It’s a question many CEOs and small business owners would fail to answer. Perhaps the most common response: “The IT person will handle it.” But let’s face it, IT doesn’t always have security experience. Even for those with the necessary skills, it’s easy to become overwhelmed by increased vulnerabilities due to data breaches.
The Internet has evolved in many ways, but one thing that has held steady is the number of hackers able to compromise data through various methods. Whether creating new malware and viruses, or sharing tips, resources and information on dedicated forums, hackers are regularly devising new ways to infiltrate networks and steal information.
Cybercrime has become the status quo, and criminals view it as a battle of the titans—a way to see who is who in the hacking business. Many cybercriminals are able to steal information and vanish without a trace.
Data breaches are real, and they are damaging. In 2015, a hack on US government computers was reported to have exposed 21.5 million government employees. This is just a drop in the ocean of major hacks executed within the past decade. Careers, reputations and lives are put at risk in a matter of a few clicks.
In the past decade:
- 25% of data breach occurrences have been a result of malware or hacking
- Incidents of payment card breaches have increased over 170%
- Several sectors have experienced data breaches; the top three, starting from the most affected, are healthcare, government and retail.
- The most stolen record type is PII – Personally Identifiable Information.
- Financial data is the second most stolen record type
The vast majority of data breaches remain unreported and undisclosed. Businesses, big or small, must find ways to not only establish data protection solutions but also have strong security mechanisms to detect intrusions and expose criminals.
What is a Data Breach?
According to the International Organization for Standardization (ISO), a data breach is defined as the following:
“Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise processed.”
The cost of cybercrime to businesses is estimated at $445 billion to $2 trillion, and by 2019 global cybersecurity will be worth $155.4 billion.
More than 70% of top executives believe that cyber threats will impact growth; this should be a major concern to any type of enterprise. In just one year, the initial costs attributable to cybercrime increased 52% to $1.1 million. Collaborating with expert security organizations can mitigate these issues.
Types of Data Breach and Recommended Practices
Theft or loss
Theft or loss of computers, laptops, electronic media and paper files is one of the most effective ways for private data to be accessed. The Veterans Administration (VA) cybercrime incident led to the infiltration of private and confidential records of more than 26.5 million veterans discharged from duty. This information included names, social security numbers, and dates of birth. Reports further confirmed that the breach was the result of an employee improperly taking materials home.
Companies should ensure proper physical security of computers and electronic devices. Practice the following methods:
- Have a secure area where files and portable devices are protected.
- Lock laptops before stepping away
- Use additional security measures for portable devices, such as encryption and strict physical security
- Guide employees on how to properly handle or dispose of sensitive paper records
- Report the loss or theft of files or computer devices immediately
Insecure storage or transmission of sensitive information
This is one of the most effective tools of cyber criminals. PII, financial data and other sensitive information are carelessly stored and transmitted via email, usually due to ignorance.
- Never use a public web folder to save files containing sensitive information
- Access to a restricted folder should only be granted to authorized parties
- Sensitive data sent via remote access or client-server transmissions must be transmitted securely
- Never use unsecured wireless devices for sensitive data
- Avoid sending paper mail that contains your SSN, financial data, license or ID number
Is your password good enough?
Hacked or revealed passwords have been recorded as one of the most effective approaches that criminals use to compromise data. With almost 50% of US citizens having their personal information exposed through a data breach, it is imperative to ensure that your password is secure enough to prevent the worst.
- Have strong password combinations
- Never reveal or share your passwords
- Different passwords for different accounts
- Immediately change default passwords
- Consider password managers
Missing Patches and Updates
OS and application vulnerabilities provide a major resource for hackers to gain unwanted access. Once security is compromised, all data in a system can be exposed.
- Ensure that all necessary patches and updates are installed to all nodes connected to a network.
Infected computer device
Viruses and other malware should be prevented or quarantined using reliable anti-malware software. The digital world is always evolving, so update expired antivirus software. Known malware may go undetected if updates or patches aren’t installed.
- Antivirus / anti-malware should be installed and updated regularly
- Never click on unknown links or attachments
- Avoid opening files sent via chat applications, instant messengers or P2P software, especially if the computer contains restricted data
Poor software configuration means exposure to data breaches. Hackers use this as a loophole to steal data, as most users fail to acknowledge anything suspicious before an installation is complete.
- Never install suspicious or unknown applications
- Sensitive information should never be stored in areas without access permissions
Improper disposal & reuse
A recent case of improper disposal was witnessed when close to 240,000 records were reported to have been potentially exposed after the Boston Globe opted to reuse recycled paper for printing and wrapping newspaper bundles. This paper contained payment card as well as personal check information that may have led to a data breach. Disposal or reuse of materials should always be thoughtful and secure.
