Earthquakes and floods are the usual suspects that come to mind when thinking about disasters that affect a business.
Unfortunately, there are other unforeseen circumstances as well which could lead to similar consequences. Some occur naturally, while others are man-made.
Recollecting Some Recent Data Breaches
In 2015, a wine store in Calgary, Canada was attacked by hackers who infected their databases with malware and demanded $500 in Bitcoin to regain access to their systems. Bitcoin is a form of digital currency which is comparatively difficult to trace.
Although the amount demanded was $500, the store owner had to face a loss of $5,000 to $6,000 as he also had to pay the IT company and the software dealer who helped him resolve the issue.
The incidents only got worse in 2016. In May, Threatpost reported that three dozen global enterprises were breached by attackers. They were exploited due to a single vulnerability the hackers found in SAP business applications which were being used by these enterprises.
Worse still, these attacks, which only came to light this year, had been carried out since 2013 across corporations in the United States, the United Kingdom, Germany, China, India, Japan, and South Korea, and spanned 15 critical industries.
Also this year in May, Kansas Heart Hospital in Wichita found itself a victim of cyber crime. It was a ransomware attack, and the hospital was forced to pay an initial amount of $17,000, only to find itself at the attackers’ mercy again when they demanded a second payment to have the data returned/released.
Data breach examples remain incomplete without the inclusion of probably the single biggest data breach ever.
The data breach wherein more than 500 million user accounts were stolen was confirmed by Yahoo this year. While it was only announced this year, the actual data breach took place in 2014!
According to a report by Recode, the stolen information included names, emails, telephone numbers, dates of birth, hashed passwords, and security questions and answers.
Yahoo claimed no financial information was stolen. Nevertheless, Yahoo did withhold this information which cost them their reputation, users and also a buyout deal by Verizon.
This is only a fraction of the hundreds and thousands of cyber attacks taking place each year resulting in leaks of millions of records.
How can you avoid them?
Unfortunately, there is no such thing as being 100 percent secure. In some of the smaller breaches like the Calgary wine store, clearly the systems were less secure and hackers were able to take advantage of that vulnerability.
Judging by the size of the business, they also demanded a ransom they knew was within the owner’s reach, and the probability of getting paid was higher. Store owners most likely do not have the same level of security that big organizations do.
The Kansas Heart Hospital, on the other hand, is an example of how giving in to cyber criminals’ demands is not a good idea, as you never know if and when the demands will ever end.
It is very difficult to comment on the Yahoo incident as they claim the breach to be a state-sponsored attack, while most information security experts flatly refuse to accept their claims.
These attacks are a reminder that cyber criminals do not care much about the size of the business in most cases, especially if they are able to find a vulnerability they know they can exploit.
Now is as good a time as any to re-evaluate your organization’s security policies and procedures. Below is a typical but effective plan to secure a business from such threats.
Steps to avoid a Data Breach
1. Backup data
Data Backup is the most basic step a company can take, one which does not even require regular intervention (unless it is an in-house backup solution).
Once a company enters into an agreement with an online backup service vendor, the vendor is pretty much responsible for carrying out the automated backup process.
2. Create a Disaster Recovery plan
A Disaster Recovery plan is an overarching concern, of which data backup is but a small part. A good disaster recovery plan effectively backs up data, restores data in case of disaster, and provides infrastructure and systems (if part of the agreement) to help you keep your business running.
And all of this is done within a specified timeframe to ensure that an enterprise suffers a minimum possible downtime.
3. Vulnerability Assessment
It is necessary to conduct a vulnerability assessment on a regular basis, as it points out any new flaws in a system or software package, or possibly an old flaw which went undetected or unnoticed in a previous assessment.
These assessments also help to keep insider threats at bay, making these individuals think twice before causing the company any harm.
4. Patch Management
It is imperative that the IT security team install patches released by operating system vendors. Cyber criminals these days have a database of zero-day vulnerabilities.
It is possible that some of these patches contain fixes for such vulnerabilities; however, the vendor may refrain from announcing it, referring to the patch only as a “highly recommended update”.
5. Security Policy
A security policy is a compendium of policies detailing steps to be taken in case of a security event. Different departments are expected to carry out the responsibilities pertaining to them.
6. Identity and Access Management
Identity and Access Management (IAM) imposes strong restrictions on users in terms of accessing their assigned systems and applications.
This restricts them from accessing confidential information for which they have not been authorized. It also restricts outgoing and former employees from accessing data they are no longer authorized to access.
7. Security awareness programs and activities
The only thing which can still affect a company despite a strong security policy is an employee’s unawareness.
Most companies do not educate their employees on the steps the company follows, or on the steps employees are expected to take to keep their own and the company’s confidential data safe from outside threats.
8. Documentation of data and its storage
With the adoption of cloud computing, many businesses segregate the storage of their data. It is necessary to document where all files are stored and who the authorized users are for each of these files, in addition to how they are accessing them.
A large amount of data is exchanged or transmitted each day amongst all businesses. Without the use of an encryption algorithm, or if using a weak encryption algorithm, hackers can easily read any intercepted data.
It is fair to presume that any data exchanged within a company or between a company and client is confidential.
10. Restrict downloads
Businesses that do not regulate the internet services provided to their employees have to pay far more than just exceeded bandwidth costs.
Employees frequently take the liberty to browse social media, post confidential announcement updates, stream movies (affecting productivity) and, in the worst cases, download media from torrent or shady websites loaded with adware and spyware.
11. Destroying data before disposing
In the old days when companies used to dump all their discarded documents and media in the garbage bin outside the company, thieves would steal them.
They would examine all the dumped information in the hopes of finding something that could help them exploit the company. Companies should make sure they thoroughly destroy all paper documents, media, hard drives, etc. before discarding them.
IT security can be a daunting task. While some aspects require attention on a daily basis, some may be outsourced and would only need attention when reports are released.
However, compared to what a business has to go through in the face of a data breach, these tasks look quite easy.