. Does your company have $290 million to recover from an infiltrated system? Reports state that over 50% of customers say they will not do business with a company who had experienced a security breach. Can you afford to lose over 50% of your customers?

How to Protect your Organization Against Security Breaches

By now it is surely clear that modern-day attackers prey on vulnerabilities of organizations and internet users worldwide. No one is spared because attackers can prey on whoever they want as long as they can gain leverage over them.

Whether hackers are attacking to expose information, sell personal information for their gain, demand ransomware (money in exchange for data being held hostage), or they are just attacking your company’s systems to prove that they can, it is crucial that your organization take the necessary steps to protect the individuals and the information that is under your care.

The problem with cyber-attacks is that they get embed so deeply into your system that it can take months before your in-house IT can detect a problem. In the case of ransomware attacks, the malware gathers all the data it can while it is undiscovered so that upon discovery, the attackers can demand ransom from the victims or the organization. Not wanting to harm their image or lose customers, affected companies often downplay the extent of an attack and pay the ransomware to regain access to their data and protect their business.

The best step is to take precautionary steps to avoid getting hacked, or in the very least, take the steps necessary to monitor and manage your devices and systems in order to discover an attack as soon as possible. To reduce your risk of an attack on your organization, it is important to take deliberate protective measures.

Five Steps to Take Today…

1. Train Employees on Best Practices and Risks

Educate staff on best practices so that they know not to open email or click links that they aren’t sure about. They need to also understand the importance of reporting suspicious activity as soon as they discover it so that the attackers can be stopped in their tracks.

2. Update Security Software Regularly

Updating security software is important, but you must do so regularly if you hope to keep up with the pace of malware. The viruses of today have the rare ability to mutate whenever you try to take measures against them. If attackers get into your systems and are able to mutate the virus, you will be left to their demands.

3. Hire Professionals to Help

Work with consulting professionals to help fortify your systems against relentless attackers. Due to security being their primary focus, consultants are typically better versed and more up-to-date on the latest viruses and means of protecting your systems than your own I.T. department who is busy working on your I.T. business issues. Having a dedicated third-party consultant will ensure that you have a team to back-up the in-house staff which is always better than going it alone.

4. Update and Change Passwords Regularly

Small business networks are particularly prone to attacks because most users leave their networks open. It is important to protect networks with passwords to make sure attackers don’t have leeway into these accounts. But now, more important than ever, it critical to take extra measures to protect your accounts. It is also imperative that you train your employees on best practices for creating passwords. Many re-use the same password over and over for different accounts for ease of use. Although in the short term this may be true, it won’t be easy once they are hacked and their privacy and even your organization’s data is exposed.

5. Perform a Security Assessment

security assessment is important in helping individuals and organizations to know what risks they face and what they can do about it. Constantly monitoring your I.T. systems is the best thing you can do to detect problems and take measures against them. Assessments must be conducted across the I.T. and physical infrastructure especially for organizations that want to align themselves with international security standards or frameworks.

Professional security assessment agencies offer different products over a range of technologies. This ensures that relevant security controls are duly integrated into the design of any projects undertaken by the organization. The company you choose to work with should be able to incorporate accepted security architecture in a bid to streamline the entire organization’s security strategy. Their main objective should be the delivery of cohesive, best practice security measures for you based on your needs, your company’s growth goals and the budget limitations you have in place.

What is the future of security?

Sometimes it seems like the only solution for an organization is to pay ransom or meet other criminal demands, but U.S security authorities advise you not to. Bending to the attackers only encourages them to continue breaching systems. Ransomware keeps changing, so it is imperative that you stay on top of the latest threats. Judging from the events of 2016, it is obvious that nobody will get away with ignoring the critical need to protect I.T. systems.

Experts believe that things will get worse before they can get better in 2017. There are predictions that attacks will become more prevalent and complicated to prevent experts from mitigating them.

Some may think that taking protective measures is an expensive venture, but not protecting your data is far more expensive in the long run.  Without a clear picture of what attackers may be up to, it is the only way to prevent data breaches with untold effects. You should consider any steps you take to protect your organization’s data as a form of insurance. No one can full-proof your organization from a hacker, but you can take critical steps to ward off such attack.

Are you at Risk?

Take CenterGrid’s quick I.T. Security Quiz and to see if your organization is at risk. Or, if you know you are at risk, contact CenterGrid today to discuss a security assessment and next steps. The cost to protect your organization is minor compared to the cost to repair a damaged reputation and disgruntled customers.

 

CenterGrid