Look at the biggest data breaches of 2016 and a common theme emerges: pile it high, sell it cheap.
The hacking stories of the year involved tens of millions of stolen user accounts from the likes of LinkedIn, Yahoo, Tumblr and Twitter. But when those stolen accounts appeared for sale on the Dark Web, they were sold in bulk for a few thousand dollars a time – typically $100 for 100,000 user credentials.
There is a clear lesson for businesses. Don’t expect to lose one or two confidential files. When a data breach happens, expect a full-blown smash and grab of everything you’ve got.
Under those circumstances, it’s little surprise that 60% of small businesses don’t survive more than 6 months after the loss of confidential files.
You’re not just explaining to one customer that something’s gone wrong. You’re having to explain it to them all.
So, while your team is trying to close the breach in your network; you’re engaged in disaster management with your entire client-base. But don’t believe that the end of the criminal supply chain – the hackers and extortionists – is where your problem starts. The problem starts inside your business.
The insider threat
A year ago, analysts at Experian issued a stark warning: “Although there is heightened sensitivity for cyber-attacks amongst business leaders, a majority of companies will miss the mark on the largest threat: employees. Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls.”
Hackers need help. They need employees to be a little careless: leaving old legacy systems and servers in play when they should have been decommissioned. Maybe they’re one of the many millions who use weak, easy-to-crack passwords like … “password”, which has been among the world’s most common log-in credentials for the last five years running.
There’s a risk from the loss of portable tech – with thousands of laptops, smartphones and USB memory drives containing company data disappearing every year. But when we talk about Bad employees, we’re not talking about careless or lazy. We’re talking calculated efforts to extract confidential data – financial records, customer lists, employee files, product designs and intellectual property – and either sell them to competitors or use them to start a rival enterprise. Heard the story about a finance director’s $1million dollar scam? Often the damage is done before it gets spotted.
But the real sting is that Good employees get caught out too. US law enforcement reports that the “Business Email Compromise” has become a global threat. This fraud takes advantage of good employees by conning them with a fake email that seems to be from their boss – asking them to pass on confidential information or make a bank transfer. The FBI says it has cost American businesses $740million since 2013 – and the cost is set to rise.
The four-stage solution
Faced with these three behavior patterns, businesses need to act in a variety of ways to mitigate the risk of data loss.
- Review
Do you know where all the confidential data is within your organization? Naturally, different departments and employees draw down sensitive files during the ordinary course of their work. Does that mean there will be “working copies” of customer records, even employee files, saved on employee desktops, laptops or external drives? The first step to cutting the risk of data breach, is knowing where the data is you need to contain.
- Deploy
Data loss prevention technology can lock-down confidential information and prevent unauthorized copying, sharing or saving. The best approach to data security is “minimal access” – give staff network and data access only to the information they need. If you’ve got the right solution in place, you’re helping to prevent data leaks from the moment staff start the working day and switch on their devices.
- Train
Do you ever talk to your staff about security? Do you train them? One study found that barely more than half of organizations advise their workforce about best practise – even setting tough-to-beat passwords. You need to bring staff up-to-date with hacker tactics and how data breaches happen.
- Persuade
But it’s not just you … you need to worry about the organizations you work with too. You need to take an evangelical approach to security and ask your business partners and suppliers to be rigorous in their defense of the data they hold – particularly about your organization, customers and contracts.
It’s an old cliché of management that employees are a firm’s greatest asset. That’s true. But unless you equip them with good information – and equip your business with sound defensive technology – they could be your biggest liability too.
[su_box title=”About Luke Walling” style=”noise” box_color=”#336588″][short_info id=’97533′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.