By Gerald R. Gagne
The success of a company is built on customer service and its reputation in the community. A business may have built up goodwill over decades, but it could come undone in a matter of hours if a highly publicized security breach compromises private customer information. This will not only cost a company its reputation, but also tens of thousands of dollars in losses and possible fines.
It is essential that companies take all precautions available to them and create a robust information security plan to protect the personal information they hold on their customers and employees.
To be prepared, it’s important to know what kinds of threats are out there.
No matter the size of the company, there are a number of ways for hackers or cyber-terrorists to penetrate an IT system. Here are some of the major attacks and exploits out there today:
Technical vulnerabilities – these come in the form of missing patches for software defects, the use of outdated systems and applications, “zero-day” attacks that occur before a defect is known and patched, and custom exploits that take advantage of specific vulnerabilities.
Malware, including computer viruses, worms, Trojan horses and backdoors.
Insecure ports and services, and other web-based tools or access points vulnerable to attack.
Compromised user credentials, such as passwords and user names that are no longer secret.
Rise of the ‘Opportunistic’ Risk
The large-scale hacks of the past are in decline and smaller attacks, called “opportunistic” attacks, which exploit the vulnerabilities and methods mentioned above, are on the rise. These attacks result from a lack of basic security controls such as:
Not using passwords or using default passwords.
Not installing patches for known vulnerabilities.
Not building secure and properly configured firewalls.
Not installing the latest anti-virus software.
Not having adequate monitoring procedures.
In the last few years, hackers and cybercriminals have turned to one of the oldest criminal practices to find a vulnerability in a company: exploiting people’s behavior. The term for this is “social engineering,” in which a criminal exploits a person’s desire to be helpful, or their greed, causing them to put aside their better judgment even for a moment. Cybercriminals combine this ancient art with the latest technology to gain access to the information they need.
Some of the high-tech social engineering techniques used today are:
Phishing – using fake emails from seemingly legitimate entities to trick a person into revealing important information such as passwords and usernames.
Spear phishing – a more personalized and direct version of phishing that uses fake emails that appear to come from entities like Facebook and are personalized to the victim to appear more trustworthy.
Vishing – using Internet-based phone systems to evade tracing and caller ID, and tricking victims over the phone into revealing their personal information.
Baiting – purposely leaving behind removable media such as thumb drives and CD-ROMs for the curious to pick up and plug into their computer, which infects the computer with a virus.
Hackers and cybercriminals use a powerful computer-based tool to get the information they need: social media. Very often, people put enough personal and work information on their Facebook or LinkedIn pages to allow the cybercriminal to target them individually and appear to be a friendly source.
It is possible, however, to prevent social engineering scams through best practices such as:
Training staff to be aware of scams and to keep their work and personal worlds apart.
Installing and using strong email filtering programs that sift out malicious spam.
Regularly installing and updating anti-virus and anti-malware protections.
Utilizing sophisticated data loss prevention software to analyze the use and movement of important information.
Beefing up or adding web filtering software to prevent the use of social media sites, personal email and instant messaging in the workplace.
Old-fashioned physical security – locking things up.
Data Breach Cause AND Effect
It seems there are more stories than ever on security breaches in the news, and very often they result from the following problems: stolen laptops; stolen paper reports; hacking incidents; vendor mismanagement; improper destruction of files; lost backup tapes; and/or dishonest employees selling information.
According to the nonprofit watchdog group Dataloss Database, through July 2011 there were 369 reported incidents of security breaches that involved personal information. This loss represents approximately 127 million records.
The costs resulting from security breaches are very real and very high. According to the Ponemon Institute, in 2008, the cost per record borne by an organization was $202 per compromised customer record. In 2011, it went up to $214. The average total per-incident cost in 2010 was $7.2 million, compared to $6.65 million in 2008.
As data breaches increase, more regulations will follow, which will add to the financial and reputational costs that come with each incident. Massachusetts already has the toughest-in-the-nation data privacy law, now in full effect. The law, commonly referred to as CMR 17, or the Massachusetts Data Privacy Law, holds entities accountable for a security breach by establishing a minimum standard that must be met in areas such as encryption of data and storage of documents that contain personal information. It is very possible for companies to face fines, possible civil action and further public exposure from this new law. By creating and implementing a data security plan, however, a company can be in compliance with the law and avoid becoming prey to cybercriminals.
Computers and web-based tools provide companies with great opportunities and advantages. With these opportunities, however, come greater risks. By observing best practices, putting in place a company-wide security plan that includes vendors, and hiring top consultants, a company can dramatically increase its ability to stave off hackers and cybercriminals and prevent data breaches.
Gerald R. Gagne, DPA, CISA, is director of marketing for Wolf & Company and specializes in IT security.