HOW TO AVOID DATA BREACHES

A data breach is an event resulting in the exposure of sensitive or confidential data, outside of a trusted environment.

Every week, new data breaches are reported across the globe, many of which have far-reaching consequences for companies and their customers. Big multinational companies are often targeted, and hackers have repeatedly gained access to personal details including passwords, email addresses, credit card details and home addresses. This can have a devastating effect on consumer confidence. There’s no mistake about it: data breaches are extremely bad for business.

For criminals, hacking into sensitive or confidential data can be an easy way to gain large financial reward – and their job is often made easier if companies haven’t taken adequate measures to protect their data.

Despite the regular occurrence of data breaches, there are steps you can take to mitigate the risk. Although you may never be able to guarantee your security 100%, companies do have the power to protect themselves and reduce their vulnerability to attack. In this article we’ll explore how data breaches happen alongside the methods cyber-attackers have used to gain access to sensitive data, providing actionable insights and tips on how to avoid a data breach in the future.

In the case of an intentional data breach by hackers, the stolen data is often used for illegal profit. It may be associated with identity theft, allowing criminals to assume false identities to carry out illegal activities, or used by competing companies to gain insights into your business activity. Some hackers even hold companies to ransom, using ransomware to gain access and lock organizations out, in order to demand a payment in exchange for restored access to the IT environment. Hackers may be acting within the company, or outside of it.  In most cases this is a result of an APT (Advanced Persistent Threat) that succeeds in penetrating the corporate infrastructure.

Accidental data breaches may not be intended, but the end result may be just as harmful for business. This type of data breach may be caused by technical issues (if software is vulnerable to attack) or human error (if systems or security are incorrectly configured) on the part of the system administrator or DBA. A common example is the deployment of a cloud-based resource without either being aware of or following best practices.

Inadvertent data breaches differ in that they stem from mistakes or oversights that the users of data are responsible for as opposed to the admins.  Sometimes employees may unwittingly allow access to data to other employees that should not have access to perform their job but lost or stolen mobile devices, portable storage devices, errant e-mails, and hard copies are also equally common examples.  This attack can also be due to depraved indifference where users simply don’t care or assume “someone else will take care of that – not my job.”

• Spyware and viruses, where malicious software is installed in order to gain access to sensitive data. This can often be prevented using up-to-date anti-virus software, but cyber-attackers are always working to detect vulnerabilities and exploit them.
• Phishing and smishing. Phishing is a technique used to fool unsuspecting users into giving up personal information such as usernames and passwords. It’s commonly done using email, but smishing uses SMS text messages to achieve the same goal.
• Unsecured access points such as weak passwords or system structure failure. However diligent website administrators are, they are only human and may forget to secure back-end data. If someone really wants to hack into the IT environment, they will try hard to identify any of these vulnerabilities.
• System glitches. A bug in your code, or other problems within your IT system can leave it vulnerable to a data breach.

Because hackers are always developing new methods of attack, it can be easy to fall victim to a new scam. For example, Business Email Compromise (BEC) is a form of phishing that is now gaining traction among cyber-thieves. This involves the impersonation of a person of importance within an organization, by constructing a false email to lure an employee to give up user access credentials, or to click on a link which may deliver malware, a Trojan, or other malicious payload.

Sometimes, data breaches happen when companies are slow to respond to common vulnerability exposures (CVEs) or install the latest security patch. These breaches, known as CVE and patch exploitation, allow hackers to gain access through these security gaps in order to attack a company.

In 2020, phishing and malware are the two most common attacks attempted against businesses of all sizes, but other cyberattacks are close behind. You can use the analogy of holes in a boat – as one attack method is shown to work, it becomes commonly used – like water rushing to a hole. Hackers and cybersecurity bad actors typically take the easiest route in attempting to gain access or data from a target. Right now, phishing is a low work strategy with potentially high rewards: it is very easy to find millions of email addresses in the dark web, construct an email, and attempt to phish out information (such as access credentials) to unsuspecting targets.

