The Online Trust Alliance (OTA) recently released its 2015 Data Protection and Breach Readiness Guide for its seventh consecutive year. This guide helps provide businesses with prescriptive advice to help optimize data privacy and security practices to prevent, detect, contain and remediate the risk and impact of data loss incidents and breaches.
Tag: data protection (Page 1 of 2)
- Don’t keep what you don’t need. Most businesses hang on to too much data for too long. And it’s often data that they don’t need. Or worse, didn’t realize they even had. So do a spring-cleaning. Do an inventory of all your data and everywhere you keep it. Identify what you don’t need, then get rid of it forever. And not by simply hitting the Delete key, but overwriting it to military standards or shredding it. When it comes to data breaches, you can’t lose what you don’t have.
- What you do keep, know where it is. So many data breaches result from data being in the wrong place at the wrong time. Like highly sensitive customer or employee information being carried around town or across the world on an unprotected laptop. As part of your inventory you need to know where your data is at all times so that you can protect it at all times. That means checking servers, desktops, laptops, websites, tablets, phones, removable storage, filing cabinets, storage lockers, warehouses, third parties and anywhere else it might be hiding.
- Classify your information. Not all information is created equal. And understanding that you can’t protect all data all the time, you have to focus on the stuff that’s worth protecting. That’s where data classification comes in. There are a number of different ways to classify data, but they’re usually a series of three to five categories of importance – from top secret to simply private and confidential. By assigning a security classification to your data, you make it easier for employees to instantly understand how they need to handle that data.
- Encrypt. In most states, you get an almost free pass on data breaches if the breached data was encrypted. That’s how good encryption is at making data useless to hackers. Encryption is getting much easier to implement and afford. Encryption isn’t just for credit cards and online transactions. In any business you can easily encrypt files, folders, hard drives, texts, phone calls and emails, photos and videos, and just about any kind of data.
- Comply with PCI. The credit card companies are pretty good when it comes to protecting information, which is why PCI compliance is a great baseline. It’s not perfect and not a guarantee, but you should never be without it.
- Lock down your website. Many of today’s breaches start with the exploitation of poorly protected and patched websites. Which is really a shame because it’s so easy to protect your website. Make sure you’re using some kind of web scanning or monitoring service that will find and fix security holes before hackers do.
- Turn every employee into a data sentry. Technology only goes so far when it comes to preventing data breaches. People fill that gap, and the most important people are your employees. Every employee needs to understand the value of data, the risks of breaches, and how their choices can make all the difference
- Try not to move it. If you know where your data is and you don’t plan to move it any time soon, then it’s very easy to lock it in place. But data is at its most vulnerable when it’s on the move – like stored on a traveling laptop or phone, sent on tape to a third party like a payroll processor, or even being emailed between employees.
- Don’t forget paper records. It’s estimated that one in every five data breaches involves paper records. That means documents stolen from a briefcase or in a burglary, dumped without shredding, or simply mislaid. So as part of your inventory you need to go through the piles of information in every office, pick what you have no more need for, and shred it.
- Use layers of security. While antivirus software is important, it’s not enough. While website security is essential, it’s not enough. While good passwords are a must, still not enough. Hackers after your data are relying on the fact that you might be relying on just one or two layers of security between them and your data. Good security is about creating multiple security perimeters that convince hackers that you’re just not worth their time and energy.
It seems a no-brainer that the recent massive eBay data breach should be a much bigger story than the Target breach. After all, the Target breach “only” affected 110 million customers where the eBay breach impacted closer to 150 million customers.
It’s not often we get a chance to attend a security breach postmortem — a step-by-step, hack-by-hack, mistake-by-mistake account of what went so horribly wrong. The U.S. Commerce Department recently gave us such a chance with their report into all the mistakes Target made, and which could have avoided, in its recent massive data breach.
The report provides what’s referred to as an “intrusion kill chain” that highlights all the places Target had a chance to spot the breach and stop it. But missed. For example:
- The hackers were able to identify a potential Target vendor or supplier to exploit because Target made such a list publicly available. That was the starting point for the hackers.
- The vendor targeted had very little security in place. The only malware defense they appeared to have used to protect their business was free software meant for personal and not business use.
- The vendor’s employees had received little if any security awareness training, and especially on how to spot a phishing email. So the hackers used a phishing email to trick at least one of those employees into letting them in the back door.
- Once in the vendor’s systems, the hackers were able to use stolen passwords without the need for authentication because Target did not require two-factor authentication for low-level vendors.
- The hackers are suspected of gaining further access from the vendor by using a default password in the billing software the vendor used. If the default password had been changed, the attack might have stopped right there.
- There were few controls in place to limit access the vendor had on the Target network. Once the vendor had been compromised, Target’s entire networks were exposed.
- When the hackers installed their Point of Sale malware on Target’s networks and began testing the malware, that activity was detected by Target’s security systems but the alarms were simply ignored.
- When the hackers created an escape route and began moving the stolen data off Target’s networks, that activity triggered alarms too but once again, the alarms were ignored.
- Some of the data was moved to a server in Russia, an obvious red flag for Target security which once again was missed.
- The login credentials of the vendor were used throughout the attack, yet Target’s security system wasn’t able to detect that those credentials were being used to perform tasks they weren’t approved for.
We keep saying that every business large and small has important lessons to learn from Target. Don’t waste the opportunity. Double-check your own security and see if there are any obvious gaps you haven’t spotted but need to be sealed.
Every year about this time, Verizon comes out with an annual review of the results of its investigations into thousands of data breaches and security incidents from around the world.
The report can be very data heavy and even a little depressing, but we can learn great things from it. Here are just ten:
Speaking in a recent interview on CBS’ 60 Minutes, Tim Sparapani, a former privacy lawyer for the American Civil Liberties Union, commented “Most retailers are finding out that they have a secondary source of income, which is that the data about their customers is probably just about as valuable, maybe even more so, than the actual product or service that they’re selling to the individual.”
It was a chilling admission that the world has changed in ways most of us never expected, and that there may be more value in information about people than in selling goods and services to those people. Or stealing from them.
Of all the threats that could be stalking your business daily, it is most unpleasant to think about the fact that the biggest threat could already be inside your walls, maybe even on your payroll. Unfortunately there’s plenty of evidence to suggest that the biggest source and cause of security incidents is the humble employee.
The good news is that few of these incidents are deliberate attacks or frauds by your most trusted insiders. Instead they tend to be innocent mistakes which could easily be avoided but which are quickly taken advantage of by hackers.
The last 30 days could go down as some of the most important in the world of cybersecurity, and malware in particular. It wasn’t just the small window that revealed data breaches at Target, Neiman Marcus, Michaels Craft Stores and potentially dozens of other retailers. Nor was it the fact that this explosion in data breaches could all be the work of a seventeen-year-old.
With the Target data breach and its endless repercussion still on most people’s minds, next week’s Data Privacy Day (January 28th) is well-timed to pause and think about data privacy and what it means to your business and customers.
The idea behind Data Privacy Day has been around for a number of years, but began to really catch on in 2009 with the U.S. Congress declared the very first National Data Privacy Day. So every year around this time, privacy and security advocates use this annual event to raise consumer and business awareness about privacy, what it does and should mean to us, and why it’s so important for all of us to recognize.
It’s been less than a month since mega retailer Target announced that a little more than 40 million customer debit and credit cards had been stolen by hackers. Not long after that, we saw the first of those cards being sold a few hundred thousand at a time, in a variety of underground hacker forums. Although not that underground, since I was able to register on the most notorious hacker sites and see for myself how easy it was to buy an identity.