Unconventional Data Breach Preparedness
One of the major mistakes companies often make when developing a data breach plan is taking a one-size-fits-all approach, wrote Michael Bruemmer of Experian Data Breach Resolution.
Experts have found that not every data breach fits a standard pattern. It depends on why thieves want the information.
Data breach prevention strategies should take account of all the different types of data breaches on the threat horizon today. Here is a review:
- Conventional: Information thieves launch a cyber attack and copy or transmit confidential data. Identity theft motivated 53% of these breach incidents in 2015, according to Safenet-inc.com, a data protection company. The most sought-after information is personally identifiable information (PII), which can be used to open lines of credit. Thieves also sell financial information. While credit and debit card numbers are still being targeted, chip-and-PIN cards protect against the conventional data breach because the cards don't share account data or any personal information.
- Secondary: When there’s a ‘secondary’ motive, cyber criminals hack into a website and use malware with the intention that the true target will become infected. In effect, the owner of the website is just a stepping stone to the real victim, according to the 2015 Data Breach Investigations Report.
- Embarrassment: Cyber thieves use stolen information to embarrass an organisation or an individual. A good example is the high-profile breach against the adultery website Ashley Madison. Clients of the website were embarrassed by the affiliation.
- Activism: Issue-motivated attacks can damage an organisation’s reputation too. The hackers who targeted Ashley Madison actually wanted to shut it down. Any organisation is at risk of this type of attack. Environmental extremists might target an energy company. ‘Hacktivists’ might expose a company’s labour practices. While customers are not a primary target, they are often affected because their information is exposed, said Bruemmer in a recent blog post.
- Harm: In 2015, ‘nuisance’ breaches accounted for a small but significant number of breaches. These breaches involve the theft of seemingly innocuous information, such as email exchanges, which is then used to harm individuals and companies. One example is the theft of medical records, which harms victims when their personal health conditions are exposed. Not only is this embarrassing, but the information can also impact employment and other opportunities.
Small and large organisations should be prepared for all types of data breach. Here are some best practices.
- Assess the types of customer records being stored and practice good data hygiene. Secure records that have obvious value to information thieves. Secure other records that may seem less valuable but, if exposed, could be used against the company or customers.
- Equip devices with the best safeguards including firewalls, multi-factor authentication, encryption and up-to-date anti-virus software.
- Restrict access to sensitive data, and use a comprehensive document management process.
- Provide ongoing security awareness training.
- Update the incident response plan regularly – and practice it so everyone knows what to do when there’s a cyber attack.
- Partner with a document destruction company that has a chain of custody and secure on- or off-site destruction services for both paper and digital information.
Implementing a clean desk policy can reduce the risk of internal fraud in your workplace.