How often do you hear news of data breaches or cyber-attacks?
- 2017 Average Cost of Data Breach – $3.62 Million – securityintelligence.com
- Personal data of 143 million Americans exposed in hack of credit reporting agency Equifax – washingtonpost.com
- Target had 40 million credit and debit cards stolen, exposed the personal information of 70 million shoppers and experienced a 46% drop in profits in Q4 2013 – krebsonsecurity.com
- Hilton’s $700k fine resulting from two breaches in 2015 could be as much as $420 million under the new laws.
- The FTC estimates that recovering from identity theft takes an average of 6 months and 200 hours of work.
Almost daily you can find a news item indicating a new threat or attack. For business leaders, having the information needed to make sound decisions is key to protecting your business. The following information is intended to provide a better understanding of the threats to businesses and the tools available to protect your business.
WHO? Identifying who the attackers are is the first step towards protecting your business. Due to the nature of the internet, cyber-attacks can come from anywhere. The attackers can be nation states, criminal organizations, disgruntled employees, hacktivists, or the kid next door.
Of all of the attack sources listed, the most difficult to defend against is the disgruntled employee. Because they have already bypassed most or all of the technological defenses put in place, policies and procedures become your best defense. And developing detailed policies and procedures will help your employees to understand the risks and take the necessary precautions to prevent outside attacks from happening as well.
WHAT/WHY? Businesses also need to identify what the attackers are after. Some attackers are after monetary gains, some are motivated by ideology, and some are simply malicious acts of vandalism. This often ties directly back to who the attacker is.
Most people immediately think of the financial losses when considering cyber security breaches. Not only can there be direct financial loss, but each of the other types of loss described below can also cause additional financial losses.
Loss of data can range from ransomware attacks to damage to hardware. Here the additional financial loss can be in the ransom paid to restore data, the internal costs of restoring data from backups, and even the costs of replacing storage devices and hard drives.
Loss of intellectual property can range from proprietary information to large scale theft of data, such as the Netflix hack that ransomed “Orange is the New Black” and released it to the internet. In losing this type of data, businesses lose any income that would have been a result of a product or service that is now available from other resources.
Loss of productivity can come in many forms. If automated systems are targeted, then production processes can be shut down. Sales can be affected by disruptions in websites or point-of-sale systems. If systems and data need to be restored, employees may be unable to perform their duties for an extended period of time.
When privacy data is compromised, whether it be employee or customer data, there can be long-term problems for those with compromised data and possible legal action against your business for the mishandling of data. Identity theft can cause damage not only in the form of debt, but also in ruined credit that can take years to repair.
The damage to the reputation of a business that has suffered a breach in data security can be crippling. Rebuilding the trust of employees and customers is sometimes a hurdle that cannot be overcome. The best plan for businesses is to prevent any of these losses through security and education.
WHERE? HOW? Understanding how the attackers are gaining access to your data will assist in setting up solid lines of defense. Let’s begin with the internet. The internet is an amazing tool. You can access the internet using telephones, tablets, laptops and computers – giving you instant access to information and communication, and allowing you to work from anywhere in the world. There is no governing body that monitors the internet for bad behavior, malicious intent, or illegal activities. This means that the job of defending your business is up to you.
Internet connections, Wi-Fi networks, websites, email, USB thumb drives and smart phones all provide a path that can be used to gain access to your data and systems. The access can be legitimate, but it could also be an attack. Defending these paths to your data requires a combination of technology, education and policies.
Firewalls provide a technological defense by limiting the types of data that can use the path between your office and the Internet. Using encryption and strong passwords on your Wi-Fi networks and email can provide defense by protecting your network, data and systems from unauthorized access. Encryption can also protect data in the event of lost or stolen devices and equipment.
Social engineering and social media are used to find weaknesses in policies and procedures in order to gain access to data or to make financial gains. When the information posted on social media is limited, attackers have a harder time finding the information they would need in order to steal credentials or make requests while impersonating a business executive.
The physical threats to your data come from systems not being secured from improper access. It does no good to have a password on a system when the password is then written down and left where it can be easily accessed. Data on any movable device (laptops, tablets, cell phones, and USB thumb drives) should always be encrypted in the event the device is ever lost or stolen. USB drives from unknown sources should never be connected to your computers.
Viruses, Malware, and Spyware can reach you in many different ways. By clicking an unknown link, opening an unexpected email attachment, or even filling out a form online, you may be opening yourself up to an attack. Making sure your systems and software are kept up to date will help to defend against attacks and vulnerabilities.
Insider and privilege misuse come down to education, policies and procedures. No one wants to believe that an employee or affiliate would compromise or steal data. However, the reality is that it does happen, and it is the most difficult type of data breach to prevent and overcome.
HOW DO YOU PROTECT YOUR BUSINESS? Ask yourself the following five questions to see where you are and what areas may need to be addressed in order to protect your business:
- Are my employees adequately educated about digital threats?
  - Educate yourself and your employees to be aware of the sources of attacks.
  - Do not use open Wi-Fi networks in public places.
  - Never trust email.
  - Limit the data you share on social media.
  - Develop a system to alert employees of threats.
  - Verify the identity of anyone requesting access to data/systems.
- Is my business’s cyber-security system robust?
  - Install a reputable firewall and configure it correctly.
  - Protect Wi-Fi networks.
  - Maintain a reputable antivirus program.
  - Keep computers up to date.
  - Restrict administrator access to computers.
- Are my employees’ mobile devices and personal computers secure?
  - Use VPN to access networks remotely.
  - Secure mobile devices and only install apps from trusted companies.
  - Do not allow employees to use their own computers or mobile devices.
  - Use multi-factor authentication.
- Is my business protected from emerging threats?
  - Use identity theft monitoring services to alert you of suspicious activity.
  - Use intrusion detection and intrusion protection systems in your network.
  - Subscribe to reputable notification services to alert you of new threats.
  - Audit your network, systems, and policies on a regular basis.
- What can I do right now?
  - Develop policies for financial transactions that do not rely only on email or text.
  - Never send sensitive data without encryption.
  - Require strong passwords.
  - Have an outside party audit your network, systems, and policies.
QUESTIONS? If you would like more detailed information or would like information on how NortheastTel can help your business with Cyber-Security, please call or visit our office today!
(318) 874-7011 • 6402 Howell Avenue, Collinston, Louisiana, 71229