The biggest data breaches to date have affected giant multinational corporations including Microsoft, FedEx and British Airways. In 2018, Marriott Hotels revealed that personal data, including credit card details, belonging to up to 500 million guests had been accessed by hackers. Meanwhile, internet giant Yahoo! was breached on two separate occasions, suffering attacks that affected every one of its 3 billion users.

Data breaches aren’t always related to the security of your data right now. In September 2019 it was discovered that the phone numbers of 20% of Facebook users (419 million people) were freely available in a database online, having been gathered when developers had access to these details. This permission was revoked in 2018, but it shows how easily historical vulnerabilities can be exploited.

Every organization on the planet needs to have some sort of data security program in place. Whether they outsource the data security management to a MSSP (Managed Security Service Provider) or opt to host data security management in-house, it needs to be done. There are now too many ways in which sensitive or confidential data can be exposed when it should not be. Therefore, companies need to do more in their effort to protect the data.

Unlike most other solutions, comforte protects the most sensitive and valuable asset held by any company – their data. 

A data breach happens when sensitive data is found and exfiltrated (on purpose or by accident). Removing the word ‘sensitive’ and replacing it with ‘random’ produces a “data breach of random data”. Imagine the letters used in the board game ‘Scrabble’ dumped all over the floor, exposed for the world to see. This wouldn't be considered a data breach by data privacy regulations such as GDPR, nor by privacy professionals.

comforte’s data-centric solution does just that – it anonymizes and protects sensitive data, wherever and whenever it is used. Our universal solution transforms sensitive data – including names, social security or tax ids, credit card numbers, user ids and email addresses – into random characters which have no meaning. 

The value companies receive are two-fold: 

1. The rest of your company’s security layers immediately receive a reduction in risk. Anti-virus and spyware software solutions become stronger; anti-phishing and smishing solutions become stronger; firewall and perimeter defenses become stronger – because the small amount of risk that these solutions have (if and when an attacker is able to get past) are then protected by comforte’s second layer of sensitive data anonymization. Think of comforte as additional insurance for when your existing security layers fail.

2. This extra layer of protection enables companies to take a step towards meeting the compliance and regulatory requirements of data privacy laws and standards. At a minimum, data privacy laws and standards state that organizations must have ‘reasonable data security’ in place. Anonymizing sensitive data is more than reasonable – it is highly effective! 

The first-line defense against spyware and viruses is to install the best anti-virus protection software and the best intrusion detection system available. 

That being said, simply installing such software is not enough as both of these products may fail – for example, if a new virus bypasses the anti-virus detection, or if very sophisticated spyware manages to get past the intrusion detection software. If the data protected by such software is in clear text form, the attacker may be able to gain access to it.

To prevent this, comforte AG offers a solution which does not leave text in clear text form. Therefore, if (or when) a spyware element or a virus get past these security layers, sensitive data is still not exploitable by an attacker.

There are common-sense actions that companies can take to stop successful phishing and smishing attempts. These include using anti-phishing and anti-smishing products, as well as offering training classes to educate employees to be less susceptible to attacks. 

However, it’s vital to address what might happen if a phishing or smishing attempt does succeed. In the same way that comforte AG protects against spyware and viruses, we deliver a data-centric solution that protects sensitive data in clear text form. Even if a hacker gains access to your data, it can’t be exploited.

End-point-protection software solutions look to prevent malware or bad-intended code being executed on end-points, which can access sensitive data. As discussed above, comforte AG provides an extra layer of security beyond this, by ensuring that sensitive data is not stored in clear text form. If an attacker was able to take over an end-point and then request sensitive data held by a company, any data they received could not be exploited.

comforte AG does not put in additional controls at each layer of the cybersecurity defense landscape. Instead, our solution places protections on the data itself – adding an extra level of protection to ensure that sensitive data can’t be read or exploited, even if a hacker manages to bypass anti-virus software and other protective measures.

Data security across the globe

The United States is still the number one country in terms of targets, due to the amount of data requested and collected by many companies. However, no country is immune to attack. In September 2019, a data breach resulted in stolen data from citizens in Ecuador, and similar incidents have occurred in both Panama and Australia earlier in the year. No country is safe from hackers and bad actors in today’s cyber-world.

