Keep Your Organization Out of the News

It’s really just another normal day at the office when we hear that another data breach has occurred or that a fresh batch of sensitive data has been found for sale on the dark web. A greater focus should be on what we can do to protect our organizations and ourselves from this onslaught of cybercrime.

Sometimes it is helpful to know what the thieves are after. It includes information of all types. Often it’s called “confidential” or “sensitive.” Both categories are valuable to identity thieves and those wishing to part you or your organization with its money. Some of the information they seek includes:

  • Names
  • Addresses, physical and email
  • Social security numbers
  • Financial accounts and other related data
  • Debit and credit card numbers
  • Online login credentials for any account
  • Security questions and answers
  • Birth dates
  • Driver’s license numbers

This list can get lengthy, but all of it has some value on the dark web. For example, it is suspected that there are groups that collect data and put it together to sell to identity thieves. You may not think there is harm in advertising your title on social media, or other sites, but spear-phishers use that information to do a variety of things such as business email compromise (BEC). The FBI warned that the dollar figure in losses due to this type of fraud surpassed the $3.1 billion over the last three years!

What can you do to prevent theft of this information?

While this list can also get long, let's start with these items:

  • Create policies and processes regarding performing financial transactions and proper data handling.
  • Train employees on security and how to form and maintain safe data handling habits. Train them about phishing, strong passwords, and the importance of following procedures when it comes to financial transactions and data handling.
  • Require your vendors and contractors to abide by your policies and include penalties for non-compliance.
  • Enforce your policies.
  • Create and perform an annual review of your security and security response plan. Make adjustments as needed.
  • Create a patching schedule and plan so that all systems can be kept up to date.
  • Ensure that all systems in your organization have anti-malware software and that it is kept updated.

The cyber criminals use a variety of methods to get into a network and they don’t necessarily limit themselves to one way at any given time. They often combine phishing with malware attacks, or online advertising with malware called malvertising. In addition, ransomware and scareware are also lucrative methods for hackers to get information and money from victims. However, do not pay to get data back. Instead, put a good backup process in place so you can restore from a recent backup, should ransomware strike.

Don’t forget that accidental release of information is also a way that data gets into the wrong hands. Lost and stolen laptops and portable drives are one way. A few years ago a field was littered with sensitive and confidential information on dental patients with no real explanation as to how it got there. Not so long ago, medical records from a radiology center were found scattered along a freeway when a waste disposal company did not properly follow processes for caring for the documents.

Even simple mistakes such as a typo in a web address can lead to a serious data breach. So take some time to make sure your organization is not the next one in the news headlines putting others’ information at risk for identity theft.