2017 was a banner year for cyber security breaches. Equifax, WannaCry, and NotPetya, not to mention the announcement that every Yahoo account was compromised—there was something major to announce about security breaches every month (and nearly every week). The year was undeniable proof that cyber risks are real, and we need to be paying more attention to them.
Addressing security risks is all the more important for businesses which, in the course of their daily operation, aggregate sensitive information from large numbers of people. With organizations as big as Yahoo and Experian (that are large enough to field their own InfoSec teams) suffering from data breaches, it’s imperative that businesses do what they can to mitigate the risks they face from hackers and other malicious users.
The first step to protecting your business is arming yourself with knowledge—knowledge of what the dangers are, and what you can do to defend against them. Not all of us can be PKI experts or penetration testers, but we can each learn a little more about what’s vulnerable in a given system, and what our responsibilities are in the event of a breach.
This guide is designed to help with that. Read on to learn what’s at risk, the true cost of a data breach, and how valuable preventive measures can be.
What Kinds of Cyber Attacks are Used?
The ways hackers can gain access to your system are diverse and numerous, and new avenues are being found every day. Typically, you’re at risk of hackers using your website, your devices, and even your people to gain access. You’re also vulnerable to internal threats, both intentional and accidental.
Though the following list is fairly extensive, it’s in no way comprehensive. Listing and discussing every method of incursion would be difficult (and beyond the scope of this article). That said, we did want to give you a firm foundation of understanding, so that you’re better prepared to handle the most common threats that hackers employ.
Using Your Devices
From small startups to mega-corporations, companies need somewhere to store their data. Large amounts of sensitive information on a single device are exactly the reason why these machines become targets. From credit card numbers to login credentials, there’s a host of information hackers and criminals would love to get their hands on, and there are a number of ways for them to get it:
- Computer viruses—malicious code that, when executed, infects your device, causes harm, and spreads itself to other devices.
- Software vulnerabilities—gaps in the security of programs and operating systems can grant backdoor access to those savvy enough to exploit them, revealing settings and files you’d rather keep private.
- Physical theft—determined hackers may resort to more direct methods of gaining access, such as stealing the device and cracking it at home where they can do it at their leisure.
A special note here goes out to ransomware, which doesn’t usually steal information, but does hold data and devices for ransom (hence the name). Usually exploiting a software vulnerability, it spreads like a virus, infecting every device it can, and encrypting the hard drive, locking you out of the device. This can be an effective—and very costly—tactic, and many people and businesses decide to pay the ransom to regain control of their device.
Using Your Website
Hosting an online presence offers additional avenues of entry to hackers who want access to your information. Some of these attacks are sophisticated, some are rudimentary, but all are effective if not carefully guarded against. Here are a few of them:
- SQL injection—this is when malicious users put an SQL command into a form field on your website, and then hit submit; the command queries your database and gives the user what they asked for (usually information they shouldn’t have).
- File upload attacks—if your website has a file upload option on it (for changing profile pictures, or for submitting resumes for a job application), hackers can upload a file that has commands embedded in it; when the file uploads, the command executes, allowing them to do some serious damage.
- M-i-t-M attacks—it takes some doing, but hackers can insert their device between your server and a user, which is why this is called a Man-in-the-Middle attack; they fool the user and the server into thinking they have a direct line, when really, every transmission is routed through the hacker, giving them access to all of the user’s personal information.
- HTTPS downgrade attacks—HTTPS usually does a good job of preventing M-i-t-M attacks, but it can be defeated; if the hacker can force the server to downgrade back to HTTP—or even to an older, less secure version of HTTPS—they can then be successful at inserting themselves between the server and the user.
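The SQL injection bullet above in working code, as an added example that is not part of the original article: a lookup that pastes the form value straight into the query, next to the parameterized version that keeps the value as data. The in-memory SQLite table, its column names, and the sample form inputs are constructed assumptions for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory "customers" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The form value is spliced into the SQL text, so whatever the user
    # typed becomes part of the command the database runs.
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    # The SQL text is fixed; the form value travels separately as a bound
    # parameter and is only ever compared as data, never parsed as SQL.
    query = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def demo():
    conn = make_db()
    normal = "alice@example.com"
    # Constructed hostile form input: closes the quoted string and appends
    # a condition that is true for every row, so the vulnerable lookup
    # returns the whole table while the parameterized one matches nothing.
    hostile = "' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```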
Like ransomware, DDoS (Distributed Denial of Service) attacks get a special mention. They’re not designed to steal from your system, but to crash it. Using an army of computers hijacked via malware (more on that later), they flood your website with simultaneous requests. This overloads your system and crashes it.
Using Your People
Sometimes, hackers don’t have to exploit technology at all to get the job done. They skip both the hardware and the software and shoot straight for the wetware, a term that refers to the soft, fleshy organism that sits between the chair and the keyboard. By manipulating employees at your company, hackers can get access to many things that are normally locked down.
- Malware—the heart and soul of wetware hacking, these are malicious programs that are disguised as something benign or desirable. While not as contagious as viruses, they can do a lot of harm to your devices; all that’s required is for a user to mistake the malware for something that’s safe to download and run.
- Phishing scams—some hackers aren’t content to sit and wait for their malware to be found. They get proactive and go on the offensive, sending emails that look like they’re from reputable or trustworthy sources that instruct the recipient to download the malware.
- Social engineering—breaking out the con artist skills, hackers can sometimes get what they want simply handed to them by calling IT and saying “I forgot my password,” or by using similar tactics that manipulate a human being’s willingness to trust someone who talks like they belong.
Internal threats are ones that come from inside the walls of your business, namely, from your own employees. Not all are intentional, but all can be devastating:
- Installing risky software
- Insecure disposal/reuse of devices
- Unintentional distribution of sensitive information
- Stealing/manipulating sensitive data
- Sharing passwords/login credentials
- Using weak passwords
- Downloading malware
- Failing to update software
Employees at nearly every company make mistakes like this daily. Sometimes they get away with it. Sometimes it leads to business-ending catastrophes.
What are the Laws Regarding Cyber Security Liability?
Federal Privacy Laws
Thus far, federal regulations have been very “hands-off” with regard to privacy practices and cybersecurity law. The only major laws that protect people’s right to privacy are the Privacy Act of 1974—which governs how federal agencies handle sensitive information—and the Health Insurance Portability and Accountability Act (HIPAA)—which governs how healthcare providers and health insurance companies are supposed to protect patient information. You may not have considered HIPAA when it comes to cyber security, but 1 in 4 cyber attacks are aimed at obtaining healthcare records or infiltrating hospitals.
For the rank and file of businesses, there’s no federal law requiring particular privacy practices or notification policies. There’s also no particular law holding businesses accountable in the event that they’re negligent in how they protect sensitive information. With the wave of recent breaches, however, there’s no guarantee that it will stay that way.
Local Privacy Laws (Utah Specific)
Utah, like most states, has implemented its own regulations for data breaches (which can be found under Utah Code Ann §§ 13–44–101). It’s primarily concerned with what counts as “personal information,” what constitutes a breach, and in enforcing a notification policy in the event of a breach. Under the code, personal information is defined as a person’s name (first and last name, or first initial and last name), combined with one or more of the following:
- State identification card number (i.e. driver’s license number)
- Social security number
- Credit card number or financial account number, and any associated security code or password required for access
If an organization, institution, or company has reason to believe that the personal information of a Utah resident has been compromised, a good-faith investigation into the potential breach is required. If that investigation gives reasonable evidence that personal information has been misused, a notification to every affected Utah resident is required. Beyond that, there’s little accountability thus far in the law. Again, with so many Utah residents affected by recent breaches, it’s possible lawmakers will change that soon.
What’s the Cost of a Data Breach?
Depending on the size of your business, the average cost of a data breach can be catastrophic or merely a drop in the bucket. As of 2017, the average breach costs a company $3.62 million. Averages can be deceiving though, and it’s entirely possible for it to cost you much more. Here are some examples:
- IRS: the federal agency issued $39 million in falsified tax returns to criminals who defrauded victims back in 2015.
- Yahoo: the internet giant was in the process of selling the business to Verizon for $4.8 billion; the deal almost didn’t go through, and as it was, the sale price was slashed by $350 million.
- Equifax: the recent breach has cost the credit bureau $4 billion in falling stock values alone.
Clearly, a data breach is a misfortune that not every business can afford. That’s why taking steps to prevent an incursion is so critical.
How Do I Protect My Business?
Protecting a business from the dangers of data breaches is best done in a two-pronged approach: prevention and response.
The key to prevention is identifying vulnerabilities before they are used against you and then closing those vulnerabilities. It starts by physically securing devices and instituting better company policies regarding employee logins, computer usage, data encryption, etc. Then you start getting proactive with cyber security audits. These security scans help pinpoint areas of weakness. For added levels of detection, take it a step further with penetration testing—this is essentially a fire drill for your cyber security: you hire someone to hack into your system, and when they’re successful, you identify the route they used and close the vulnerability.
Response is where cyber security insurance comes in handy: it puts a team of experts on retainer who can help you clean up the mess, and clean it up fast. Cyber insurance means you have help to close the breach quickly, to identify what was compromised, and to recover from the damage and get your business back on its feet.
This dual approach is the kind of protection that Fibernet can offer your business. If you’re curious whether your company can benefit from expert-level protection and cyber insurance, start the process today by downloading the cyber security audit checklist. Give it to your IT admin, and have them assess your level of security. Then, come to us with any questions or concerns you have, and we can help you get your business airtight.
A safer, more secure internet is everyone’s responsibility. It’s time we all started pitching in.
Want to learn more about what you can do to protect your business? Contact Fibernet today for the peace of mind of knowing you’re protected from hackers.