Target. Neiman Marcus. Other national retailers. Yahoo and other websites. And apps like Snapchat. All have been victims of cyberattacks that led to data security breaches and the exposure of personal information, including usernames, passwords, credit card information, email addresses, and phone numbers.
The hacking of Snapchat, a popular photo-sharing application, resulted in the Internet publication of the usernames and phone numbers of roughly 4.6 million application users.
A security group based in Australia had contacted the organization, advising it that its app was vulnerable to a data security breach. After a few months with no response from the firm, the security group published its research just five days before the hackers released the stolen data. Internet security experts are more concerned with the organization’s seeming indifference to the security warnings than with the information that was stolen.
This relatively new application has quickly grown to nearly 20 million U.S. users.
The organization stated in recent blog posts that it has been working on “various safeguards” to increase the security of user information. It has also released an updated version of the app that allows users to opt out of the “Find Friends” feature, which allegedly was at the center of the security breach. In addition, the organization has provided an email address for security experts to contact it with any vulnerability concerns, along with a promise to respond quickly. Barbara Ortutay, “Snapchat says to make app more secure,” finance.yahoo.com (Jan. 3, 2014).
Research predicts that the number of cyberattacks will continue to rise, and stories like these lend support to those predictions. Although financial institutions and the retail industry are common targets, any organization is a potential target. Organizations that collect personal consumer information, or that simply retain sensitive personal data about their own employees, need to address data security.
Employers who take a proactive approach to data security are in the best position to protect their organizations from the high cost of a cyberattack. Your organization’s cybersecurity plan should include periodic assessments of the network that specifically look for vulnerabilities an attacker could use to breach the system. Further, organizations need to take warnings from security experts and advisors seriously and work quickly to fix the reported weaknesses; a timely response limits the potential damage. Organizations should also educate employees on how to recognize a network breach and to report suspicious activity immediately. The sooner an infected computer can be taken off the network, the greater the likelihood of limiting the damage.
The FCC offers the following practices to help secure your online presence:
- Train employees in security principles.
- Protect information, computers and networks from cyberattacks. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.
- Provide firewall security for your Internet connection.
- Create a mobile device action plan. Be sure to set reporting procedures for lost or stolen equipment.
- Make backup copies of important business data and information.
- Control physical access to your computers and create user accounts for each employee.
- Secure your Wi-Fi networks.
- Employ best practices on payment cards. Don’t surf and make payments on the same computer.
- Limit employee access to data and information, and limit authority to install software.
- Require employees to use unique passwords and change them every three months.
Verizon publishes an annual analysis of worldwide data breaches (the Data Breach Investigations Report), and it makes the following eight recommendations:
- Eliminate unnecessary data; keep tabs on what’s left.
- Perform regular checks to ensure that essential controls are met.
- Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
- Collect, analyze and share tactical threat intelligence, especially indicators of compromise (IOCs), that can greatly assist defense and detection.
- Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology.
- Regularly measure things like “number of compromised systems” and “mean time to detection”, and use these numbers to drive better practices.
- Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one-size-fits-all” approach to security.
- Don’t underestimate the tenacity of your adversaries, especially espionage driven attackers, or the power of the intelligence and tools at your disposal.
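Two of the recommendations above are concrete enough to show in working code: matching shared indicators of compromise (IOCs) against your own logs, and turning the result into a “mean time to detection” figure. The script below is an added example written for this page; it is not code from Verizon, the FCC, or any of the organizations named above. The IOC feed, the log lines, and the compromise times are all constructed for the demonstration (documentation IP ranges, a .test domain, and a hypothetical hash), and the key=value log format is a simplification rather than any product’s real output.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed IOC feed (hypothetical values). Shared indicators are commonly
# "defanged" (hxxp, [.]) so they cannot be clicked; refang() undoes that.
IOC_FEED = """\
ip,198.51.100.23
domain,update[.]example-cdn[.]test
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
url,hxxp://files.example-cdn[.]test/payload.bin
"""

# Constructed log lines in a simplified "<timestamp> <source> key=value ..." format.
LOG_LINES = """\
2014-01-02T08:15:03Z proxy host=ws-17 dst=198.51.100.23 url=http://files.example-cdn.test/payload.bin
2014-01-02T08:15:04Z dns host=ws-17 query=update.example-cdn.test
2014-01-02T09:02:11Z edr host=ws-17 sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 path=run.exe
2014-01-02T09:30:00Z proxy host=ws-04 dst=203.0.113.9 url=http://intranet.corp.test/
2014-01-02T10:05:45Z proxy host=ws-22 dst=203.0.113.77 url=http://cdn.other.test/
"""

# Constructed compromise times, as forensics would establish them after the fact.
COMPROMISED = {
    "ws-17": datetime(2014, 1, 2, 7, 45, 3),
    "ws-22": datetime(2014, 1, 2, 9, 50, 0),   # compromised, but no IOC ever fires
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions so indicators match live log data."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def load_iocs(feed: str) -> dict:
    """Parse a 'type,value' feed into lower-cased sets keyed by indicator type."""
    iocs = {"ip": set(), "domain": set(), "sha256": set(), "url": set()}
    for line in feed.strip().splitlines():
        kind, value = line.split(",", 1)
        iocs[kind.strip()].add(refang(value.strip()).lower())
    return iocs


def parse_line(line: str):
    """Split one log line into (timestamp, source, {key: value})."""
    ts_str, source, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), source, kv


def match_line(line: str, iocs: dict) -> list:
    """Return sorted (type, indicator) pairs found in one line; hashes and domains
    are compared case-insensitively, IPs are validated before lookup."""
    hits = set()
    low = line.lower()
    for ip in IP_RE.findall(line):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # e.g. 999.1.1.1 is not an address
        if ip in iocs["ip"]:
            hits.add(("ip", ip))
    for h in SHA256_RE.findall(line):
        if h.lower() in iocs["sha256"]:
            hits.add(("sha256", h.lower()))
    for d in DOMAIN_RE.findall(low):
        if d in iocs["domain"]:
            hits.add(("domain", d))
    for u in iocs["url"]:
        if u in low:
            hits.add(("url", u))
    return sorted(hits)


def sweep(log_text: str, iocs: dict) -> list:
    """Return [(timestamp, host, hits)] for every line that matches at least one IOC."""
    results = []
    for line in log_text.strip().splitlines():
        hits = match_line(line, iocs)
        if hits:
            ts, _, kv = parse_line(line)
            results.append((ts, kv.get("host", "?"), hits))
    return results


def first_detection(results: list) -> dict:
    """Earliest IOC hit per host: the moment detection could have started."""
    first = {}
    for ts, host, _ in results:
        if host not in first or ts < first[host]:
            first[host] = ts
    return first


def mean_time_to_detection(compromised: dict, detected: dict):
    """Mean (detection - compromise) over hosts seen in both tables, plus the
    list of compromised hosts that were never detected; those are the real gap."""
    deltas = [detected[h] - t0 for h, t0 in compromised.items() if h in detected]
    undetected = sorted(h for h in compromised if h not in detected)
    mttd = sum(deltas, timedelta()) / len(deltas) if deltas else None
    return mttd, undetected


if __name__ == "__main__":
    iocs = load_iocs(IOC_FEED)
    hits = sweep(LOG_LINES, iocs)
    for ts, host, found in hits:
        print(ts.isoformat(), host, found)
    mttd, missed = mean_time_to_detection(COMPROMISED, first_detection(hits))
    print("MTTD:", mttd, "undetected hosts:", missed)
```

On the constructed data, ws-17 is flagged three times (IP and URL from the proxy, domain from DNS, file hash from the endpoint agent), giving a 30-minute time to detection; ws-22 is compromised but matches nothing, which is the number to worry about when reporting MTTD, since an average computed only over the hosts you caught flatters the program. Substring matching on URLs and whole-token matching on domains are deliberate: a lookalike such as update.example-cdn.test.evil.test should not silently count as a hit on the shorter indicator.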