While the technical aspects of data security are the same throughout the world, regulations differ from nation to nation. According to the United Nations Conference on Trade and Development, there is some form of data privacy legislation active in 107 countries worldwide, so it’s vital for companies to ensure compliance wherever they operate. Typically, regulations will stipulate that companies must inform individuals if their data has been breached. They may also be liable for a fine.

• Internationally, companies receiving payments must comply with PCI DSS, the Payment Card Industry Data Security Standard.
• In Europe (including the UK), companies need to be aware of and comply with GDPR, the General Data Protection Regulation.
• In the USA, there is no single piece of data protection legislation; companies must comply with multiple laws that are often sector-specific.

Data breaches in different industries

For a long time, the financial industry was the sector most targeted by cyber-attackers, due to the ease with which hackers and bad actors could gain access to credit card data. These days, it’s harder for cyber-attackers to achieve their goals, due to the rise of secure solutions for merchants and retailers, open banking applications and financial institutions.

Now, it seems that the healthcare industry is becoming the most targeted sector, due to the amount of personal data stored. This is attractive to hackers, who stand to gain access to names, addresses, birthdates, social security numbers, insurance numbers, payment information, data relating to family and relatives, and more. This information can be used for identity theft, as well as other forms of cyberattack.

How to avoid a data breach – actionable tips

In today’s world, technology is changing so fast that it may be impossible to guarantee that any company can avoid a data breach. The goal for companies must be to take steps to reduce the likelihood of this happening, by protecting their data as far as they can. For companies holding and processing large volumes of data, a big data security strategy is essential.

Data security best practices include:

• Putting in place a company-wide security policy, and offering staff training to ensure compliance. This should educate staff on issues such as phishing and make provision for remote working, mobile devices and the Internet of Things.
• Restricting access to sensitive data.
• Using a firewall and data encryption.
• Installing the latest anti-malware software and keeping this updated.
• Regular data back-ups.
• Implementing biometric security measures where possible, in addition to password protection. This multi-factor authentication approach will make it harder for unauthorized individuals to infiltrate your data.

Recently there has been a shift towards a Data-Centric Approach – the top focus for comforte AG – allowing organizations to protect the sensitive and confidential data itself, rather than simply putting security on the environments around the data. This involves tokenizing or encrypting sensitive or confidential data, so that even if a hacker bypasses a firewall and gains access to cloud-based systems, the actual data is still protected. This reduces the threat of a data breach incident because the data doesn’t get exposed to the outside world. 

How to identify if your company’s data has been breached

Your company may not be the first to know that its sensitive or confidential data has been accessed. Many past data breaches have been discovered by sources outside of their company – cybersecurity professionals, government agencies with a focus on cyber-protection, and sometimes white-hat hackers. Discovery of a data breach may not happen immediately, and could be several years after the event. However, there are steps that companies can and should take to detect cyber-incidents or data breaches when they happen. 

Monitoring and reporting with SIEM and SOC

Technologies that can identify a data breach usually have a Security Information Event Management (SIEM) component installed on as many end-points in their IT environment as possible. SIEM components report suspected security events to a central server, where a security team is monitoring. Companies may also have a SOC (Security Operations Center) which monitors security events, investigates possible threats to the company, and may even defend the company against cyberattacks. 

If a data breach is detected, it’s important that you act quickly to inform the individuals affected and to address the cause of the breach. Passwords and other access credentials should be changed, and you may need to freeze access to sensitive data such as financial information.

Act now - Get expert help to protect your data!

Has your company been hacked in the past, or would a future data breach have a devastating impact on your business? As we’ve seen, it is imperative for companies to act urgently to protect their data.

As well as the threat of a data breach and its consequences for business, companies must also comply with relevant data security and privacy laws. This may not be possible with your existing infrastructure, but you must take action to protect the company’s data or you could face potential legal action.

At comforte, our data security experts have been working to combat cyberattacks for almost a decade, and our customers include the two of the largest credit card processors in the world. We can help you protect your data!

Contact us for secure solutions, peace of mind and expert advice on how to avoid a data breach. Simply fill out the online form below and hit send or call one of our international offices directly today.