If You Don’t Think Cybersecurity Is Crucial – Listen To This

 

Small and mid-sized companies have a tendency to operate under the assumption that hackers target only more extensive operations. There’s a simple logic to that misconception: these criminals instigate the cyber breaches that reap the highest possible reward. Nothing could be further from the truth.

 

Check out what Robert Herjavec and Scott Schober have to say on Cybersecurity.

 

 

While hacks into the Democratic National Committee and Equifax make big headlines, the majority of cyber attacks are carried out on smaller, vulnerable systems. Most hackers merely look for the low hanging fruit. If your small or mid-sized company has modestly valuable data and lacks top-tier cybersecurity, you are that low hanging fruit.

 

By 2020, upwards of 6 billion people globally and 283 million Americans are expected to utilize the Internet. That means businesses of every level will be fully engaged and it only takes two miscreants on another continent to breach your security.

 

Cybercrime has already reportedly outpaced the combined profits of all the major drug cartels in the world at $6 trillion annually. Unlike vast criminal organizations, two computer whizzes with laptops thousands of miles away can extract sensitive information without a company even knowing until it’s too late.

 

These days, stealing credit card info is not among the highest priorities. Cybercriminals have discovered that personal and personnel information can yield significant paydays. If you still don’t think cybersecurity ranks among the highest priorities for small and mid-sized companies, just listen to this.

 

Hacks Are Often Inside Jobs

 

It may seem counterintuitive, but a company’s most significant cyber threat can be found among the most valued employees. Staff members are not generally acting in a nefarious fashion. In fact, loyal employees are often just that, loyal. But a pervasive attitude exists in workplaces that checking in on personal social media, using various non-work related apps and platforms is both allowable and safe.

 

According to cyber security experts, upwards of 93 percent of all breaches that are investigated thoroughly trail back to an employee. Although that person is generally not the so-called “inside man” or “inside woman” regarding criminal intent, their nonchalant attitude about checking personal sites exposed the small or mid-sized organization to a massive data breach.

 

Many are merely duped by phishing scams or inadvertently infest a business system with malware. This could occur by synching an unsecured device, moving data on a USB drive back and forth between home and work, or surfing the Internet among other security missteps. While many business decision-makers believe their data is not at risk, it takes a cybersecurity professional to build a company-specific “human firewall” that reduces internal threats through actionable policies and training.

 

Small And Mid-Sized Organizations Held Hostage Every Day

 

No Third World drug cartel can compare to the volume of theft leveled by small-time hackers. Ransomware remains the top malicious software and ranks among the most lucrative types of cyberattack. This variety of malware targets business systems by penetrating them through a camouflage method of encryption. Once inside a business’ network, it quickly encrypts critical data and makes everything inaccessible to the organization.

 

The name “ransomware” was earned by what comes after. A defiled organization will likely get a notice to pay a certain amount, often in bitcoin, to get an encryption code allowing it to restore access to its own files. This hostage situation often proves fruitful for the cybercriminal because paying them off appears to be in the company’s best financial interest. Sadly, too many business leaders only move forward with advanced cybersecurity after suffering a feeling of helplessness and humiliation.

 

Underachieving Cybersecurity Protocols Prove Costly

 

A Verizon Data Breach Report reportedly concluded that upwards of 60 percent of all incursions during 2016 could be attributed to outside forces. These data breaches were considered instances of “hacking” by a third party intent on circumventing existing security measures. Hackers tend to seek out a company’s weakest cyber defense points to gain access.

 

In essence, this follows the adage that a chain is only as strong as its weakest link. Among the more notable instances of a weak-link failure was JP Morgan’s massive breach in 2014. Despite having a top-tier cybersecurity team in place, a single server was missed during a password update. That single under-protected server resulted in what was ranked among the top 10 worst cyber thefts in history. Approximately 83 million household and business accounts were reportedly impacted at a whopping $100 million.

 

While this level of cyber theft makes mainstream media headlines, hackers tend to have greater success penetrating smaller companies with far less sophisticated cyber security systems. The basic criminal business model relies on volume, not occasional massive paydays. Think about it this way. The Brinks Job made bank-robbing history in 1950, but stick-up men knock off liquor stores every day.

 

Unpatched Security Bugs Attract Cybercrime Infestations

 

One of the more prevalent methods used by a hacker is to infiltrate your system in plain sight. Cyber thieves often use well-known software deficiencies commonly called bugs as a type of cracked door.

 

When software companies send out routine fixes such as patches, users have the option of making this repair. But when a system appears to be functioning appropriately, a small or mid-sized business may discard the effort as more of a nuisance than anything else. That could prove to be a fatal data breach mistake.

 

When systems linger unpatched, hackers may be quick to seize on specific vulnerabilities and infiltrate a company’s network. It’s important to understand that cybersecurity only seems like another time-consuming task that detracts from company goals. Anyone who uses computers, devices, software or accesses the Internet is inherently in the cybersecurity business. Without adequate cybersecurity systems, policies and protocols in place, the entire organization remains at risk.

 

Data Breach Threats Represent A Clear And Present Danger

 

If you remain unconvinced about how crucial cybersecurity is to your business’ integrity, consider these telling facts. The U.S. government has placed the most significant emphasis on increasing only two areas of the military budget — special ops and cybersecurity.

 

Today, a person’s electronic medical records are more valuable than credit card information on the dark web. And electronic ransoms are the fastest growing cybercrime and are expected to occur every 14 seconds by 2020. The question is no longer if a sub-par system will be hacked; it’s when.

6 Tips To Ensure Third-Party Security

 

Businesses of all types and sizes today must navigate a complex matrix of vendors and partners. In many cases, there is frequent sharing of data, including sensitive and proprietary information, that could be problematic if hacked or stolen.

 

 

The advent of new technologies, including the Internet of Things, automation and cloud systems, makes the collection and sharing of information more accessible than ever before. However, the increased volume, accessibility and transfer of data create problems and added risk for companies. To help companies protect information and minimize the risk of data theft, here are 6 answers to common third-party security questions.

 

1. How Can I Assess My Company’s Data Security?

The place to start is with an internal audit of your system. Which vendors have access to which data? How are they connecting to your networks and what can they access?

 

It’s smart to map your third-party partners, understanding who they are, how they access data and what data they can access. Make sure third parties can reach only the information that is necessary. Often these audits can detect access that was given long ago to third parties that no longer should or need to have access.

 

2. What Can I Do to Assess My Third-Party Partners?

There are basic things you can do to ensure that third parties have the right safeguards in place when using your data. Asking for copies of their data security policies and audit results is an excellent place to start. If there are practices or results of concern, you can ask for more details. Some companies require their vendors to undergo a thorough security audit with detailed questionnaires or independent verification of processes and systems.

 

The practice is not just good business sense. Many new regulatory mandates, including the European Union’s General Data Protection Regulation (GDPR), require companies to ensure that third-party vendors are also compliant with the appropriate requirements.

 

3. What Foundation Do I Need for Data Security and Third Parties?

Be sure your organization has clear policies and procedures that govern data access and security related to third parties. Policies should be evaluated regularly to reflect new technologies or practices.

 

4. Who Is Responsible for Data Security?

 

Often, risk ownership can be a gray area as companies exchange data, update it and enter it into each other’s systems. A risk assessment matrix should be created that defines and tracks data within your corporate ecosystem. The matrix should include:

 

  • Vendors, partners, customers and subcontractors throughout your supply chain
  • Classifications of each third party based on how they interact with the organization
  • Risk types mapped to each third party
  • Risk levels assigned to each vendor’s assigned risk types

 

This exercise allows you to build a comprehensive risk assessment model to inform decisions, policies and access.
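An added example, not part of the original article: the matrix described above, combined with the access audit from question 1, as a small Python structure. The party names, data-set names, three-level scale and 180-day staleness threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Ordered risk scale (an assumption of this example).
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class ThirdParty:
    name: str
    classification: str   # how the party interacts with the organization
    risks: dict           # risk type -> risk level
    granted: set          # data sets the party can currently reach
    needed: set           # data sets the party needs for its work
    last_used: date       # last recorded use of the access

def overall_level(tp):
    """Highest level among the risk types mapped to this party."""
    return max(tp.risks.values(), key=LEVELS.get)

def audit(parties, today, stale_after_days=180):
    """Return (name, level, findings) rows, highest risk first."""
    rows = []
    for tp in parties:
        findings = []
        excess = tp.granted - tp.needed
        if excess:
            findings.append("excess access: " + ", ".join(sorted(excess)))
        if (today - tp.last_used).days > stale_after_days:
            findings.append("stale access: unused since " + tp.last_used.isoformat())
        rows.append((tp.name, overall_level(tp), findings))
    rows.sort(key=lambda r: (-LEVELS[r[1]], r[0]))
    return rows

# Constructed sample matrix.
PARTIES = [
    ThirdParty("Old Web Agency", "subcontractor, site maintenance",
               {"data theft": "low"},
               {"cms", "customer_db"}, {"cms"}, date(2017, 3, 15)),
    ThirdParty("Acme Payroll", "vendor, processes personnel data",
               {"data theft": "high", "regulatory": "medium"},
               {"hr_records", "payroll"}, {"hr_records", "payroll"}, date(2018, 11, 1)),
    ThirdParty("Courier Co", "partner, receives delivery data",
               {"service interruption": "medium", "data theft": "low"},
               {"shipping_addresses"}, {"shipping_addresses"}, date(2018, 10, 30)),
]
TODAY = date(2018, 11, 15)

if __name__ == "__main__":
    for name, level, findings in audit(PARTIES, TODAY):
        print(f"{level:<6} {name:<15} {'; '.join(findings) or 'ok'}")
```

A low-rated party can still carry the most urgent findings, as the constructed agency entry does here, so the findings column deserves review independently of the risk level.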

 

5. What Technologies Can I Use to Help With Security?

Ultimately, control rests with your organization. You can control the parties with access, the types of access, and the assets that can be accessed. Here are some tools to deploy to assist with that control:

 

  • Encryption is effective in protecting data stored in your systems and transmitted to other parties. Encryption need not be applied to everything, but high-risk information merits investment in encryption tools.
  • Two-factor authentication is another consideration. If you use multi-factor verification tools for internal access, you most certainly should do the same for external access.
  • Risk-based authentication goes a step further. Rule-based access, such as only allowing access from a particular domain, can be incorporated into your security plan. If an access request does not meet the pre-defined rules, additional authentication layers are applied.
  • Monitoring networks is a wise move. Monitoring what is accessed and by whom allows for a better understanding of information transfer. Firewalls that inspect data packets and issue alerts when unauthorized data are in play help prevent unwanted extrusion.
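An added example, not part of the original article: the risk-based authentication rule from the list above (access from a particular domain, with extra authentication when the rule is not met) as a decision function. The domain, asset names and request fields are hypothetical, and the source hostname is assumed to have been verified upstream, since an unverified reverse-DNS name is controlled by the caller.

```python
ALLOWED_DOMAINS = {"partner.example"}      # hypothetical partner domain
ASSETS_IN_SCOPE = {"orders", "shipping"}   # assets this party may access

def domain_allowed(host, allowed=ALLOWED_DOMAINS):
    """Match on a DNS label boundary, not on a bare string suffix.

    A plain endswith("partner.example") check would also accept
    "notpartner.example", so the leading dot is required for subdomains.
    """
    host = host.strip().rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

def decide(req):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    # Hard failures: wrong credentials or an asset outside the agreed scope.
    if not req["credentials_ok"]:
        return "deny", ["bad credentials"]
    if req["asset"] not in ASSETS_IN_SCOPE:
        return "deny", ["asset out of scope"]

    # Pre-defined rules; only the domain rule comes from the article.
    failed = []
    if not domain_allowed(req["source_host"]):
        failed.append("source domain not on allow list")

    if not failed:
        return "allow", []
    # Rules not met: an additional authentication layer is required.
    if req.get("extra_factor_ok"):
        return "allow", failed
    return "step_up", failed

if __name__ == "__main__":
    # Constructed requests.
    for host in ("vpn.partner.example", "notpartner.example"):
        req = {"credentials_ok": True, "asset": "orders", "source_host": host}
        print(host, decide(req))
```

Returning the failed rules alongside an allowed step-up lets the monitoring described in the last bullet record why the extra factor was requested.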

 

6. What Documentation Does My Company Need?

When you’ve determined your guidelines, policies and rules, be sure to put them in writing. Make them a part of your new contracts and insist on amendments to any existing agreements with third parties. Contractual guidelines help to protect companies from litigation as more plaintiffs go after multiple parties in the case of a data breach.

 

Not all contracts need to be the same when it comes to data access provisions, although it is good practice to establish a baseline of minimum requirements in all applicable third-party agreements.

 

With the growing threat of cyber attacks, an active approach to data security is a way for organizations to mitigate risk and ensure that data stay in the right hands.

Top Data Breaches In The First Half Of November 2018

 

Data breaches never fail to stay at the top of news headlines, and these are news headlines that should be highly regarded if you are a business owner. According to the ID Theft Center, there were at least 1,579 breaches, which was a 44.7 percent increase from the year before.

 

 

A Look at Early November 2018 Data Breaches

 

The astounding uptick in data breaches is expected to continue as a trend for 2018, and the first half of November 2018 has already shown multiple problems. Take a look at some of the breaches that have occurred already in November for 2018.

 

Ontario Cannabis Store/Canada Post

 

The legalization of cannabis across the country in Canada brought about a lot of prickly, unfamiliar situations for consumers and business owners. However, to worsen matters, their new and booming industry took a hard hit because of a massive data breach during the first part of November. The data breach was in the form of a hacker who managed to get into Canada Post’s delivery tracking tool.

 

Customers who had purchased cannabis for mail delivery from Ontario’s Cannabis Store had their information exposed. This data risk is considered severe because those in the up-and-coming cannabis business in the country could face concerns with consumers about the privacy of their personal information. This data breach affected as many as 4,500 customers.

 

HSBC Bank USA

 

Domestically, a significant data breach with one of the top names in banking left financial institutions and consumers alike a bit fearful. HSBC Bank had multiple customer accounts compromised. To date, the number of accounts compromised and customers affected has not been disclosed. Nevertheless, this has been considered a severe data breach because the data taken can be severely damaging to consumers who hold accounts at the institution.

 

The risk to related businesses because of this kind of breach is pretty massive. Banking customers place money in their accounts because they trust the institution will keep it secure. This kind of data breach with one of the world’s largest banks does not fare well in the minds of consumers; it only lessens their overall faith in banking systems as a whole. So far this year, financial institutions have taken a hard hit.

 

Other Data Breach News Around the Globe for November

 

Pakistan had an epic fail in November with hackers managing to get the account information of at least 8,000 banking customers. This data breach didn’t just affect one bank; it actually affected customers from ten different banks across the country. The stolen data has already shown up on the Dark Web as records for sale for prices between $100 and $160 per record. So far, the cybercrime division in Pakistan has found more than 11,000 records.

 

Noteworthy Data Breaches So Far in 2018

 

The new November 2018 data breaches are added to a growing list of breaches that have already occurred for the year. Facebook was perhaps one of the most publicized data breaches for the year. In April of 2018, at least 87 million records were breached, and it’s most probable that there were far more. Orbitz also had a considerable catastrophe when travel booking accounts were hacked, leaving something like 880,000 customers’ payment cards exposed.

 

Data Breaches in 2017

 

Numerous businesses in the past have had problems with data being compromised, especially in 2017. There were at least 16 data breaches for major retailers, according to Business Insider, including Macy’s and Adidas, to name a few. Sears even had a data breach in April that affected at least 100,000 customers who had their credit card information compromised. Restaurants were also hit with data breaches in 2017. Sonic and Panera Bread were two of the most noteworthy.

 

So far this year, the numbers of data breaches have exceeded those in 2017 by a long shot, which just shows how much of a risk data breaches are continuing to be in spite of considerable efforts to stop them. All business owners should amp up their security efforts and keep a close eye on data, so it is rightly protected.