December 28, 2015

Are You Prepared for These Kinds of Unconventional Data Breaches?

One of the major mistakes companies often make when creating a prevention strategy for data breaches is taking a one-size-fits-all approach, wrote Michael Bruemmer of Experian Data Breach Resolution.

Experts have found that not every data breach fits a standard pattern. It depends on why thieves want the information.

Here are a few examples of some of the different types of data breaches on the threat horizon today.   

  • Conventional: Information thieves launch a cyber attack and copy or transmit confidential data. Identity theft motivated 53% of these breach incidents in 2015, according to Safenet-inc.com, a data protection company.The most sought-after information is personally identifiable information (PII), which can be used to open lines of credit and re-direct tax funds. Thieves also sell financial information. While credit and debit card numbers are still being targeted, new EMV chip cards protect against the conventional data breach because the cards don't share account data or any personal information.  
     
  • Secondary: When there’s a ‘secondary’ motive, cyber criminals hack into a website and use malware with the intention that the true target will become infected. In effect, the owner of the website is just a stepping stone to the real victim, according to the 2015 Data Breach Investigations Report.
     
  • Embarrassment: Cyber thieves use stolen information to embarrass an organization or an individual. A good example is the high profile breach against the adultery website. Clients of the website were embarrassed by the affiliation.    
     
  • Activism: Issue-motivated attacks can damage an organization’s reputation too. The hackers of the adultery website actually wanted to shut it down. Any organization is at risk for this type of attack. Environmental extremists might target an energy company. ‘Hacktivists’ might expose a company’s labor practices. While customers are not a primary target, they are often affected because their information is exposed, said Bruemmer in a recent online blog.  
     
  • Harm: In 2015, ‘nuisance’ breaches accounted for a small but significant number of breaches. Information thieves stole seemingly innocuous information such as email exchanges – and then used it to harm individuals and companies. A survey from the Medical Identity Fraud Alliance found 45% of victims were harmed when their personal health conditions were exposed. Not only was it embarrassing but the information may have impacted employment and other opportunities.

Small and large organizations should be prepared for all types of data breaches. Here are best practices.  

  • Assess the types of customer records being stored and practice good data hygiene. Secure records that have obvious value to information thieves. Secure other records that may seem less valuable but if exposed could be used against the company or customers.  
  • Equip devices with the best safeguards including firewalls, multi-factor authentication, encryption and up-to-date anti-virus software.
  • Restrict access to sensitive data, and use a comprehensive document management process.  
  • Provide on-going security awareness training.
  • Update the incident response plan regularly – and practice it so everyone knows what to do when there’s a cyber attack.  
  • Partner with a document destruction company that has a chain of custody and secure on- or off-site destruction services for both paper and digital information.  

Implementing a clean desk policy can ensure your office place reduces the risk of internal fraud.