The term data breach has become part of our world’s common vernacular. It affects businesses of all types and sizes, and is something that none of us are immune to. However, like all things in business, trends frequently change when it comes to cyber attacks, which is why it is imperative that we all stay engaged in this conversation, share information, and remain educated about what the common threats are, who is at risk, and most importantly what we can do to actively protect ourselves and our businesses from cyber threats. This blog will discuss these topics, and more.
For this article we took a dive into Verizon’s 2015 Data Breach Investigations Report in order to better understand the current state of global cyber security issues. According to the report, businesses from across the world suffered tremendous losses last year. It estimated that the financial loss from the 700 MM compromised records topped $400 MM and affected sixty-one countries. While sixty-one countries may sound like an extreme number, the reality is that sixty-one is a significant decrease from 2014, when the number of countries affected was ninety-five. Well, let us take a minute to say bravo to the thirty-four countries who got it together last year! But that is not to say that the other countries that suffered losses didn’t take huge steps to ramp up security. More likely than not, it is really just a side effect of doing business, and obviously the countries with more business activity are going to rank proportionally on the attack scale. More business equals a bigger target; it’s pretty simple. And it is worth mentioning that “no industry is immune to security failures.”
It’s no longer a surprise when we hear news of another big business being hacked and suffering monumental financial losses. We all remember the breaches involving Target, Sony, Anthem, and Home Depot being in the news over the past few years, spurring a massive public discussion about cyber security. That discussion has resulted in increased awareness of the subject, which really is the only good thing to come out of the attacks. On the flip side, for the handful of attacks that hit the news and seem to spin the media into a frenzy, there are millions that go unnoticed in public forums, affecting everyone from government institutions and universities to privately held SMBs and large public companies.
Last year the top three industries attacked were public services, information services, and financial services, but the top three industries that suffered data loss were public services, manufacturing, and financial services. Wait a minute, manufacturing? Where did you come from? Well, it is important to acknowledge that not all businesses that are attacked suffer a loss, which is probably how information services slipped by on the data loss side of things. When proactive steps are taken to protect private information before an attack happens, the business is more likely to come out unaffected. Once again, “no industry is immune to security failures.”
So, if “no industry is immune to security failures,” how do you know if you and your business are at risk? The short answer is: if your business exists, you are at risk. The long answer is much more complex, but there are key factors and trends that we can watch to better assess our own situations.
Reportedly, the primary threat actors have not changed much over the past five years. Not surprisingly, the majority of attacks come from external actors, less than 20% come from internal issues, and a very minimal number come from outside partners. This has remained true for some time now. So, what has changed?
Today, “in 70% of the attacks where we know the motive for the attack, there’s a secondary victim” (Verizon, 2016). That means that when an attack happens, your business might not be the true target of the attack but just a means to an end. Perhaps the target is a larger company that you do business with, or someone that your website could potentially attract. Regardless of whether you are the target or simply a conduit for the attacker to infiltrate another business, it is important to know that if you are involved in any way, you could suffer financial consequences. Flash back to the Target breach of 2013, where the attackers actually entered Target’s system by using malware called Citadel that was installed through an email phishing attack on a small vendor who did business with the retail giant. The vendor’s credentials were stolen in order to hack into Target’s POS system, and we know how that ended up: a complete disaster for Target, Target’s customers, and the vendor. So this teaches us that “no industry is immune to security failures!”
We’ve learned through the Verizon Report that regardless of how the threat is delivered (malware, phishing, RAM scraping, etc.), the facts are that in 60% of cases, attackers are able to compromise an organization within minutes. They can jump from the initial victim to the next in less than 24 hours, and nearly half will spread to organization number two in less than one hour.
What can you do to prevent this?
Experts like Lance Spitzner, Training Director at SANS Securing The Human, say that “one of the most effective ways you can minimize the phishing threat is through awareness and training.” We say that goes for all types of security threats. Ensuring that you and your team have the skills and tools needed to protect yourselves can make a world of difference should an attack occur. So, if nothing else, take this away from this article:
- Don’t sit around and wait for the attack, then scramble in an effort to recover. As a company leader, waiting could cost you your job or result in the failure of your business. Instead, take a proactive approach and develop a protocol for protection and secure document retention. Store your critical business documents in an encrypted and secure location, like an online data room. Using software with built-in security features like two-factor authentication, full encryption of data, and controlled sharing helps eliminate risk from outside parties and allows you to gain insight into how a breach occurred: whether it was from an internal source or through an outside partner.
- Don’t take the “this won’t happen to me” approach. Take the time to educate yourself and your team on security best practices, and develop an awareness program. There are plenty of detection tools out there, like SecureDocs Virtual Data Room client Lastline, which has built a business around detecting malware and other outside threats. Most of all, talk about security. If something odd happens, speak up, and empower your team to do the same.
- Don’t open suspicious emails or their attachments. You may think that the days of phishing are behind us, or that phishing only comes in the form of a strange email from a foreign country saying something about a friend, relative, or co-worker needing money, but that is not true. Those types of emails still exist, although most people are savvy enough now to check before engaging with that sort of thing. What is also important to realize is that today’s phishing scams are much more sophisticated. They may look as if they come directly from a business or service provider that you regularly engage with. They may even include some of your personally identifiable information (name, address, account number), but don’t be fooled. Err on the side of caution, and always go directly to a company’s website by typing the URL yourself; no hyperlink clicking!
We encourage you to do your due diligence when it comes to your professional and personal security. Ask questions, raise an issue if you feel something is not being properly addressed, and take measures to organize and secure your business today. And one last time, remember, “no business is immune to security failures!”