It’s been 10 years since Verizon issued its first Data Breach Investigations Report (DBIR). Unfortunately, not much has changed when it comes to cyberattacks against companies around the globe, according to the 2017 report.
That is not good news. Criminals are still incredibly successful with the same types of attacks that afflicted businesses 10 years ago, revealing how vulnerable companies’ cybersecurity initiatives still are.
Here’s what a Verizon official had to say about the research: “If you have read the last 10 reports, it will be obvious to you that things like phishing, malware and credential theft still work.” Gabe Bassett, Verizon’s senior information security data scientist, told eWeek.com that ransomware is also an ongoing threat.
The 2017 report also revealed that attacks, while predominately financially motivated, vary from industry to industry. For example, the manufacturing industry is more susceptible to espionage-type breaches while financial services companies are more prone to botnet-related attacks.
Data security weaknesses
Even after a 10-year period and increased awareness about cyberattacks, companies remain vulnerable because of insufficient security measures. As a result, Bassett said, there are too many easy targets for cyber criminals. He said that a data security strategy could help companies remove themselves as easy targets.
Many data center breaches could be avoided if it were not for human error. Another Verizon report revealed that 63 percent of intrusions resulted from weak, stolen, default or easily guessable credentials. With two-factor authentication, those risks could be significantly mitigated.
However, those types of security measures are not undertaken by many companies and industries. In the retail industry, for example, only 29 percent of employees could identify the best practices that would deter common cyberattacks and data privacy incidents, according to the 2017 Privacy & Security Awareness in Retail Report from MediaPro. The results indicate that security awareness is low in an industry that regularly has access to customers’ personal information.
The survey, which gathered responses from 850 retail employees, questioned their basic knowledge about various security topics, including how to identify phishing attempts, the safe use of social media, and incident reporting. Most of the respondents scored poorly in many risk areas, according to MediaPro.
The healthcare industry also saw a rise in reported breach incidents, with attacks increasing by 22 percent in 2016, according to Symantec’s 2017 Internet Security Threat Report (ISTR). That puts healthcare second only to business services for the highest number of events within the services sector.
8 musts of data security
Companies can diminish their risks of data breaches by taking steps to minimize risks. Here are 8 measures you can take to implement a comprehensive data policy.
1. Establish secure access. Even with security measures in place to protect your IT network, you need to take the extra step of determining who has access to the area. Ideally, it should only be the people critical to IT functions. Put in place access controls that ensure the area is secure, minimizing any exposure of your company’s sensitive data. Traditional security measures should also include encryption and data masking.
2. Train your employees. Don’t take for granted that your employees are familiar with data security best practices, even if you went over them during a training session before. Repetition is often required before something sinks in. Impress upon your staff the importance of data security, providing updates on breaches in the industry at regular intervals. Also, reinforce the importance of creating and using strong passwords, recognizing phishing attempts, and taking proper safety measures on mobile devices.
3. Establish security guidelines for vendors. As with employees, clearly set guidelines for vendors working with your company. Set your expectations for security measures in a written policy. Specify the consequences of breaking the terms in a service level agreement (SLA).
4. Update your inventory of sensitive data. This is another area of risk for many companies: not knowing where sensitive data is located. Only 12 percent of organizations reported being aware of where all their sensitive data was located, according to a 2016 study conducted by Ponemon Institute, Scale Ventures and Informatica. In the event of data recovery, this could prove to be a major blow to a company’s operations. It is recommended that companies do a monthly check of sensitive data locations and risks. However, 54 percent of organizations reported they had not set a schedule for assessing those types of risks even though the amount of sensitive data collected by organizations grows daily.
Jonathan Gossels, president of SystemExperts, said one of the biggest mistakes companies make when securing data falls in this area. “They don’t have controls in place to ensure that all categories of data are handled appropriately,” he told DataGuardian.
However, those issues can be addressed if a company establishes a policy requiring data that contains personal information to be labeled as “sensitive” and therefore must be encrypted both in transit and at rest, he said. Also, if “the company has implemented technical controls to enforce that policy, it is very likely that the data set is safe,” he added.
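One way to start the inventory the fourth measure calls for is a content scanner that records where data matching sensitive patterns lives, so the "label it sensitive, then encrypt it" policy Gossels describes has something to act on. The scanner below is an added example, not code from the article or from any of the vendors it cites; the file paths and contents are constructed test data, and the three pattern categories (SSN, payment card with a Luhn check, e-mail address) are illustrative choices rather than a complete classification scheme.

```python
"""Build an inventory of where sensitive data lives by scanning content for PII patterns.

Added example (not from the article). The file paths and contents below are constructed
test data; in practice the scanner would walk real file shares or database exports.
"""
import re
from typing import Dict, List

# Constructed sample "files": path -> content (all values are made up).
SAMPLE_FILES = {
    "hr/payroll_2016.csv": "name,ssn\nAlice Example,123-45-6789\n",
    "sales/orders.txt": "order 1001 card 4111111111111111 exp 12/19\n",
    "sales/notes.txt": "call back re: ticket 1234567890123456 (not a card)\n",
    "eng/README.md": "Build with make. Contact eng-team@example.com\n",
    "eng/log.txt": "2017-05-01 service started\n",
}

PATTERNS = {
    # US Social Security number layout: 3-2-4 digits with dashes.
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-19 digits, optionally separated by spaces or dashes; verified with Luhn below.
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> List[str]:
    """Return the categories of sensitive data found in a piece of text."""
    categories: List[str] = []
    if PATTERNS["ssn"].search(text):
        categories.append("ssn")
    for match in PATTERNS["card"].finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        # The Luhn check filters out ticket numbers and other long digit runs.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            categories.append("card")
            break
    if PATTERNS["email"].search(text):
        categories.append("email")
    return categories


def build_inventory(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each path that holds sensitive data to the categories found; clean files are omitted."""
    inventory: Dict[str, List[str]] = {}
    for path, content in files.items():
        found = classify_text(content)
        if found:
            inventory[path] = found
    return inventory


if __name__ == "__main__":
    for path, found in sorted(build_inventory(SAMPLE_FILES).items()):
        print(f"{path}: sensitive ({', '.join(found)})")
```

Run on a monthly schedule (as the article recommends), the inventory output is what feeds the encryption-in-transit-and-at-rest policy; the Luhn check matters because a long digit string in a ticket reference would otherwise generate a false "card data" entry and erode trust in the inventory.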
5. Set up automated detection systems. Another measure that addresses both data security and data recovery is automated detection that alerts your IT team when there’s unusual activity around sensitive data. Such systems can also be configured to initiate automated remediation immediately.
6. Maintain software and security updates. Cyber criminals use increasingly sophisticated methods to probe your systems for vulnerabilities, so make sure your team keeps up with security patches that address new attack methods.
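To make the fifth measure concrete, here is an added example (not from the article, and not any vendor's detection logic) of the kind of rule-based detector that flags unusual activity around sensitive data. It learns which resources each user normally reads from a baseline period of audit log lines, then raises alerts for reads of sensitive resources by a user with no prior access, reads outside business hours, and bulk reads in a single day. The log lines, user names, resource names, thresholds and business-hours window are all constructed assumptions.

```python
"""Alert on unusual activity around sensitive data using a per-user access baseline.

Added example (not from the article). The audit log lines, user names and resource
names are constructed; the three rules are illustrative choices, not a product's logic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed audit log, one "timestamp user action resource" record per line.
BASELINE_LOG = """\
2017-05-01T09:12:00 alice read hr/payroll
2017-05-01T10:30:00 alice read hr/payroll
2017-05-02T09:05:00 alice read hr/payroll
2017-05-02T11:00:00 bob read eng/design
2017-05-03T14:20:00 bob read eng/design
"""

TODAY_LOG = """\
2017-05-04T09:15:00 alice read hr/payroll
2017-05-04T02:40:00 bob read hr/payroll
2017-05-04T10:00:00 carol read hr/payroll
2017-05-04T10:00:01 carol read hr/payroll
2017-05-04T10:00:02 carol read hr/payroll
2017-05-04T15:00:00 dave read eng/design
"""

# Resources the data inventory has labelled sensitive (constructed names).
SENSITIVE = {"hr/payroll", "sales/cards"}


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    resource: str


@dataclass
class Alert:
    rule: str
    user: str
    resource: str
    ts: datetime


def parse_log(text: str) -> List[Event]:
    """Parse the constructed four-field log format into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, resource))
    return events


def build_baseline(events: List[Event]) -> Dict[str, Set[str]]:
    """Record which resources each user touched during the learning period."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        baseline[e.user].add(e.resource)
    return baseline


def detect(events, baseline, sensitive, bulk_threshold=3, business_hours=(8, 18)):
    """Raise an alert when sensitive data is read by a user with no baseline access
    to it, outside business hours, or in bulk (>= bulk_threshold reads in one day)."""
    alerts: List[Alert] = []
    flagged_new: Set[tuple] = set()          # one new-access alert per (user, resource)
    daily_counts: Dict[tuple, int] = defaultdict(int)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.resource not in sensitive:
            continue
        key = (e.user, e.resource)
        if e.resource not in baseline.get(e.user, set()) and key not in flagged_new:
            flagged_new.add(key)
            alerts.append(Alert("new-access", e.user, e.resource, e.ts))
        if not business_hours[0] <= e.ts.hour < business_hours[1]:
            alerts.append(Alert("off-hours", e.user, e.resource, e.ts))
        day_key = key + (e.ts.date(),)
        daily_counts[day_key] += 1
        if daily_counts[day_key] == bulk_threshold:   # fire once, when the threshold is hit
            alerts.append(Alert("bulk-read", e.user, e.resource, e.ts))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for a in detect(parse_log(TODAY_LOG), baseline, SENSITIVE):
        print(f"{a.ts.isoformat()} {a.rule:<10} user={a.user} resource={a.resource}")
```

The detector only looks at resources the inventory has labelled sensitive, which keeps the alert volume tied to what actually matters; the automated remediation the article mentions would hang off the returned alerts (for example, a bulk-read alert revoking the session that produced it) rather than off every raw log line.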
7. Maintain compliance. Compliance with regulations like HIPAA, ISO and DSS provides another level of data security companies must consider. The best practices provided under these guidelines lay out the standards your company must use to provide security. Ensure that your company is properly following compliance guidelines when it comes to protecting sensitive information, including credit card and health data.
8. Create a response plan. Unfortunately, data breaches can happen no matter how many steps you take to establish security measures. That’s why it is also essential to establish a data breach response plan that lays out the steps you will take in the wake of an event. Again, identifying the most sensitive information is key to determining where to focus your efforts. It’s also important to include a communications plan for how you will alert staff and customers of any threats involving their personal information.
With data security policies and strategies in place, along with continual monitoring and updates, companies can take significant steps in building up a defense against cyberattacks.