Data leaks: the threat does not always come from where you expected
Data protection is necessary for the reputation of every brand, and it is particularly topical for the companies that store private data of their customers. E.g., access to the mobile phone number may mean access to e-money. Data breaches in companies result in the shift of the customers to the uncompromised rivals. Losing data may lead to losing reputation, customers, partners, and in the worst cases the whole business. Make your company trustworthy by protecting it from data leaks. Today we will look upon the factors that put safety of businesses in jeopardy.
In this article, we won’t give you a manual on operating a shredder to destroy your white papers or speak about eavesdropping devices and similar old-fashioned methods. Cyber threats are our subject.
The costs of data breaches are increasing every year although data protection systems are constantly becoming more and more sophisticated. Even the best security software won’t protect you, if you fail to protect yourself. Leaving the laptop unlocked or writing down the password and keeping in on a sticker at a workplace — some people just don’t care until their accounts are captured and the data is stolen. Everyone is responsible for the security of his or her private data, while at work every employee is responsible for the security of the whole business. This is what we are going to speak about today — how to protect your data and what may threaten it.
You may invest in the best security protection technologies including firewalls and antivirus software, but your own employees are the vulnerable spot, especially if they are unaware about the threats. They may share the sensitive data on purpose or by accident or even exploit it.
Edward Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator — Reuters reported.
There are both external and internal causes for data leaks, and they are closely interconnected. The social engineer attack is external, but if your employee has no idea about such attacks and how to deal with them — it is your fault. Mismanagement of business processes involving data exchange, storage and access may bring risks.
The security basics
Even if you have secured your business with the best software available, you should always remember the basics. Take the time to conduct a sensible conversation about security in your company. Oblige your employees to log out when they leave the workplace and turn off the computers at night and for the weekends. Explain which passwords can protect the data, and which would fail. Speak about responding to suspicious emails.
You may be a high profile company, but the negligence of a single employee may ruin your reputation. Are you sure that your priceless accountant with thirty years of experience is as knowledgeable in the field of cyber security as in finance? The awareness of the employees about security is especially important when they have the access to almost all the company data, even if they don’t really need it to perform their duties. Here comes another important point — analyze the system of access to your company data and allow access only for those to whom it is essential.
Who is in the risk zone?
Cyberattacks are not a problem of big companies only. Even small businesses may suffer from hackers and you should never underestimate the risks. Protect your fortress regardless of it’s size. Small companies may be even more appealing for hackers as they are usually less protected than big biz, but they still pose a considerable value.
According to Bloomberg, the industries that most often suffer from breaches are retail and merchant, financial and insurance services, technology and also government and military. Therefore, you should be especially concerned about data security if you represent one of them. Have a look at the full version of this beautiful infographic here.
What are the leading causes of data breaches?
The overview of the most common causes of data breaches is aimed at giving you the understanding of possible vulnerabilities in your own company or your private life. We have summarized the top reasons of leaks into a number of major categories. You are welcome to enhance our list with your experience and expertise!
We have also compiled a sample list of tips on how to protect yourself from these troubles — this is what our next blog post will be dedicated to. Subscribe to our blog to read it as soon as it arrives.
Internal threats
Careless or ill-informed employees may cause accidental data loss
Human error is often the root cause of security breaches. The employees may install malware, share work devices and data with unauthorized people and store the data that should be deleted. When the employees are unaware about the level of safety that different communication services provide, they may use publicly accessible space to share confidential information. There is also a possibility of unintended emailing or interacting with the people to whom the data is not intended. The employees may be attacked by phishers claiming to be a support service or a colleague from the IT department.
Public access
This may not only be the mistake of the employees — sometimes open access to cloud data storage is the way companies maintain their business. When the employer does not provide the people with proper working facilities including data security — the data is exposed to any violations.
Physical loss of the devices
Leaving a laptop on the loose makes it an easy target for intruders, as well as not protecting your mobile devices with passwords. Unlocked computer left in the office for the night may be inadmissible for you, but not for the lazy employees who are convinced that they have nothing valuable to hide. While it may be true for their daily business, they may be even uninformed about their own access to important shared folders.
When the laptop is left in a public place or stolen, the contents of the files is sometimes incomparably more valuable than the device itself.
