Lessons from recent data breaches and other security horror stories
(Last updated on July 30, 2019)
October is the month to get a little scared. Whether it’s a ghost story, horror movie, or haunted house, there’s always a way to get your Halloween fix. But, there’s something far scarier that may creep up on you, and not just in October – a security breach! To celebrate Cyber Security Awareness Month, we are sharing some tips and best practices from recent breaches and security incidents:
- Educate employees: To protect employees from the most common attacks, run a security awareness training program. Every new employee should complete it, and everyone should be refreshed at least annually. If your organization is bound by compliance standards, design the training around those requirements. The material should help users recognize threats such as phishing and social engineering, and tell them exactly what to do (and whom to report to) when something seems suspicious.
- Go phishing: The Enterprise Phishing Susceptibility and Resiliency Report suggests that in 2016, 91% of cyberattacks began with a spear phishing email that appeared to come from a legitimate source. Aside from training your employees, test their awareness with simulated phishing emails and help them spot the red flags: a familiar name on an unfamiliar address, a domain that almost matches yours, a Reply-To that differs from the sender, and pressure to act quickly or keep quiet. Remember, prevention is better than cure. Barclays should serve as a cautionary tale for all organizations on phishing: the CEO replied to an email from a prankster posing as the chairman, sent from outside the bank's own domain, and the entire exchange was then made public.
- Have a good password policy: Passwords are inherently weak, yet remain the most widely adopted form of authentication. Fortunately there are measures that limit the risk. A secure password policy should reject passwords that appear in known breaches, reject ones that contain the username or company name, and favor longer, unique passwords over forced complexity rules and frequent rotation. Want to know how the password settings in your organization compare to best practices? Use this free tool to scan your Active Directory, and see how your password policies measure against standards from Microsoft, NIST, PCI, and SANS.
- Secure access with two-factor authentication (2FA): 2FA combines something you know (a password) with a second factor of a different kind: something you have (e.g. a phone or hardware token) or something you are (e.g. a fingerprint). A second password or security question is not a second factor. 2FA is effective because a password that has been phished, cracked or reused is no longer enough on its own. Attackers recently gained access to Deloitte's privileged data through an administrator account that was protected by a single password and not by 2FA. Something preventable has now caused irreversible damage. Organizations operating in highly regulated industries face regulatory fines, public relations costs, breach response and protection costs, and other consequences as a result of exposing sensitive client data.
- Patch regularly: When a software vendor issues a fix for a vulnerability, take them up on it! Leaving known vulnerabilities unpatched can have serious consequences. The recent Equifax breach is a case in point: a vulnerability in Apache Struts (CVE-2017-5638), for which a patch had been available for roughly two months, let attackers obtain the personal information of more than 140 million Americans. If this doesn't scare you, we have another example: the Securities and Exchange Commission (SEC) breach. Attackers got into the SEC's EDGAR filing system, and the SEC said the non-public information they reached may have been used for illicit trading. How did this happen? You guessed it: a software vulnerability.
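The "Go phishing" tip above lists the header-level red flags to teach. As an added example (not code from the original post), here is a small checker that flags them in a raw message: an executive's display name on an address outside the company domain, a look-alike sender or Reply-To domain, and a Reply-To that routes replies elsewhere. The company domain, executive names and both sample messages are constructed for the demonstration.

```python
# Added example, not code from the original post: flag header-level phishing
# red flags in a raw message. Domain, executive list and the sample messages
# are all constructed for the demonstration.
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                # assumption: the organization's own domain
EXECUTIVES = {"jane chairman", "sam ceo"}  # assumption: names attackers impersonate

# Characters attackers swap to build look-alike domains (examp1e.com, g00gle.com).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one typo away from ours is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str, target: str = CORP_DOMAIN) -> bool:
    """True when domain imitates target without being it."""
    if not domain or domain == target:
        return False
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
    return normalised == target or edit_distance(domain, target) <= 1


def phishing_flags(raw: bytes) -> list[str]:
    """Return the red flags found in the message headers (empty list = none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(sender)
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    flags = []
    # 1. A known executive's name on an address outside our domain.
    if name.strip().lower() in EXECUTIVES and sender_domain != CORP_DOMAIN:
        flags.append("executive name on external address")
    # 2. Sender domain imitates ours.
    if is_lookalike(sender_domain):
        flags.append("look-alike sender domain")
    # 3. Replies silently routed to a domain other than the sender's.
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("reply-to domain differs from sender")
    if is_lookalike(domain_of(reply_to)):
        flags.append("look-alike reply-to domain")
    return flags


# Constructed messages: one impersonation attempt, one genuine internal mail.
SPOOFED = b"""From: Jane Chairman <jane.chairman.office@webmail.example.net>
Reply-To: chairman@examp1e.com
To: sam.ceo@example.com
Subject: Quick favour, keep this between us

Can you take a call in ten minutes?
"""
GENUINE = b"""From: Jane Chairman <jane.chairman@example.com>
To: sam.ceo@example.com
Subject: Board pack

Attached as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, phishing_flags(raw) or ["no flags"])
```

A mail gateway would apply the same checks to every inbound message and tag or quarantine hits; in training, showing employees the headers of a flagged message is more effective than the abstract advice "check the sender".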
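The password-policy tip above calls for rejecting breached passwords and favoring length over complexity rules. As an added example (not code from the original post or the scanning tool it mentions), the checker below implements such a policy, including the k-anonymity lookup pattern used by the Have I Been Pwned range API, where only the first five hex characters of the SHA-1 ever leave the client. The minimum length, blocked words and the tiny "breached" corpus are constructed assumptions.

```python
# Added example, not code from the original post: a password-policy check of the
# kind the bullet describes. The minimum length, blocked words and the breached
# corpus are constructed assumptions; in production the corpus would be the
# full Have I Been Pwned list or your own breach feed.
import hashlib

MIN_LENGTH = 12                         # assumption; NIST SP 800-63B's floor is 8
BLOCKED_WORDS = {"acme", "password"}    # assumption: company name plus the obvious

# Constructed stand-in for a breached-password corpus, stored as upper-case
# SHA-1 hex exactly as the HIBP range API publishes it.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123", "Winter2019!", "letmein", "qwerty123456")
}


def breached_suffixes(prefix: str) -> set[str]:
    """Offline stand-in for HIBP's k-anonymity range lookup: given the first five
    hex characters of a SHA-1, return the suffixes of every breached hash that
    shares them. The caller never discloses the full hash of the password."""
    return {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breached_suffixes(digest[:5])


def check_password(password: str, username: str = "") -> list[str]:
    """Return every policy violation (an empty list means the password is accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if any(word in lowered for word in BLOCKED_WORDS):
        problems.append("contains a blocked word")
    if len(set(lowered)) < 5:
        problems.append("too few distinct characters")
    if is_breached(password):
        problems.append("appears in a known breach")
    return problems


if __name__ == "__main__":
    for pw in ("Winter2019!", "alice-Acme-2019", "correct horse battery staple"):
        print(repr(pw), check_password(pw, username="alice") or ["accepted"])
```

Note what the policy does not do: it does not demand a digit and a symbol, and it does not expire passwords on a schedule. Both push users toward predictable patterns ("Winter2019!") that the breach check catches anyway.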
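The patching tip above is only actionable if you can tell which hosts still run an affected version. As an added example (not code from the original post), the script below checks a software inventory against advisory version ranges and reports how long a fix has been available, which is the "two-month gap" number from the Equifax story. The affected ranges and publication date are entered from Apache's S2-045 advisory (CVE-2017-5638) as I read it and should be verified against the advisory; the inventory and the as-of date are constructed.

```python
# Added example, not code from the original post: check an inventory of installed
# components against advisory version ranges and report how long a fix has been
# available. Ranges and date are from Apache's S2-045 advisory as I read it;
# the inventory and as-of date are constructed.
import re
from datetime import date

ADVISORIES = {
    "S2-045": {  # CVE-2017-5638, the Struts bug behind the Equifax breach
        "component": "struts2-core",
        # (first affected, first fixed) pairs: lower bound inclusive, upper exclusive
        "ranges": [("2.3.5", "2.3.32"), ("2.5", "2.5.10.1")],
        "published": date(2017, 3, 6),
    },
}

INVENTORY = [  # constructed sample
    {"host": "web-01", "component": "struts2-core", "version": "2.3.31"},
    {"host": "web-02", "component": "struts2-core", "version": "2.5.10"},
    {"host": "web-03", "component": "struts2-core", "version": "2.5.10.1"},
    {"host": "web-04", "component": "struts2-core", "version": "2.3.34"},
    {"host": "api-01", "component": "spring-core", "version": "4.3.9"},
]


def parse_version(text: str) -> tuple:
    """Dotted numeric version -> comparable tuple. Tuple comparison gives the
    right answer for 2.5.9 < 2.5.10, which plain string comparison gets wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_affected(version: str, ranges) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def unpatched(inventory, advisories, as_of: date):
    """List (host, version, advisory id, days the fix has been available)."""
    findings = []
    for item in inventory:
        for adv_id, adv in advisories.items():
            if item["component"] == adv["component"] and is_affected(item["version"], adv["ranges"]):
                days = (as_of - adv["published"]).days
                findings.append((item["host"], item["version"], adv_id, days))
    return findings


if __name__ == "__main__":
    for row in unpatched(INVENTORY, ADVISORIES, as_of=date(2017, 5, 13)):
        print("%s runs %s, affected by %s, patch available for %d days" % row)
```

The inventory is the hard part in practice: it has to come from the hosts themselves (package managers, build manifests, container image scans), not from a spreadsheet, or the Struts instance nobody remembered will be the one that is missed.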