Data Security. So many businesses leave their data exposed, That doesn t mean you have to Computerbilities, Inc.

Transcription

1 Data Security So many businesses leave their data exposed, That doesn t mean you have to Computerbilities, Inc.

2 Table of Contents: 1. Introduction 3 2. Cybersecurity: The loopholes in the system 4 3. Danger: Cybercrime in progress 6 4. Complexity doesn t have to be complicated 7 5. Security Essentials 9 Computerbilities, Inc. 2

3 Introduction It s not a matter of if someone will attempt to breach your network, but when an attempt will occur. While technology may be developing at an incredible rate, the development of data security is usually slower, and many times only happens after we experience a disastrous data breach (such as with Target, Michael s and Neiman Marcus), or after we learn about a system bug (such as Heartbleed). But this isn t good enough anymore. Most of the world s financial and personal information is digitized, so any breach in data security is 21 st Century robbery, and any loss of data from mishandling or natural disasters is often catastrophic. We often think that these things will not happen to us. We will not experience a breach as destructive as Target and Neiman Marcus experienced, or be effected by a bug like Heartbleed. We reason that the smaller businesses are not as desirable to cybercriminals, but the fact is if you do not have any security measures in place, then your data may already be compromised. In 2013, Norton 1 reported that globally more than 1 million people were victims to cybercrime daily, which means that there are about 12 victims every second. This usually happens because network security is lax or nonexistent. Do not be like Target, Neiman Marcus and OpenSourceSSL and wait for a data security disaster to occur before you take action to protect your information; by then it will be too late. Learn from the mistakes of these large players and protect your data before a security breach or loss occurs. With this report, we will help you prepare by making you aware of the potential risks and how you can protect your data from them. 1 Computerbilities, Inc. 3

4 Cybersecurity: The loopholes in the system The past two years have seen significant breaches in cybersecurity. In 2013, Target and Neiman Marcus became victims to the largest breach yet, exposing over 110 million 2 customer s financial and personal data. This happened because of vulnerabilities in Target and Neiman Marcus cyber security. This was predicted in 2012 by Darryl Plummer 3, the Managing Vice President and Gartner fellow: He said that through 2016, the financial impact of cybercrime will grow 10% per year, due to the continuing discovery of new vulnerabilities. While Plummer didn t predict these specific events, he was dead right when he predicted that there would be an increase in the cost of cybercrime as we discovered vulnerabilities in our security systems. But what were the vulnerabilities at Target and Neiman Marcus? It is suggested that about two months prior to what would become known as the largest security breach to date, cyber criminals began sending out troves of phishing s. Later, they sifted through the collected information to find promising potential victims. One of these s made it to an HVAC firm connected to Target, where an unsuspecting employee opened the malicious allowing malware to infect the system. The malware eventually allowed the hackers to gain access to the Point-of-Sale devices and made off with the financial information and personal data of millions of unsuspecting shoppers. In July of 2013, Neiman Marcus 4 was similarly breached. Hackers gained access to their systems and continued to steal card information from customers until October 2013, when the breach finally came to light Info/cat /c.cat?icid=topPromo_hmpg_ticker_SecurityInfo_0114 Computerbilities, Inc. 4

5 Although hackers are responsible for these attacks, the attacks were also made possible by vulnerabilities in Target and Neiman Marcus cyber security. One report 5 stated that Target may have inadvertently made it easier for attackers by leaving massive amounts of internal documentation for vendors on its various public-facing Web properties that do not require a login. This means that Target allowed large amounts of sensitive information to remain on their public facing systems for significant amounts of time, without requiring users to log back in. This leaves data vulnerable and easy to access because the data is not encrypted during that time. So what were the vulnerabilities in Target and Neiman Marcus cyber security? It all comes down to negligence to their cyber security system. One of the first steps to having strong cyber security is being educated about the potential dangers to your data and knowing best steps for avoiding those dangers. It s impossible to know if the HVAC firm educated their employees on how to identify questionable s and links, but if you do take the time to educate your employees than you will decrease the risk of having your network compromised the same way Target s was. You have probably heard the saying Time is money, well, in this day and age, so is information. The breach cost Target $17 million 6 in expenses and caused their profits to fall by 46%, but it also cost many of their customers to lose money as well, which isn t good for customer loyalty. This is why it is critical for your business that you plan ahead by having strong data security measures in place. The time and money that you will put into data security will be far less than the time and money you could lose if your data is stolen or lost. Making sure you have excellent network security can seem daunting, because there are so many different levels to keeping your data secure, but it is quantifiably worth it in the end Computerbilities, Inc. 5

