Never Too Small for a Data Breach

It seems as though nearly every day you hear about a business that has fallen victim to a data breach or other cyber-related incident. Companies of all sizes and industries are falling victim to the increasing threat of cyber-related crime. This has largely been due to the vast amounts of valuable data available within the networks and programs of organizations. Cybercriminals are continuously learning and developing new ways to obtain confidential data at a pace much faster than business owners are adapting to the changing risk landscape. There are a number of methods attackers employ to infiltrate an organization’s systems to act maliciously. This makes deciding on the most useful tactics to mitigate the risk from the highest threat areas rather difficult. If you are a business owner, large or small, slow down and ask yourself if you have done everything to protect your organization, your data and yourself from the growing likelihood of a breach.

Last year alone, there were more than 1,300 data breaches reported publicly by large corporations. From only the sheer number of large organizations that have reported their breaches, this averages greater than three cyber-attacks per day. This total does not even consider the number of small to mid-sized organizations that have experienced a breach or larger organizations that have fallen victim but did not release this information publicly. The question of why these breaches and losses are becoming so frequent should be raised amongst management.

• Is this because of the growing knowledge base of malicious attackers who are finding an increasing number of targets to exploit?
• Is this due to a lack of employee understanding of cybersecurity practices and not realizing what is at risk?
• Is cybersecurity protection and loss prevention too expensive and time consuming to implement?
• Do business owners think they will not be targeted based on their size, business model complexity, and/or industry?

To be on the receiving end of a data breach is an unfavorable position and one every business owner would like to avoid. For every method used to gain unauthorized access to a business’ data, there are just as many justifications a business can give as to why the breach occurred. One of the first steps to mitigate these threats and avoid a breach is to recognize the means by which cybercriminals can penetrate your business.
In order to determine the methods to employ to reduce the risk of a data breach in your business, first obtain a better understanding of the leading threat actions. Based on statistics from the 2018 Verizon Data Breach Investigations Report, the top cybersecurity threats are as follows:

1. Hacking – A broad term to define the illegal usage of programs and tactics to obtain confidential and private user information including, but not limited to:
   1. Cookie theft where usernames, passwords, and other information from your browser’s history are stolen.
   2. Denial of service attacks where sites and servers are flooded with traffic and overloaded causing a crash.
   3. Keylogging where the activity, key strokes and sequences of your keyboard are monitored in an attempt to repeat a user’s keystrokes to obtain confidential information.
2. Malware – Malicious code that infects a user’s computer and allows a cybercriminal to gain illegal access to various functions. Two of the more common types of malware include:
   1. Computer viruses that replicate on the host system and infect programs, files and other data.
   2. Ransomware where company data has been compromised and is held hostage for a cash ransom by the malicious party.
3. Social Engineering – The most common being phishing, when a user is tricked into offering personal information to an unauthorized party through disguised email correspondence. More recently, phishing emails have embedded malware making it easier for the malicious party to gain access to confidential information.
4. Human Error – The unintentional act of losing or putting information at risk by allowing data to be obtained by unauthorized parties. This could be due to negligence, carelessness or lack of education on the subject.
5. Physical – The act of gaining confidential information through physical means such as: 
   1. Eavesdropping on conversations discussing private or confidential information.
   2. Observing a user access their workstation to obtain their login credentials.
   3. Unauthorized individual maliciously following an employee with special clearance into a restricted area
   4. Theft of unattended documentation from a user’s workstation.

There are various way to reduce the threat of a data breach, some of which are relatively easy and inexpensive. It’s important that management consider the most cost-effective solutions without losing sight of business continuity. The inclusion of new cybersecurity controls should not inhibit the efficiency and productivity of daily business practices. Some of the most cost-effective solutions to implement are:

1. Educational programs and phishing tests – Teach employees about the different types of social engineering tactics that will attempt to exploit their naivety on the subject.
2. Up-to-date antivirus software – Obtain updates periodically to protect against recently discovered vulnerabilities and other weaknesses that are being exploited.
3. Current firewalls – Check with your network protection provider regularly to ensure that your firewall is being improved upon and the most up-to-date version is available.
4. Continuously monitor and check for network abnormalities with your current network protection/firewall software in place; monitor events and activity to see if there has been an increase in unauthorized/suspicious traffic.
5. Have a third-party professional service perform a risk assessment surrounding your business’ current environment and infrastructure to identify where your business’ vulnerabilities lie. This independent third party may be able to spot weaknesses that have been overlooked by employees who are too close to company operations.
6. Data mapping exercises – Before a breach occurs, assess where critical and valuable data resides, flows to and from, and interacts with other systems. This will help you better understand where a malicious attacker could perform the most damage should a breach occur.

There are additional preventative measures that are more robust that you may want to consider, however, they can be more expensive. This includes tasks such as performing penetration tests; deploying intrusion prevention and detection systems; and applying enhanced network monitoring tools to track traffic, timing, frequency, and correlation of data and events.

Corporate culture has gone through a major shift in recent history; a large difference is in the way security surrounds our data. It used to seem as though our data was safe behind a password-protected user ID. Now we see large corporations fall victim to data breaches, jeopardizing the integrity of personal information. It is still commonly seen among small to mid-sized businesses that cybersecurity is not taken seriously. Therefore adequate cyber solutions are often not implemented, seen as cost-effective, or even considered. The size of a business does not guarantee any safeguard from cyber threats, and it is best to keep in mind that no matter the size of your business, you are never too small for a data breach.

PRTS Intelligence Newsletter - Q2 2019

• Robotics Process Automation (RPA) as a Service
• Never Too Small for a Data Breach