We’ve heard a lot about data breaches lately. As I recall, 2014 started out reeling from news of the Target payment card compromise. We wrapped up the year with news of the Sony Pictures Entertainment hack, which was intriguing, horrifying and perhaps even an assault on American constitutional freedoms (depending on your perspective). Then, in early 2015, we learned about health records being stolen from Anthem, one of the largest healthcare companies in the United States – which showed just how personal these breaches can get.
It seems like we are hearing about a major data breach just about every month. Personally, I’m not sure if data breaches are actually going up, or if we’re just getting better at detecting the indicators of compromise. According to Trustwave’s Global Security Report, in 2013 a whopping 71% of individuals or companies didn’t even know that their data was stolen.
We can keep going on about recent news and statistics all day, but the point isn’t to scare you too much. What I really want to do is explain what a data breach is (and what it isn’t), how to reduce your risk, and what to do if it happens to you.
What is a Data Breach?
Plain and simple, a data breach occurs when sensitive or private information is seen, stolen, or used by someone who is not authorized to do so. A data breach is not the same as data loss (e.g. a hard drive crash or an accidental deletion), a system compromise, or identity theft, although a data breach could be an underlying cause or effect of any of those things.
Who do Data Breaches Usually Target?
While there’s no single answer to this question, data breaches tend to target specific types of information because of their value. The overwhelming majority of stolen information is financial: payment cards, financial credentials, or personally identifiable information such as social security numbers. From that, we can extrapolate which types of organizations are more prone to attack than others.
According to the Trustwave report:
- 45% of data thefts involved financial data not related to payment cards (i.e. bank account login information, or customer records)
- 54% of data thefts involved websites that process payments for customers
- 33% of data thefts involved point-of-sale (POS) systems (that’s right – even if you don’t process cards online, you still have a 1 in 3 chance of being victimized)
- 59% of data breach victims reside in the United States, followed by the United Kingdom (14%) and Australia (11%)
- 35% of data breaches were in the retail industry, followed by food and beverage (18%) and hospitality (11%)
The brutal facts are there. If you own or operate a consumer-focused business in the United States, it doesn’t matter if you collect payments online or not; you need to be thinking about how to protect yourself from a data breach.
How Do I Prevent a Data Breach?
Each business needs its own set of tailored security controls in order to be adequately protected, but there are a couple of things that you can do right away to protect yourself.
Be careful of malicious links and attachments. Don’t open an e-mail, a file, or a link if you don’t know where it came from. This is the leading method for an attacker to get you to download nefarious software onto your computer. Once that software is installed, the attacker has a free pass to search your system for confidential data. Don’t fall for it. Also – you’re only as strong as your weakest link, so if you have employees, make sure they do the same. Otherwise, they’ll be leaving the front door wide open. It doesn’t matter whether that employee has sensitive data on their specific computer; everyone who accesses your network is a liability.
Use strong passwords. According to Trustwave, weak or default passwords were responsible for about one-third of compromises leading to data breaches. A strong password consists of a minimum of seven characters and a combination of upper- and lower-case letters, symbols and numbers. I recommend setting a password policy on your server that forces your users to set secure passwords. For organizations that handle exceptionally sensitive data, including private customer information and financial data, I recommend using two-factor authentication.
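Here is what enforcing that policy looks like in code. This is an added example and not code from the original post: it checks a candidate password against the rules stated above (at least seven characters, upper- and lower-case letters, a number and a symbol) and additionally rejects a handful of well-known default passwords, since the Trustwave figure covers defaults as well as weak choices. The `DEFAULT_PASSWORDS` list is a constructed, illustrative sample; a real deployment would load a much larger denylist.

```python
"""Password-policy checker for the rule given in the post:
minimum seven characters, mixed case, at least one digit and one symbol.
Also rejects known default passwords. Added example, not the post's own code."""
import string
from typing import List

MIN_LENGTH = 7  # the minimum stated in the post

# Constructed sample of vendor/default passwords (assumption: illustrative only).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "welcome1", "changeme"}


def check_password(candidate: str) -> List[str]:
    """Return the list of policy rules the candidate fails; empty means accepted."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no symbol")
    # Default passwords are compared case-insensitively so "Admin" is caught too.
    if candidate.lower() in DEFAULT_PASSWORDS:
        failures.append("matches a known default password")
    return failures


def is_acceptable(candidate: str) -> bool:
    """True only when every rule passes."""
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed sample inputs to show the checker's verdicts.
    for sample in ["password", "Ab1!", "Tr0ub4dor!"]:
        problems = check_password(sample)
        verdict = "accepted" if not problems else "rejected: " + ", ".join(problems)
        print(f"{sample!r}: {verdict}")
```

Wire a check like this into the account-creation and password-change paths on the server, and log only the verdict, never the candidate password itself.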
Figure out what and where your sensitive data is, and lock it down. Protecting your critical data means first figuring out that it’s critical. Sit down and make a list of all of the information that if compromised can cause you serious problems. Then, figure out where it’s stored. Finally, take steps to lock it down. Is access to that data limited to only you or just a few people? How is it accessed? Does it require a username, password, or more? During this exercise, think like an attacker. How hard would it be to find your way in?
Plan your response. Regardless of how much you protect yourself, no solution is 100% foolproof. Therefore, it’s important to think about how you might detect if something has gone wrong, and how you’ll respond. Studies show that victims who detect and respond to a data breach sooner can reduce cleanup time by up to two weeks.
I Think I’ve Been Hacked. Now What?
If you think you might be the victim of a data breach, you need to take action right away, which might involve getting professional help. Depending on your business and the possible consequences of a breach, you may need to consider multiple options, such as:
- Contacting law enforcement – which may lead to gathering more clues and evidence
- Taking immediate steps to contain the damage – which might even include temporarily disconnecting from the network
- Cleaning your systems and patching vulnerabilities – depending on the severity of the compromise, you might need to completely re-install software on the affected systems
- Recovering lost data or files – hopefully you have a working backup that you can restore from, because you may well need it
- Reaching out to the stakeholders of your sensitive data, including employees, partners and customers, to notify them of the breach and tell them whether they need to take action
- Learning from the compromise and taking proactive measures to prevent similar incidents from occurring in the future
As I mentioned earlier, you can have iron-clad security and still be the victim of a breach, or you can have virtually no security measures and get lucky over and over again. It’s just like a physical security system; having a state-of-the-art alarm might not save you – but it sure does help your chances. The best thing to do is to plan; put countermeasures into effect that will reduce your risk of compromise, and know what to do in case it happens. That way, you can treat security as a part of your business rather than a catastrophic event that could potentially put your operations in jeopardy.
If you need someone to help you think through how to prevent a data breach or respond to a breach in progress, 7 River Systems can help. Visit our Contact page to get in touch with us.