The Top 5 Data Breach Vulnerabilities

This article is more than 8 years old.

In previous blogs I've focused on some very specific data breaches and specific defense mechanisms. I often find CEOs, particularly owners of small businesses, who don't know how to approach security, or even whether they have a firewall in place. I often hear the response "my IT guy handles that", which more often than not in small business turns out to be a young person with very little IT and zero security experience. In this blog I'll explain five key areas that a CEO needs to understand to have a holistic approach toward their data security. Note that one of the 5 categories isn't "Your Networks". We all intuitively understand that our networks are vulnerable, but we often don't take into account the other vulnerabilities that cause our networks and data to be compromised. In future blogs I'll delve into specific types of attacks and defenses at a C-level, to provide the understanding required to assess the threat and determine what resources are appropriate to mitigate the risk to your business.

In today's environment, with daily reports of new data breaches that cause CEOs to be fired and businesses to suffer existential losses, it's critical that every CEO of companies large and small understand information security. According to IBM research, the average cost of a data breach totals around $3.8 million. 77% of businesses reported a data breach in the last 12 months, and worldwide estimates of total data lost to cyber crimes range from the high hundreds of billions of dollars to over $1 trillion. What's frightening is that a staggering 63 percent of businesses don't have a mature system in place to track their sensitive data. Are you one of these businesses? Equipped with the proper knowledge and security tools, you can secure vulnerable areas of your business and minimize your risk of a data breach. Start by reviewing these top cyber vulnerabilities and solutions.

Your Employees

If you thought hackers were your biggest security risk, think again. Internal attacks are among the top threats, partially because it's incredibly easy for people who already have access to sensitive data to abuse it. As I've mentioned in previous blogs, the FBI presented guidance on how to combat the "insider threat" at the Black Hat hacker conference several years ago. You're also at risk of having physical data and devices stolen by less-than-happy employees.

To minimize your risk of internal attacks from disgruntled employees, be sure that all user accounts are current with regard to security access and employment status. As soon as you terminate an employee (literally within minutes, ideally prior to termination), they should no longer have access to your systems. It's a good idea to incorporate IT system access removal into the termination process so that it is done in real time. Even a delay of a day in removing access from a terminated and disgruntled employee could cost you significant losses. If you haven't updated your user accounts in some time, go through and immediately delete those that aren't in use, such as those that belonged to people who are no longer with your company. Also set a process for a monthly (at least) review of all accounts to look for any suspicious activity or rogue accounts. Then, develop a system that monitors these accounts for suspicious activity and enforces security controls on privileged accounts, such as strong passwords and two-step verification. Also have a system in place for tracking physical assets such as hard copies of important files, if you use them, as well as computers and devices that must be turned in after an employee leaves the company.

Similarly, careless or uninformed employees also pose a risk (e.g. easily guessed passwords on sensitive accounts, or accounts left logged in when no one is using the device). Even errors like sending a document to the wrong person can prove to be detrimental to your business. To reduce this risk, be sure all employees are thoroughly trained in security measures with mandatory annual training, and put strong policies in place, such as mandatory password change time frames and web filtering that restricts which types of sites employees can and can't visit from work computers, to mitigate the risk of malware downloads. A good firewall, Intrusion Detection System, and/or Intrusion Prevention System is absolutely mandatory for every business. There are cost-effective solutions for small businesses that incorporate many of the features required.

Unsecure Mobile Devices

Maintaining a high level of security around your business is tough when mobile devices are in use. This is especially true if you don't have a bring your own device (BYOD) policy in place, but employees still use their personal devices for work-related data (which is almost inevitably the case). When employees bring their own devices to work, it means you have less control over security, passwords, and application downloads that could pose security threats. You also don't know who has access to that device, such as the employee's family members. If you allow BYOD at your company (which by default you do, unless you restrict all work communications to work devices both technically and through policy), have a clearly written policy to make sure your employees are well informed about security threats as well as BYOD expectations. Having mobile security solutions in place that protect corporate data can help minimize the risk of a data breach as well. There are many mobile device management solutions available, from older companies such as IBM and Symantec to newer companies such as iBoss and AirWatch (acquired in 2014 by VMware).

Cloud Storage Applications

Placing your data and applications in the cloud can be convenient in many ways because it allows you to access your data from anywhere, often on multiple devices. However, this convenience can also widen the attack surface of your systems if it is not done with security in mind. Choosing a reputable cloud storage company that encrypts your data can reduce the risk of data leakage. Also look for ways to restrict access to cloud-based data and solutions using dual-factor authentication. While you may have to pay higher fees for additional security measures, it's usually money well spent. Also work through a security checklist for cloud implementations to ensure that all of the changed processes involved with cloud storage and access are validated for any security holes that may differ from the ones that existed when applications were hosted locally.

Third-Party Service Providers

Cloud storage companies are only one type of third-party service provider, but since outsourcing can be both cost-effective and convenient, it's likely that you're using multiple third-party service providers. Problems arise when their systems aren't secure and they have access to your information. For example, if you use third-party accounting software, a hacker could get into the provider's system and gain access to your financial records. This can happen when providers use low-security methods, such as a default password for all client accounts, resulting in the risk of stolen security credentials and a number of other threats. The Target breach has been widely reported to have occurred through the air conditioning vendor's systems, which had a connection to Target's internal networks. To reduce your risk of a data breach through third-party service providers, start by choosing a reputable provider. Require them to validate their data security procedures in their contract and, if practicable, have them assume all liability for any breaches that occur as a result of their systems connecting to yours. Even then, add an extra layer of security to your data by limiting their access to certain hours and to the minimum number of systems and networks to which access is required. It's also an important practice to disable your third-party accounts once you no longer need them.

Malicious Attacks

When you think "data breaches," the first thing that comes to mind is likely "hackers": people who maliciously attack your systems to get ahold of your data. One way to become vulnerable to these types of threats is to download malware. This is typically unintentional but often occurs when an employee clicks on a suspicious link or visits an untrustworthy website. Other times, a hacker might guess an employee's password and then send out seemingly trustworthy emails to other colleagues in an attempt to gather their passwords and sensitive data as well (aka phishing or spearphishing attacks). Having outdated systems also increases your risk of malicious attacks. Old or simply unpatched operating systems, for instance, often have widely publicized vulnerabilities for which even non-sophisticated hackers (i.e. "script kiddies") can download exploits. If your OS and applications aren't being updated frequently, it gives hackers more opportunity to exploit known vulnerabilities. Keeping your systems updated with the latest patches, including operating systems and browsers, will significantly reduce your risk of a hack. You must also equip your devices and endpoints with anti-virus and security software. That way, if an employee accidentally clicks on a suspicious file, the endpoint software provides another layer of security and another opportunity to prevent the breach. It's also crucial that you have a policy in place for alerting management to malicious attacks. Employees should be trained in spotting suspicious emails, and they should know who to report them to.

This post is intended to provide 50K-foot-level context on the factors to consider with respect to your company's data. Now that you have a better understanding of where your business might be vulnerable, you can start the process of creating policies and putting systems in place to mitigate the risk of a data breach and, hopefully, the damage that may occur.
