2017: The Year of the Cyber Attack

Cyber security problems will increase in 2017, warns Experian Data Breach Resolution, a branch of the credit reporting giant. In its 2017 Data Breach Industry Report, Experian noted it expects to see several new—and frightening—trends:

– “Aftershock” password breaches becoming more common
– Nation-state cyber-attacks moving from espionage to war
– Healthcare organizations becoming the most frequently targeted sector
– Criminals focusing on payment-based attacks
– International data breaches causing “big headaches” for multinational companies

“Aftershock password breaches” can affect organizations that have not experienced a breach of their own data. They occur when criminals use the passwords obtained in a data breech to try and break into other networks. Organizations that see repeated unauthorized log-ins need to notify their customers that their data might have been misused.

Action step:
Strengthen data protection and make unauthorized log-ins more difficult by using two-part or multi-part authentication protocols. As the name implies, two-part authentication requires more than a password. The user must provide something additional, such as a physical object like a bank card or USB stick with a code; provide secret information, such as a PIN or code from a text message; or match a biometric marker on file, such as a fingerprint, voice, eye iris, etc. Of course, these actions should be just a part of your comprehensive cyber security plan.

What Is Cyber Security?
Cyber security involves protecting your organization’s digital information by preventing, detecting and responding to cyber-attacks. Cyber-attack dangers include viruses erasing your entire system, someone breaking into your system and altering files, or someone using your computer(s) to attack others. However, the biggest cyber security problem that businesses and nonprofits face is protecting the personal identifying information, or PII, of their clients and prospects. Many organizations today use or store PII. PII is information that can be used to uniquely identify, contact or locate a single person. PII includes but is not limited to:

– Full name
– Social Security number
– Address
– Date of birth
– Place of birth
– Driver’s license number
– Vehicle registration plate number
– Credit card numbers
– Physical appearance
– Gender or race

When you store someone’s PII, and that information is stolen or compromised, you are responsible for notifying them of the breach. That costs time, money and reputation. If criminals use PII for identity theft, you could be liable for helping victims resolve the problem, a costly and time-consuming process.

The National Cyber Security Alliance (NCSA), a public/private consortium, reports that 69 percent of small businesses have “… sensitive information, including customer data.” Hackers are increasingly focusing on small businesses, knowing that they have fewer resources to protect with which to protect that data. The NCSA also points out that only half of small businesses (52 percent) “have a plan or strategic approach in place for keeping their business cyber secure.”

What Can You Do?
All organizations particularly organizations that use or store others’ PII, need a comprehensive data protection plan. The failure to form a system of prevention and a plan of action in the event of a breach, can result in serious liability exposures. At a minimum, you should be doing the following to protect your data:

– Make sure all company computers have the latest security software, web browsers, and operating systems to protect against viruses, malware, and other online threats.
– Turn on automatic software updates, if that’s an option. Many updates specifically address known security risks.
– Scan all new devices, including USB devices, before they are attached to the network.
– Use a firewall to keep criminals out and sensitive data secure.
– Use spam filters. Spam can carry malicious software and phishing scams, some aimed directly at businesses.
– Adopt a privacy policy and post it on your website and other online sites. Your policy tells customers what information you collect and how you use it.
– Know what customer PII you’re storing, including where you store it, how you use it, who can access it, and how you protect it. Delete any information that is not necessary.

If you’re not educating your employees on avoiding risky online behavior, your system is still vulnerable – regardless of the other security measures you’ve put in place. The Workplace Security Risk Calculator lets your employees gauge the level of risk their online behaviors pose. It’s available free at Staysafeonline.org.

If you don’t have the time or resources to create your own cyber security audit and plan, your ISP may offer specialized services for small businesses. The NCSA has a list of other resources available here.

No cyber security program is complete without insurance. Cyber insurance can protect your organization from the cost of correcting a security breach and notifying victims – and even help protect them from identity theft.

For more information, please either call or email Barker Phillips Jackson at: 417-887-3550 or ins@bpj.com.