Not if, but When: How Data Breaches Effect Businesses
All businesses, big or small, are susceptible to a data breach. And, oh boy, there’s been some doozies recently. Yahoo (500 million accounts!), Target, Wendy’s, LinkedIn, Ebay, MySpace, the DNC, and the United States Office of Personnel Management have all had major data breaches in the last few years alone. Those breaches effected millions of people. Anyone reading this may have been effected and not even know it.
A data breach, for those who may not know, is a security incident wherein a company or individual has confidential personal information viewed, used, or stolen by an individual not authorized to access said information. What it means to be effected by a data breach is that there is a distinct probability that your information, whether email credentials, bank information, credit card numbers, etc. has been viewed/stolen by a hacker forcing their way into a secure system that houses your data.
In cases of large breaches, say Yahoo, Target or LinkedIn, millions of individual’s information was stolen. And, if your information was part of that breach, the odds that your information went on to be used in identity theft are pretty solid. According to a Javelin study on identity theft released in 2015, one in three individuals whose information was stolen had their information used in an identity theft crime. That is a massive leap from one in nine back in 2011, and accounts for billions of dollars stolen.
That may mean a few thousand from each individual. And if that’s me, I’m horribly upset about that. But for businesses, enterprises that have massive breaches, it could mean millions of dollars lost over a period of years.
Take the Target breach a few years ago for example. Around 70 million customers had their data exposed. That breach amounted to $162 million dollars in loss related to the expenses due to the hack. Those losses were recorded over 2013 and 2014. But that doesn’t include lawsuits filed by customers after their money was stolen because of the breach. Though Target is just fine now, their stocks tumbled after the data breach, and fell further still after they announced how much money it cost them. Fortunately, Target posted $21 billion in revenue that year. However, most businesses aren’t raking in that kind of money and could be absolutely crippled by a breach.
Like so many intrusions into secured networks—the best way to prevent a data breach is education and vigilance. It is much harder to brute force hack the way into a secure system, than it is to use actual verified credentials. So, hackers will use social engineering techniques in order to con individuals out of their username and password so they can go to town on a network.
Businesses must teach their employees security best practices. Such as never sending credentials via email. Employees should also be kept up to date on common social engineering tactics—phishing, spear-phishing, vishing, baiting. An informed workforce is much less likely to inadvertently give access to a hacker. Businesses can also force employees into security best practices by requiring passwords to be changed regularly, and mandating strong password requirements (alphanumeric, special characters, capital and lowercase letters). Also, segment network access. No employee should have access to network drives or information that are not necessary to their role in the company. These standards make it harder for unauthorized access to a network.
Beyond those common security basics there are steps businesses can take ahead of time to be able to more quickly mitigate a data breach if/when one occurs. First, check state and federal statutes regarding notifying customers/vendors of a breach of a system. For instance, in Minnesota, a business who has had customer’s personal information accessed by an unauthorized individual must make a disclosure “in the most expedient time possible and without unreasonable delay.” Though it will hurt the company’s reputation to admit a breach, it will hurt more if the breach is not revealed expediently and your customer’s sue you. People need to know as soon as possible so they can change their passwords or cancel credit/debit cards in order to not be taken advantage of.
Aside from knowing your legal obligations to customers, know who and what are accessing your systems. Log data—network traffic, firewall traffic, systems events. Save that data as long as possible. It may not be possible for some businesses to save terabytes of data like that, but logs of at least the last thirty days would be better than nothing. Many times, breaches aren’t detected until days after it occurred. Having logs of information like this will help understand what systems have been effected by a breach and when/how the breach occurred.
For example, the recent revelation that information from 500 million Yahoo accounts had been stolen in 2014. The mind-boggling part of this is that Yahoo had no idea they had been hacked until rumors of a hacker selling Yahoo data online surfaced in August. Then, in September, they released information about the hack after their investigation. Two years after the breach, and then two months after Yahoo was made aware, the general public was notified of the breach. Luckily, there was little to no financial information associated with the attack, but I’m still not sure if this has been the “most expedient time possible and without unreasonable delay.” This huge breach could spell trouble for Yahoo.
Of course, a business needs to have a plan to respond to data breach incidents. Feel free to look back at the DR and BCP blog for details on those plans, but when a breach occurs you don’t want employees running around like chickens with their heads cut off. The plan needs to be detailed enough so that anyone can run through it, but amorphous enough so that it can conform to each individual breach. Recently, businesses have been taking another measure to protect themselves from breaches. Though not technically preventative, cyberliability insurance has become a way for businesses to protect themselves financially. Cyberliability insurance is for companies of any size and is offered by many insurance industry giants. Policies are offered as standalones or parts of a suite of business liability coverages. Since data breaches have become more of a when than if event, it makes sense for all businesses to look into cyberliabilty insurance.
Then, test. Test employees and security with comprehensive security and risk assessments. This could involve a third party IT company or engineers posing as hackers to attempt to access the business’s system unbeknownst to the other employees. There are advantages of having an outside company test your security capacities and they may discover risks in your network that had never been addressed. But our CISO, Yan Kravchenko, knows your business can handle assessments internally. He promotes a DIY approach to risk assessment. And after you assess the business’s weaknesses, test your incident response plan. Run through the plan as if a data breach occurred. In doing so you may find holes in the plan, and that’s good. Practice makes perfect. So, when a data breach occurs at your company you’ll be as prepared as possible to mitigate the issue. And if you need a place to store your data securely, or backup your data for disaster recovery, you know who to call.