2017: The Year of the Cyber Attack
Cyber security problems will increase in 2017, warns Experian Data Breach Resolution, a branch of the credit reporting giant.
In its 2017 Data Breach Industry Report, Experian noted it expects to see several new—and frightening—trends:
- “Aftershock” password breaches becoming more common,
- Nation-state cyber-attacks moving from espionage to war,
- Healthcare organizations becoming the most frequently targeted sector,
- Criminals focusing on payment-based attacks, and
- International data breaches causing “big headaches” for multinational companies.
“Aftershock password breaches” can affect organizations that have never had a breach of their own data. They occur when usernames and passwords stolen in a first-hand breach become available to criminals and hackers, who then try those same credentials against other networks, because many people reuse passwords across accounts. Organizations that see repeated unauthorized log-ins need to notify their customers that their data might have been misused.
Action step: Strengthen data protection and make unauthorized log-ins more difficult by using two-factor or multi-factor authentication. As the name implies, two-factor authentication requires more than a password. The user must provide something additional: a physical object, such as a bank card or a USB stick holding a code; secret information, such as a PIN or a code sent by text message; or a biometric marker on file, such as a fingerprint, voice or iris. Of course, these measures should be part of your comprehensive cyber security plan.
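The warning sign described above, repeated unauthorized log-in attempts, has a recognizable shape in an authentication log: one source trying many different accounts in a short time, most of them failing. The script below is an added example, not code from the article or from Experian; it flags that pattern and lists the accounts where an attempt in such a run succeeded (the customers to notify). The log format, the sample log lines and the thresholds are all constructed assumptions.

```python
"""Spot "aftershock" (reused-password) log-in runs in an authentication log.

Added example. The log format below is assumed: one event per line,
"<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not a real log). 203.0.113.7 walks through six
# different accounts in six seconds and gets into one of them; 198.51.100.4
# is a single user mistyping a password, which is a different pattern.
SAMPLE_LOG = """\
2017-01-10T09:00:01Z 203.0.113.7 alice FAIL
2017-01-10T09:00:02Z 203.0.113.7 bob FAIL
2017-01-10T09:00:03Z 203.0.113.7 carol FAIL
2017-01-10T09:00:04Z 203.0.113.7 dave FAIL
2017-01-10T09:00:05Z 203.0.113.7 erin SUCCESS
2017-01-10T09:00:06Z 203.0.113.7 frank FAIL
2017-01-10T09:05:00Z 198.51.100.4 alice FAIL
2017-01-10T09:05:30Z 198.51.100.4 alice FAIL
2017-01-10T09:06:00Z 198.51.100.4 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source, username, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def find_credential_stuffing(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: summary} for sources that tried at least `min_accounts`
    distinct usernames within any `window`-long span of time.

    The thresholds are assumptions for the example; tune them to your own
    traffic so that ordinary users retrying one account are not flagged.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            events[src].append((ts, user, result))

    alerts = {}
    for src, evs in events.items():
        evs.sort()                 # chronological order per source
        recent = deque()           # events inside the sliding window
        per_user = defaultdict(int)  # attempts per username inside the window
        for ts, user, result in evs:
            recent.append((ts, user, result))
            per_user[user] += 1
            # Drop events that have fallen out of the window.
            while ts - recent[0][0] > window:
                _, old_user, _ = recent.popleft()
                per_user[old_user] -= 1
                if per_user[old_user] == 0:
                    del per_user[old_user]
            if len(per_user) >= min_accounts:
                # Accounts that let an attempt through during the run are the
                # ones whose owners should be told their password was reused.
                hits = sorted({u for _, u, r in recent if r == "SUCCESS"})
                alerts[src] = {
                    "accounts": len(per_user),
                    "attempts": len(recent),
                    "compromised": hits,
                }
    return alerts


if __name__ == "__main__":
    for src, summary in find_credential_stuffing(SAMPLE_LOG).items():
        print(src, summary)
```

Run against the sample, the script reports only 203.0.113.7 (six accounts, six attempts, one successful log-in to "erin"); the single user retrying one account is not flagged, since the signal here is breadth across accounts, not depth against one. Feed it your own log by replacing `SAMPLE_LOG` and adjusting `parse_line` to your server's format.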
What Is Cyber Security?
Cyber security involves protecting your organization’s digital information by preventing, detecting and responding to cyber attacks. Cyber attack dangers include viruses erasing your entire system, someone breaking into your system and altering files, or someone using your computers to attack others. However, the biggest cyber security problem that businesses and nonprofits face is protecting the personal identifying information, or PII, of their clients and prospects.
Many organizations today use or store PII. PII is information that can be used to uniquely identify, contact or locate a single person. PII includes but is not limited to:
- Full name
- Social Security number
- Date of birth
- Place of birth
- Driver’s license number
- Vehicle registration plate number
- Credit card numbers
- Physical appearance
- Gender or race
When someone’s PII you have stored is stolen or compromised, you are responsible for notifying them of the breach. That costs time, money and reputation. If criminals use PII for identity theft, you could be liable for helping victims resolve the problem, a costly and time-consuming process.
The National Cyber Security Alliance (NCSA), a public/private consortium, reports that 69 percent of small businesses have “…sensitive information, including customer data.” Hackers are increasingly focusing on small businesses, knowing that they have fewer resources to protect their data. The NCSA also points out that only half of small businesses (52 percent) “have a plan or strategic approach in place for keeping their business cyber secure.”
What Can You Do?
All organizations, particularly those that use or store others’ PII, need a comprehensive data protection plan. Lacking a plan and the systems to carry it out can create serious liability exposures.
At a minimum, you should be doing the following to protect your data:
- Make sure all company computers have the latest security software, web browsers and operating systems to protect against viruses, malware and other online threats.
- Turn on automatic software updates, if that’s an option. Many updates specifically address known security risks.
- Scan all new devices, including USB devices, before they are attached to the network.
- Use a firewall to keep criminals out and sensitive data in.
- Use spam filters. Spam can carry malicious software and phishing scams, some aimed directly at businesses.
- Know what PII you’re storing on your customers, including where you store it, how you use it, who can access it, and how you protect it. Delete any unneeded information.
No matter what firewalls, software and authentication protocols you’ve installed, your cyber security system is vulnerable if you’re not educating your employees on avoiding risky behavior online. The Workplace Security Risk Calculator, available free at https://staysafeonline.org/stay-safe-online/resources/workplace-security-risk-calculator, lets your employees gauge the level of risk their online behaviors pose.
If you don’t have the time or resources to create your own cyber security audit and plan, your ISP may offer specialized services for small businesses. The NCSA has a list of other resources available at https://staysafeonline.org/business-safe-online/implement-a-cybersecurity-plan.
No cyber security program is complete without insurance. Cyber insurance can cover the cost of correcting a security breach and notifying victims, and can even help protect those victims from identity theft. For more information, please contact us.