Author: Amit Khanna
In the battle to keep your crucial information secure, it's not just the hackers you should worry about but also the lax security and stupidity that these hackers rely on. Data breaches are on the rise, reaching a new record each year. The year 2014 is no different, with the most security breaches in a single year so far. It would not be wrong to call it the year of the data breach, considering that three of the eight biggest data breaches of the last decade happened in 2014. To put it in numbers, there is almost a 30% increase in security breaches every year, which is much more than the number of companies adopting stringent methods to prevent such breaches.
These breaches are not confined to any particular sector or geography; they are limited only by the needs of hackers and criminals, which makes them an epidemic. Even big players like Home Depot, JP Morgan Chase, Sony Entertainment and eBay have not been able to protect themselves from this epidemic. To understand the gravity of the situation, let's look at the major data breaches of 2014 and how much they affected the companies and their stakeholders (employees, customers, suppliers, etc.). You may be wondering what these stakeholders have to do with data breaches; surely that is the organization's problem. Not exactly! Most of these breaches steal not only the organization's data but also the personal information, and even the debit and credit card numbers, of stakeholders.
Since 2014 was the year with the most data breaches, a few of them need to be highlighted to show the severity of such attacks. These attacks differ not only in severity but also in the way the data was breached, so together they illustrate the different forms an attack can take.
- Sony Online Entertainment Service's breach is one of the worst corporate breaches, in which a large amount of internal data, including employees' personal information, passwords, upcoming movie scripts, upcoming movies and salary information, was exposed to the public. An attacker used sophisticated malware to get the information, but the way Sony stored employee information and security credentials was not up to par.
- JPMorgan Chase is another such case, which affected about 76 million households and 7 million small businesses. A hacker compromised the personal information by gaining access to the computer of an employee with special privileges.
- Home Depot, the world's largest home improvement chain, also faced a serious intrusion in which information on 56 million credit and debit cards was compromised. The criminal used a third-party vendor's username and password to enter the network and later acquired elevated rights on the system. The organization had to face a lawsuit of more than $43 million for this breach.
- The Internet Corporation for Assigned Names and Numbers (ICANN), which looks after the internet address system, was also attacked, by a mere spear phishing attack. A crafted email message was sent to employees from a domain similar to the organization's domain. This email compromised the credentials of several staff members.
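The ICANN case turned on a sender domain that resembled the organization's own. The following added example (not part of the original article) shows one way a mail filter could label such senders; `example.org`, the substitution table and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: example.org stands in for the organisation's real mail domain.
TRUSTED = {"example.org"}
# Character swaps that read alike at a glance, undone before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Lower-case a domain and undo common look-alike substitutions."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, max_distance=2):
    """Return 'trusted', 'lookalike' or 'external' for a From: header."""
    _, addr = parseaddr(from_header)  # the display name is ignored on purpose
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    # Assumption: subdomains of a trusted domain are under the organisation's control.
    if domain in TRUSTED or any(domain.endswith("." + g) for g in TRUSTED):
        return "trusted"
    for good in TRUSTED:
        if skeleton(good) in skeleton(domain):           # swapped characters or embedded name
            return "lookalike"
        if edit_distance(domain, good) <= max_distance:  # typo-style neighbour
            return "lookalike"
    return "external"

# Constructed sample headers, not taken from any real incident.
SAMPLE_HEADERS = [
    "IT Support <helpdesk@example.org>",
    "IT Support <helpdesk@examp1e.org>",
    "helpdesk@exarnple.org",
    "Payroll <payroll@example.org.mail-login.net>",
    "Newsletter <news@vendor-site.net>",
]

def flag_lookalikes(headers):
    """Return the headers whose sender domain imitates a trusted domain."""
    return [h for h in headers if classify_sender(h) == "lookalike"]
```

With a short trusted domain, a distance threshold of 2 will also match unrelated names, so the threshold should shrink with the length of the domain being protected.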
The data primarily includes personal information, credit and debit card information and, most importantly, data related to point of sale. So now the question is: what can an organization do to prevent such breaches? There are two ways of going about it. The first is filling all the loopholes in security, and the second, and most important, is learning from others' mistakes. Here are a few takeaways that can help you prevent such breaches in your organization.
- Educate your employees: Most security breaches would not even happen without an employee interacting with malware, spam email or other communication channels such as phone, SMS, etc. For example, in the case of ICANN, if even one employee had reported the phishing email that was sent, there would not have been any leakage. In cases like Home Depot, too, phishing is confirmed as the cause. It therefore becomes mandatory for organizations to put serious effort into educating their employees about such attacks and about the channels for reporting them, as employees are the weakest link in the chain of security. Also, 84% of large companies suffer phishing attacks, so educating employees becomes crucial for any organization.
- Employ internal and external firewalls: Proper firewalls need to be in place both internally and externally to prevent such breaches. Information on 94 million credit cards was stolen from the TJX network because it did not have any firewall. Firewalls are the front security gates, and by not putting them in place you are giving hackers a homely welcome.
- Focus on detection and response: Cyber security is a continuous process, so proper detection and reporting systems need to be in place to prevent such breaches. Many experts believe that focusing effort on detecting security breaches as quickly as possible and then responding appropriately helps to minimize the harm. Antivirus software and firewalls also need to be regularly and proactively updated to detect new intrusion methods and malware. Proper guidelines need to be in place on what must be done in the case of a security breach.
- Encrypt critical data: In the case of JPMorgan Chase, criminals were not able to access the credit and debit card data because of the encryption system in place. A proper encryption system not only eliminates the breach but also adds an extra layer of protection. Organizations can rely on SSL, SHA or other encryption algorithms to encrypt the data present on various servers and achieve a high level of confidentiality.
- Update security channels: As technology advances, it becomes crucial to adopt technologies and strategies that are more secure. For example, banks should provide their customers with EMV cards, which require a password for payment and are difficult to duplicate. A security update resolves a privately reported vulnerability and helps the system fight malware. Reinforcing and updating the organization's defenses over time therefore becomes a necessity, as hackers are constantly looking for loopholes in this era of information.
- Choose the right password: Passwords or decryption keys should be chosen properly to make it difficult for a hacker to steal them. This can be done by using numbers, special characters, capital letters, etc. in your password. One should also make sure not to use the same password for multiple servers. This ensures that a hacker who has one key won't be able to access other servers using the same key. On average it takes 2-3 months for a hacker to crack into a network and exploit it, so users should change their passwords within 2-3 months to make it impossible for a hacker to get access.
- Divide and conquer: Some companies practice an "air gap" or "air wall", where a secure computer network is physically isolated from unsecured networks, which prevents hackers from accessing it. Where it won't be possible to isolate a network, companies could segment their networks based on the type of crucial information each holds and impose proper security measures on the more sensitive segments. This measure not only ensures extra security for the more crucial data but, in case of a breach, also helps to detect the breach and respond appropriately.
We are living in an information world where information is everything. Any data leakage or security breach not only results in a financial loss but also costs the organization its image. The above steps would ensure the security of any organization, but one thing that needs to be understood is that cyber security is a continuous job. It requires continuous effort from the CISO (in some cases the CIO) to detect loopholes and block them permanently, as well as from employees not to fall into any traps set by criminals.