- Securely delete or destroy sensitive data
- Copy services or ITS should be hired to securely erase network devices, such as photocopiers, printers and fax machines before disposal
- Sensitive paper records should be shredded
Mobile devices are integral to both our personal and business lives. Although they make our lives easier in many ways, they are incredibly susceptible to data theft.
It’s estimated that fewer than 15% of companies deploy mobile threat defense systems as part of their IT infrastructure. Organizations and businesses should focus more on resource allocation towards mobile security to guarantee protection.
Data protection tips for mobile devices
Configure app privacy settings
Most apps offer privacy settings after installation. Determine what type of information you would like stored or shared and follow these guidelines. Checking and configuring privacy settings to limit data-sharing will help prevent breaches. Most applications allow users to customize sharing settings, but always be aware of what you decide to share.
Activate remote location and device-wiping
This is very helpful when your device is lost or has been stolen. When enabled, tracking applications will relay information and identify exactly where the device is. Device wiping apps allow you to remotely wipe any private information, even when you cannot physically access the phone.
Make use of app permissions platforms
Permissions platforms such as MyPermissions.com allow you to check permissions across nearly every app on your mobile devices, and give regular reminders to have permissions cleaned. You’ll also receive alerts if an app attempts to access your personal information.
Physically lock mobile devices
Almost everyone owns a mobile device, whether a smartphone, tablet or laptop. Be sure to lock these devices, however, because they can easily slip from your bag or pocket.
Back up your data
Backing up mobile data is often overlooked. However, it has proven to be incredibly useful when a device is lost, stolen or damaged. There are several cloud options that offer affordable, safe and secure storage for all kinds of data. Cloud computing will only become more essential, as it offers plenty of backup options as part of the whole storage package.
The convenience of Bluetooth technology is undeniable, but cybercriminals do use it to access information. Bluetooth attacks are popular in the US, as hackers infect mobile devices with malware that targets login details. Make sure you disable Bluetooth when you are not using it.
Disable automatic uploading
Automatic uploading should be disabled, since some apps enable this feature to back up your data. Even though it can be helpful, it may leave your personal information vulnerable.
Review your push notification settings
Always check push notifications on your home screen and confirm that applications with sensitive information are not displaying. You may forget a device on your desk at work or at a counter somewhere in a grocery store.
Scrutinize before installing an app
App stores are being flooded with new applications, and while this influx provides variety in mobile development, some of these applications could be sharing your personal information—even your exact location—without your knowledge. Always confirm before installation that the app is a trusted source, and avoid installing APK files from third-party app stores. Hackers often use these file-types to transfer malware and other viruses.
Calculating the cost of data breaches
There are a myriad of factors that determine the cost of a data breach. Businesses should consider these factors to make better decisions on resource allocation, so as to limit financial consequences when cybercriminals gain uninvited access:
Unexpected loss of customers
A recent study of companies affected by data breaches showed that most businesses lose customers due to exposure of confidential information. It is, therefore, important for affected companies to hire professionals, such as privacy officers and information security experts, with the capacity to create strategies that reduce the cost of the data breach. For example, offering breach identity protection to victims of data breaches has proven to be an effective mechanism for retaining trust.
The depth of the breach
The deeper the effect of a data breach, the higher the cost is going to be. Ensure the effectiveness of data classification and retention programs to limit any vulnerabilities that hackers may use to phish information.
By identifying a data breach faster and containing it, companies can limit costs. This can be accomplished by improving security solutions, such as incorporating security analytics, enterprise-wide encryption, SIEM, and threat-intelligence sharing platforms. Although helpful, organizations should know that complex security systems affect the total time required to identify and contain breaches.
Risk management and compliance
This aids in the detection of data breaches before they hit. Create a framework to aid in the evaluation of risk and exposure to improve the company’s ability to perform forensic and investigative activities. The costs involved in detection and escalation include audit services, crisis team management, plus the forensic activities a company is involved in.
Post data breach costs
Inbound communications, legal expenditures, help desk operations, remediation, discounts, breach protection services, and regulatory interventions are great examples of costs incurred due to risks associated with a data breach. Insurance is important in managing any financial implications related to compliance failures and lawsuits.
Almost every organization processes and/or stores data — most of which is private and confidential — making companies susceptible to breaches. Unfortunately, data breaches will continue to increase and become more complex and difficult to identify. No defense system guarantees 100% data protection, so spreading public awareness and having an effective alert, containment, and mitigation system will help detect and prevent data breaches.