As 2017 comes to a close, we may be celebrating our wins and counting our blessings. It is certainly worthwhile to do so. However, the end of the year is also a good time to reflect on what we could have done better. Regarding information security, Verizon’s 2017 Data Breach Report is a valuable resource that reminds us how we can better secure our information going forward.
According to Verizon’s Report, 61% of data breaches occurred in businesses with under 1,000 employees. The fact that over half of reported breaches impacted small businesses underscores the idea that organizations do not have to be large and established to fall victim to an attack. Criminals will take advantage of the easy targets, regardless of the size of the organization.
Complacency within organizations regarding information security and the thinking that “it’s not going to happen to us” need to stop. Do we really have our bases covered? We would benefit greatly by reviewing the basics, especially phishing (Verizon’s Report shows that 1 in 14 users were fooled into clicking on a link or opening an email attachment) and password strength (Verizon’s data shows that 81% of breaches were due to weak or easily guessed passwords).
Verizon’s 2017 Report points out that criminals have not changed their overall strategies. The data shows that 88% of breaches follow the nine patterns first identified in 2014. By reviewing these attack patterns, we can better plan where to commit resources so we can best defend our organizations from such attacks. We can also understand where dangers lurk, which is critical when developing a new app or creating a new process.
The data shows that attackers favor tried and true strategies, including malware, ransomware, and denial of service attacks. Software updates and security awareness training should be emphasized and done regularly. We can have DDoS mitigation services in place, but the effectiveness of these services hinges on regular testing to see if they actually work.
Attackers also benefit from insider thefts, workers’ errors, and the physical theft or loss of assets. We can look for large data transfers as we monitor workers’ actions, establish processes and procedures to prevent data loss through errors, encrypt data, and discourage hard copy printing of sensitive information.
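As an added example that is not part of the original post, here is one way to implement the “look for large data transfers” check mentioned above: per-user outbound volume from egress proxy logs is compared against that user’s own baseline. The log records, the byte floor, and the deviation threshold are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress-proxy summaries: (user, day, bytes_out).
# These are illustrative values, not real log data.
SAMPLE_TRANSFERS = [
    ("alice", "2017-12-01", 120_000_000),
    ("alice", "2017-12-02", 95_000_000),
    ("alice", "2017-12-03", 110_000_000),
    ("alice", "2017-12-04", 4_800_000_000),  # ~40x her usual daily volume
    ("bob", "2017-12-01", 30_000_000),
    ("bob", "2017-12-02", 28_000_000),
    ("bob", "2017-12-03", 35_000_000),
    ("bob", "2017-12-04", 31_000_000),
]


def flag_large_transfers(records, min_bytes=1_000_000_000, sigma=3.0):
    """Return [(user, day, bytes_out)] for days that exceed BOTH an absolute
    floor (min_bytes) and the user's own baseline: mean + sigma * stddev of
    that user's other days. Requiring both avoids flagging a user whose
    small volumes merely fluctuate, and avoids flagging a heavy but steady user.
    """
    per_user = defaultdict(list)
    for user, day, nbytes in records:
        per_user[user].append((day, nbytes))

    flagged = []
    for user, days in per_user.items():
        for day, nbytes in days:
            if nbytes < min_bytes:
                continue
            # Baseline excludes the day under review so a spike does not
            # inflate its own reference point.
            baseline = [b for d, b in days if d != day]
            if not baseline:
                continue  # first day seen for this user: nothing to compare
            mu, sd = mean(baseline), pstdev(baseline)
            if nbytes > mu + sigma * sd:
                flagged.append((user, day, nbytes))
    return flagged


if __name__ == "__main__":
    for user, day, nbytes in flag_large_transfers(SAMPLE_TRANSFERS):
        print(f"review: {user} moved {nbytes:,} bytes out on {day}")
```

In practice the thresholds would be tuned per role, and a hit is a prompt for review, not proof of theft.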
Point of Sale intrusions, payment card skimmers, and web application attacks round out the other attack patterns for 2017 breaches. To help prevent Point of Sale intrusions, we can deploy validated payment applications and use certified personnel to deploy the POS software properly. Regarding skimmers, we can train workers to identify signs of tampering and implement video surveillance to monitor payment terminals. With web application attacks, we can deploy solutions to monitor for such attacks, limit what data can be accessed through such applications, implement security updates when released, and work with web application software vendors who are trained in secure web application development. In addition, we can encourage customers to use strong passwords for web application access.
Looking ahead, we must maintain activities that we have ideally cultivated into information security habits. These include monitoring log files for suspicious activity, training workers to identify warning signs that may lead to a breach, and limiting system access to necessary staff. We should also continue applying patches promptly, encrypting sensitive data, and using two-factor authentication. Lastly, we must include physical security in our efforts to safeguard our information as not all data theft occurs online.