6 Danger: Cybercrime in progress Protecting your data against cybercrime is only one aspect to data security. Data can also be exposed or lost due to bugs, negligence, because of a lost or stolen device, or even because of a natural disaster. Data loss is data loss, and the cost is just as steep, no matter if it was stolen by cybercriminals, misplaced or destroyed in a disaster. In the 2013 Cost of Data Breach study, it was reported that negligence and system glitches together accounted for 64 percent of data breaches last year. These can include employees mishandling information, violation of industry and government regulations, inadvertent data dumps, stolen laptops, and wrongful access. Heartbleed, a bug found in OpenSourceSSL in March 2014, is one such system glitch. OpenSourceSSL is a free cryptographic software library. The code in OpenSource is the foundation for about 2/3 of all websites. In 2012, the Heartbleed 7 bug, which is a piece of faulty code, was introduced to the system allowing an unwanted third party to access sensitive information (such as certificates, usernames and passwords, s and documents) without you ever knowing that your data security had been compromised. This was not an attack. It was not planned by cyber criminals, it was, simply an accident. However, it was an accident that exposed 2/3 of the web to high risk. Picture this: While a bank is being built a tunnel is mistakenly included in the blueprints and added to the building. This tunnel allows direct and unobserved access to the vault. Anyone who knows where to find the entrance to this tunnel can now waltz right into the vault and take whatever they like, without anyone every knowing. Heartbleed was like that tunnel, and while Heartbleed has been patched, it doesn t mean that this cannot or will not happen again. The best thing you can do is stay informed on the latest breaches and bus. That way, you will be able to act quickly when you need to. 7 Computerbilities, Inc. 6

7 What should we learn from Heartbleed? In their annual 2014 security report, Cisco 8 summed it up nicely: There should be an assumption by all users that nothing in the cyberworld can or should be trusted. You should never assume that an application you are using has all of its glitches and vulnerabilities worked out. But you should assume that something will go wrong eventually. So plan for the future. This way, you will be ready and the likely hood of your data being exposed will be exponentially smaller. Sometimes, it is an accident or disaster that exposes your data. It was reported by Aon Benfield 9, that the global cost of natural disasters to businesses totaled $192 billion 10 in In the US alone, we have seen an incredible amount of natural disasters in , including earthquakes, tornadoes, and massive snowstorms. Chances are that your business will be affected by a natural disaster at some point, and it is best to be prepared. Accidents that leave your data exposed can happen at any time. Work phones or laptops can be stolen, lost or broken, causing exposure of critical data that could be taken advantage of by cybercriminals or a disruption in business continuity costing you time and money. Complexity doesn t have to be Complicated In the past year, reporters have started to use words like cybergeddon or digital apocalypse to describe what the last two years have been like for data security. Sometimes it feels like it is impossible to guarantee the safety of our sensitive and critical data. How can you possibly protect yourself against cybercriminals, system glitches, negligence and natural disasters all at once? In some sense, it is as simple as this: be prepared. Learn about the various risks to your data, and stay current on security risks and best practices. Some people were exposed longer by Heartbleed because they had no idea it existed. For example, about 900 social insurance numbers were accessed from a Heartbleed breach at a Canadian Revenue agency. The hackers had access to the data for six hours before anyone found the breach, which is why they were able to get so many social insurance numbers Computerbilities, Inc. 7