Password hacked or revealed
While some employees may entrust their passwords to social engineers, the others may use the passwords that can be hacked easily. In both cases, the employees have no intention to do harm, but when it comes to data security, the actions, not the intentions matter. Apart from setting poor passwords, people may use the same password in different systems and never change it. The hackers may not only guess the passwords, but also use special programs for it, which may try different combinations of dictionary words or collect the user’s keystrokes. Some companies use their own names as passwords and then they are surprised when their intellectual property is stolen. Sharing passwords with co-workers is also a common practice that puts data at risk.
Malicious insiders may be acting on their own or on the side of the competitors
The insider scheme has long been in the service of humanity. You can hardly find the ill-minded person within your company, as it is their job to be just like everyone else and mind their business quietly. In this case, the leaks may be constantly affecting the performance of your company.
Using vulnerable and uncertificated software
Saving the money on antivirus and office software may lead to even bigger expenses after the data of the company is compromised. Dealing with untrustworthy providers is putting the data at risk.
As the majority of employees use corporate computers for personal affairs, they may install unauthorized programs both for business and for personal issues without the permission of the IT department. And here comes the next reason of breaches.
The lack of monitoring
When the control over the information flows inside the company is poor — the leaks may be left undetected for years. The employees may reach the parts of the company’s networks that they are not supposed to know about. If the access is open — then there is no guarantee that no one will be curious enough to discover more. Are you sure that you know where your company’s intellectual property is stored, who may view and copy it and to whom it may be passed?
External threats
Theft
The data of the company may be physically stolen when the hard drives are stored unprotected. Thumb drives are even more vulnerable as they are often lost or forgotten. If the data is stored on a single data bearer — then tampering means it is lost forever.
Hacking
When the system is exposed to unauthorized access and the data is fruitful — the criminals may hack it and exploit the information. If there is no encryption — the revelations make the news. Malicious attacks are reported to be the most costly for the companies. The breaches are followed by investigations, reputation expenses and the maintenance of security.
Viruses and malware
Malicious software can be installed by frauds or unintentionally downloaded by the employees. These applications may grab different kinds of data including the passwords, performing half of the job for the hackers that aim to explore the system from inside.
Frauds
Frauds use various techniques to gain access and exploit your data. The easiest way is phishing that accounts for 20% of recorded incidents in 2015 so far, according to Verizon 2015 Data Breach Investigations Report. Sometimes the hackers may be hired by the competitors or even by the government. Cyber criminals may want to benefit from selling the company strategy to rivals or from blackmailing.
Social engineers may manipulate the people inside the company via e-mail, social media, corporate or mobile phone etc. They pretend to be trustworthy and eligible to possess the data, sometimes they may offer help with the computer and name themselves as coworkers. The people who used to have the access earlier can perform the attacks as well when they have the reasons for it.
Ex-employees seeking to ruin their former employer
This is not a tech case, but make sure that your ex-employees are satisfied with the terms of leaving your company. Those who have the grudge against the employer they may try to take revenge. For example, they may copy important databases and use them for their own purposes or pass it to rivals, to headhunters, to journalists etc. Make sure to close access to the working files for ex-employees and to change the passwords that they possessed. Sadly, it is still quite common for employers not to change the passwords because of ‘convenience’.
When a person who is no longer representing your company still has an opportunity to speak on behalf of it — you can only pray that he is a noble man who won’t abuse power. Even if the name of the malevolent person is revealed — sensitive data disclosure may seriously damage the company’s reputation.
Contractor computers may be compromised
While the security within the company may be strong, your contractors may be less concerned about it. The frauds attack the weakest points in the system.
The attack may be also targeted at your business partners or at the provider of the service, which you use for certain tasks.
Cloud applications may be convenient, but unprotected
Cloud storage is convenient, popular and sometimes even necessary. But are you sure that you are the only one who has the access to your data? What about service providers?
In our next blog post, we will speak about combating the breaches. We would be glad to hear about your data protection experience!
VIPole offers end-to-end encrypted messaging and collaboration solutions for teams and enterprises dealing with commercially or personally sensitive information, and individuals wishing to protect themselves from hackers, identity thieves and malware. More at www.vipole.com
