Cyber criminals are searching for personal information in a variety of places. Logins, passwords, Social Security numbers and many other identity-threatening info thefts are top of mind for many malicious hackers in cyber space.
These gold mines of sensitive data are big concerns to organizations like yours as well. In fact executives—some from very visible companies— have been forced to resign over data breaches or attacks in the past couple of years as a result of poor management of sensitive data.
Of greater concern: the majority of crimes focused on pilfering and stealing sensitive information go unnoticed for weeks or months, leaving incredible numbers of clients, customers, donors and patients at risk of additional identity years into the future.
Because 2019 has been an incredibly awful year in terms of data loss, I want to step back and review some of the biggest ways criminals have been able to get your sensitive information over the past few years. The startling take home you’re going to see is that we haven’t been learning from our mistakes.
Misconfigured Cloud Storage—cloud attacks have become a growing concern over the past few years—accounting for nearly half of all attacks in 2019 (compared to a third just a couple of years ago).
The problem with cloud?
Most business leaders perceive cloud as being secure. It’s not onsite and is out of sight to many of us. What many do not realize is that cloud storage means moving that server (that might have at one period in time been stored and maintained at your office) to a rack in a data center. Someone still would have to make sure that updates have been applied to it as it would if it were in your server closet.
I am an advocate for cloud solutions, as they can save you resources, time and money, but realize that simply putting your data in the cloud does not automatically mean it’s secure. For example, over half of organizations that store data in the cloud fail to encrypt sensitive information, leaving it even more accessible to attackers if that server or data center were breached.
Cyber criminals are focusing their eyes on data centers because they store treasure troves of data, more bang for their buck than simply attacking one single network’s worth of data. Accessing the information through employee credentials, insecure infrastructures, or even data centers that are not complying with basic cybersecurity hygiene are leaving organizations less secure in the cloud than they’d hoped.
Negligent and careless third party cloud vendors have left the likes of Facebook, Microsoft and Toyota to massive data breaches, leaving millions of customers with released records. And despite these alarming incidents, many still remain convinced that cloud storage is the safer alternative. [Note: if you are concerned about your data being secure, most experts recommend a network security assessment to find out where your real vulnerabilities lie].
Dark Web—information on the Dark Web is only growing and the bulk of it is related to sensitive data from your users and clients. As of earlier this year when I last checked the totals, 2,692,818,238 passwords were completely exposed in plaintext on Dark Web pages. The likelihood of you or someone you know having exposed data is no longer miniscule. As your organization or someone you work with undergoes a data breach or cyber event recovery effort, the likelihood that information from sensitive databases being exposed is entirely possible.
How can you address Dark Web password issues?
Continuously monitor the Dark Web for any leaks and share any potential weaknesses with those within your organization that are involved.
Targeted password re-use attacks—where criminals take exposed credentials and reuse them on your corporate network or attempts on other accounts is one of the easiest ways for criminals to steal and breach networks today. While one exposed password may seem trivial, re-use attacks are strikingly efficient at getting attackers into new depths of your and your team’s personal and business accounts (over 60 percent of users admit to reusing passwords across personal and work accounts!).
How can you deal with this growing problem?
Make sure that your digital assets and accounts are visible and tracked. Get your employees to do the same with their personal accounts—ranging from social media to banks. Have an enforced password policy in place and get your team to understand the importance of choosing and maintaining their passwords wisely.
Abandoned and Unprotected Websites—it’s astonishing that in 2019 nearly 97 percent of banks are vulnerable to websites and web applications. That’s the banking industry that at face value seems to invest more resources in cybersecurity than any other industry.
Despite compliance pressures from PCI-DSS and others, organizations are failing when it comes to protecting their information.
How to fix problems like these?
Consider reviewing your website for areas of security concerns. Most importantly, focus on your external-facing sites and continue with penetration testing for critical web applications and APIs. Also make sure your team understands that not all websites are secure (and they should double think shelling out personal data to websites that they haven’t worked with before).
There are a ton of vulnerabilities out there and not all may apply to your network or organization. Keeping an eye on where attackers are focusing will give you a better understanding on where to best allocate your budget line items to get the most bang for your security bucks.
The first place to start if you’re not sure how to approach your cybersecurity efforts? Experts recommend first evaluating your network through a network security assessment and then prioritizing issues that will lead to an attainably securer environment for your team and your clients.