8 There are also a few relatively simple things that you can do to make sure your data is secure. First, always use a complex password 11. This means that your passwords should have a combination of upper and lower case letters, numbers, and symbols. By always using a complex password, you will be increasing the complexity of your password when it is stored and encrypted, making it harder for hackers to break your password and gain access to your information. Passwords are the first line of defense, so you need to make sure your defense is strong. The next line of defense is data encryption. One of the reasons hackers were able to steal so much data from Target was because of the lack of encryption. With most business services, there is a timed log-out setting. This means that if you are inactive in your for a while, the software will automatically log you out. This is a great security measure because it means your data is encrypted again after a set amount of time. Target didn t have this feature on their public facing web properties, so customer data was left exposed, and could easily be stolen by cyber criminals. It s not only important that you have encryption, but it s important that you determine the level of encryption. 256-AES is currently the highest encryption standard. With 256-AES, it would take a supercomputer longer than the age of the universe to crack the encryption (which is longer than 149 trillion years). Eventually, someone will probably find a way to crack 256-AES encryption, but in the meantime, it will take a cybercriminal an annoyingly long time to break the encryption and steal your data, so they would likely move on to someone else. If a cybercriminal does break your password or gain access to your device through a phishing or a watering hole website, then they will use viruses or malware to begin siphoning out your data. The best way to protect your data against computer viruses and malware is to install antivirus software, such as 11 Computerbilities, Inc. 8

9 Vipre 12, McAfee 13, or Symantec 14. And these companies can secure all of your devices, including your mobile devices, making sure that your data is secure no matter which device you are accessing it from. While these steps can help insure that your data remains secure and exactly where it should be, they will not help maintain business continuity should a breach, disaster, or accident occur. If something should happen and you should lose your data for some reason, having backup redundancy or a Business Continuity Plan may be the only thing that keeps your business going. There are several different kinds of backup: image, tape, hard drive and cloud are a few. They each have their strengths and weaknesses, and they will all fail you eventually. That is why backup redundancy is so important. You should always have both on-site and off-site backup, and several different forms of backup. If one backup fails or is destroyed, you will have other options. Security Essentials No matter what business you are in, you have a network that contains data which is vital to the continuity of your business. This is why it is essential that your data stays secure. You will need to have protection in place in the case of a security breach; negligence or accidents; and natural, or man-made disasters. Many aspects of data security are relatively simple, such as using complex passwords, making sure your cloud service uses AES- 256 bit encryption, having redundant backup, and using antivirus software. But data security also requires that you stay up to date with the latest security breaches, bugs, and best practices so that you will know when you need to update your security system. Do not be like Target or Neiman Marcus and wait for the cybergeddon. Act now so you do not have to spend more money later Computerbilities, Inc. 9

10 To help make this easier for you, we have come up with 5 Security Essential: 1. Backup Before you do anything, you need to backup your network. If you lose your data for any reason, having backups will allow you to get your business back up and running. 2. Security Audit If your IT support has not done a security audit on you network in a while, this is a good place to start. A Security Audit will let you know exactly where the holes in your data security are. If you don t have IT support but would like to know how secure your network is, we will come and give you a free security audit just call us at (919) Antivirus Antivirus software will seek out and remove, or sometimes quarantine, potentially harmful programs on your network. If you don t have antivirus software set up on your computer, set it up now, and if you already have antivirus software, make sure it is kept updated. 4. Firewall A firewall will help prevent unwanted third-parties from getting in. Unlike antivirus, firewalls do not actively seek out and remove harmful programs, instead it filters programs before they enter your network and only let those that you allow or are secure in. 5. Spam Filter A spam filter will check all incoming mail for viruses and spam, keeping both out of your inbox. Make sure that your has a spam filter because it will help protect you against attacks, such as phishing scams, and viruses. This list is not exhaustive but it is a good place to start when setting up data security on your computer network. Computerbilities is dedicated to providing accessible, understandable, and, most importantly, preventive IT support. If you have any questions about data security, please do not hesitate to contact us at (919) , or by visiting our website: Computerbilities, Inc. 10