
Since the very first product transaction, customer information has been a valuable commodity.

Today we understand that personal information — so much more than we ever dreamed — IS the product for sale. Everything we do and every place we go can be captured and sold.

Information is so valuable, in fact, that it is targeted each and every day by bad actors with bad intentions.

For evidence of how common compromised personal information has become, look at HaveIBeenPwned.com, which has recorded more than 9.3 billion accounts exposed in the past 6 years (2 billion in 2019 alone).

But despite the overwhelming reality of the figures we face, many continue to misunderstand the vast risk landscape and the very definition of what it means to be targeted.

Whether it’s the innumerable accounts and profiles we need to function in today’s society, the third-parties encouraging us to share our locations, create digital libraries and offer up our DNA or just the need to access free Wi-Fi and charge our devices in public places, our data is at risk all day, every day.

Some people simply succumb to the belief that defense is futile, and they likely have already been exposed, while others fumble with a lack of knowledge on how to protect themselves. But regardless of whether you choose to fight it or ignore it, the truth is that the risks are VERY real.

Perhaps nowhere are these risks more evident than for employers trying to deal with their employees’ poor habits when it comes to cybersecurity.

No matter how much time and money is dedicated to systems and software, if human behavior is ignored, the problem will not only persist, it will intensify.

Here are some of the growing number of signs that the link between individual behavior and cybersecurity will only strengthen in 2020 and beyond:

1. More devices, more problems

The number of handheld devices — smartphones and tablets — in use has exploded.

Twelve years ago there were 120 million cell phones in use … today there are 5 billion! iPhones alone have added 2 billion devices.

Experts predict that this number will continue to grow with more than 30 billion devices to be deployed by 2025.

With this many devices, a much larger attack surface, and a corresponding increase in attacks and threats, will naturally follow.

2. False sense of security grows

There’s evidence to suggest that the growing use of handheld devices may be making individuals less vigilant about cybersecurity than in the past.

A 2019 Verizon report on cybersecurity noted the “visibility and accessibility of handheld devices are contributing to the problem” with user-friendly designs that do not encourage people to be cautious.

Because these devices are “designed to make us flow from one application to another naturally, and almost without thought” users may not be as wary of security threats as they had been with computers in the past.

3. Android and iOS are at risk

In December 2019, Google removed seven applications carrying malware from its Play Store. The applications were pulled because they opened a backdoor that allowed additional malware to be downloaded and installed from external servers.

Though they are no longer available for download, removal from the Play Store does not delete applications that are already installed on devices.

Which applications? Alarm Clock, Calculator, Magnifying Glass, Magnifier with Flashlight, Super Bright Flashlight, Free Magnifying Glass, and Super Bright LED Flashlight.

If you happen to have any of these on your devices, delete them immediately.

And don’t think iOS users are safe from this sort of attack.

The Hacker News recently reported more than 1 billion malicious ad impressions from a campaign that exploited browser flaws to target Apple users.

In some cases, intrusive pop-up ads forcibly redirect users to malicious sites. Earlier this year, one campaign bypassed ad blockers on iOS devices and hijacked 500 million mobile user sessions in just one week.

Finally, researchers also recently found thousands of Christmas-themed applications with significant security flaws across both platforms, so if you have lingering holiday applications on your device, you should delete those as well.

4. Text messages are growing targets

In December, USA Today reported on a database holding millions of SMS text messages that was left exposed online for an extended period of time.

According to the report, “the team was able to access the text messages because the logs were completely unsecured and unencrypted.”

A quick reminder that your text messages aren’t safe from harm either: SMS has no end-to-end encryption, so every message, including one-time login codes, sits in plain text with the carriers and gateway providers that relay it.

5. Your home is at risk, too

Our homes now carry the same risks as businesses, but without experienced staff to manage them.

In December, D-Link published a list of known vulnerabilities in several of its router models that it does not intend to fix.

Home networks include all kinds of devices, applications, and connections, including firewalls, antivirus software, malware scanning, printers, phones, televisions, lights, doorbells, refrigerators, thermostats, cameras, personal assistants, and more.

These Internet of Things (IoT) devices all ship with default settings and passwords that are readily available online, and they routinely need updates and patches. Changing the default credentials and checking for firmware updates are the minimum for any device you put on your network.

6. Data breaches continue the rapid growth

Data breaches again dominated cybersecurity news in 2019, with a whopping 5,183 breaches in the past year according to MSN.

According to research from Risk Based Security, the total number of breaches was up 33% over the previous year and nearly 8 billion records were exposed in all.

There are too many to list them all, but even a small sample of these breaches serves as a stark reminder that attacks can affect businesses and organizations of all sizes:

  • It was recently reported that 267 million Facebook accounts were exposed.
  • On Dec. 19, convenience store and gas station chain Wawa reported that all 800-plus locations were exposed to a data breach.
  • Misconfigured cloud storage and databases, such as Amazon Web Services S3 buckets and Elasticsearch instances left open to the internet, repeatedly surfaced in 2019 stories about companies that left sensitive customer data unprotected. (Elasticsearch is a search database rather than a storage provider; the failure in these cases is deploying it without authentication.)
  • 72 school districts across the U.S., representing more than 1,000 schools, were breached in 2019. Schools are now second on the “most attacked” list behind cities and municipalities, just ahead of the third-place healthcare industry, which was dealt a major blow when the records of 15 million LifeLabs patients were stolen and LifeLabs paid a ransom to retrieve them.
  • Even locally in the Myrtle Beach area, healthcare organizations Tidelands Health and Conway Medical Center both announced breaches in December.

7. Passwords remain the biggest problem

Password hygiene continues to be a problem because individuals need an ever-growing number of logins in their daily lives. Who can remember a dozen or more unique passwords?

Because of this, passwords are reused, rarely or never changed, or only slightly altered.

These passwords, which have likely been exposed in data breaches, can then be used for credential stuffing, an attack that gains unauthorized access to accounts by replaying leaked username and password pairs in large-scale automated login requests against other sites.

Microsoft reported that in the first three months of 2019 it found 44 million accounts reusing passwords that had appeared in breaches. In fact, 72% of consumers admit to recycling passwords up to 4 times.
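Credential stuffing leaves a distinctive trace in login logs, and the same attack comes up again in the holiday-season advice further down this page about reusing passwords across accounts. The following Python script is an added example, not code from the article. It assumes a constructed, simplified log format (timestamp, client IP, username, result) with sample lines made up for the demonstration, and it separates stuffing (one source, many accounts, a single guess each) from classic brute force (one source, one account, many guesses), then lists the accounts a stuffing source actually got into.

```python
"""Spot credential stuffing (one source, many accounts, one guess each)
versus brute force (one source, one account, many guesses) in login logs.

Added example, not code from the original article. Assumes a constructed
log format of one attempt per line:
    <ISO-8601 UTC timestamp> <client IP> <username> <OK|FAIL>
Real sources (nginx access logs, an IdP audit log) need their own parser;
the windowed counting below carries over unchanged.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: alice mistypes once; 198.51.100.9 hammers bob's account;
# 192.0.2.55 tries one leaked password against five accounts and gets into
# ivan's; 203.0.113.8 has two failures an hour apart (noise, not an attack).
SAMPLE_LOG = """\
2019-12-20T10:00:01Z 203.0.113.7 alice FAIL
2019-12-20T10:00:09Z 203.0.113.7 alice OK
2019-12-20T10:01:00Z 198.51.100.9 bob FAIL
2019-12-20T10:01:02Z 198.51.100.9 bob FAIL
2019-12-20T10:01:04Z 198.51.100.9 bob FAIL
2019-12-20T10:01:06Z 198.51.100.9 bob FAIL
2019-12-20T10:01:08Z 198.51.100.9 bob FAIL
2019-12-20T10:02:00Z 192.0.2.55 carol FAIL
2019-12-20T10:02:01Z 192.0.2.55 dave FAIL
2019-12-20T10:02:02Z 192.0.2.55 erin FAIL
2019-12-20T10:02:03Z 192.0.2.55 frank FAIL
2019-12-20T10:02:04Z 192.0.2.55 grace FAIL
2019-12-20T10:02:05Z 192.0.2.55 ivan OK
2019-12-20T10:30:00Z 203.0.113.8 judy FAIL
2019-12-20T11:30:00Z 203.0.113.8 mallory FAIL
"""

@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool

def parse_log(text: str) -> list:
    """Parse the constructed format into LoginEvents sorted oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                     ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)

def _max_in_window(items, window, measure):
    """Slide `window` over time-sorted (timestamp, value) pairs and return the
    largest measure(values inside the window) seen."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure(v for _, v in items[start:end + 1]))
    return best

def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """{ip: distinct accounts} for sources whose failed logins hit at least
    min_users different accounts inside any single window."""
    failures = defaultdict(list)
    for ev in events:
        if not ev.ok:
            failures[ev.ip].append((ev.ts, ev.user))
    found = {}
    for ip, items in failures.items():
        n = _max_in_window(items, window, lambda users: len(set(users)))
        if n >= min_users:
            found[ip] = n
    return found

def find_brute_force(events, window=timedelta(minutes=5), min_failures=5):
    """{(ip, user): failures} for pairs with >= min_failures inside a window."""
    failures = defaultdict(list)
    for ev in events:
        if not ev.ok:
            failures[(ev.ip, ev.user)].append((ev.ts, 1))
    found = {}
    for pair, items in failures.items():
        n = _max_in_window(items, window, sum)
        if n >= min_failures:
            found[pair] = n
    return found

def accounts_at_risk(events, stuffing):
    """Accounts that logged in successfully from a flagged stuffing source:
    the probable takeovers, and the ones whose passwords must be reset."""
    return {ev.user for ev in events if ev.ok and ev.ip in stuffing}

def analyze(text: str) -> dict:
    """Run all three checks over a log and return the findings together."""
    events = parse_log(text)
    stuffing = find_credential_stuffing(events)
    return {"stuffing": stuffing,
            "brute_force": find_brute_force(events),
            "at_risk": accounts_at_risk(events, stuffing)}
```

The distinction matters for the response: a brute-forced account needs a lockout on that account, while a stuffing source needs rate limiting at the IP or device level plus a forced password reset on every account it logged into, because those passwords are already public. Thresholds of five accounts or five failures in five minutes are starting points for a small site and should be tuned against your own baseline traffic.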

According to the report, 90% of attacks start with individuals. Of those, 94% come from e-mail, and 45% from Microsoft Office attachments.

Account takeover of this kind is responsible for millions of dollars in losses from fraudulent changes to wire transfer instructions.

We have seen this at all levels, from public/private project owners to general contractors to subcontractors to employees and even human resources.

8. Antivirus protection is not enough

Only about half of all malware is caught by antivirus software, according to 2019 reports, dramatically lower than the historical rate of 67%.

Advances in attack techniques, coupled with the volume of devices and applications, are outpacing signature-based defenses, which means that simply having antivirus software installed on your computer is no longer enough to mitigate your individual risk.

9. Biometrics is not the solution

If you think facial recognition or fingerprints are the solution, think again.

The Verge recently reported that security company Suprema suffered a breach that exposed the fingerprints of over one million people.

Biometrics is a growing technology that can be effective on many levels, but when individual behavior in cybersecurity isn’t a focus, even the most high-tech companies can fall victim to breaches. And unlike a password, a leaked fingerprint or face cannot be reset, which is why stored biometric data deserves stronger protection than any password database.

10. Things might get weird in 2020

A December ZDNet article warns about AI-powered deepfakes, as well as ongoing ransomware, IoT, and 5G risks, as examples of how threats will continue to grow stranger and more diverse in the coming year.

Renowned analyst firm Forrester predicts that deepfakes, which take a person in an existing image or video and replace them with someone else’s likeness, could cost $250 million next year.

This risk comes not only through direct damage to individuals and brands but also as a new tool for phishing gangs.

“AI tools are already available and in use faking the voice of company officers/executives, directing employees to fraudulently move funds,” the article states. “5G will serve to spread the disease and risk faster.”

So, what does all this mean for businesses?

If your focus is solely on systems, you are missing the fact that individual behavior is as big a cybersecurity problem as the technology, if not bigger.

Your employees, your subcontractors, and your suppliers (and their employees) are as much a threat to your business as unpatched servers.

The dollars spent securing your business data are at risk if the users in your world are not protecting themselves.

In 2020 and beyond, cybersecurity must be viewed in much the same way as safety in the workplace was thirty years ago.

Zero tolerance must be the goal and incidents must be tracked, investigated, and remediated.

We’re moving on from 2019 and are saying goodbye to a decade that saw some of the largest cyber attacks on record, the rise of the Internet of Things, and ever-expanding budgets needed to stay out front of new cybersecurity threats like ransomware.

Looking forward, the year 2020 and the decade it kicks off see the world of cybersecurity in a period of transition. As security incidents, breaches, and hacks garner more attention around the globe, awareness of cyber crime is at an all-time high. Businesses, governments, and other enterprises are beginning to ask the right questions about cybersecurity and to build proactive defenses, rather than reacting only after a security incident occurs close to home.

Kicking off the Year of the Rat, we anticipate that the cybersecurity world will still have to battle with ransomware, data privacy will become a much larger issue in the U.S., and data breaches will rock the headlines once again.

Ransomware will continue to expand

Ransomware took the world by storm in 2019, with attacks on government agencies, hospitals, colleges, and a wealth of other industries dotting the headlines. Municipalities like Albany, NY and Baltimore, Md. were hit individually, while more than 20 towns in Texas and multiple Florida cities paid out large sums, from hundreds of thousands of dollars into the millions, to regain access to their systems and data last year.

Cybercriminals won’t stray from what works, so expect even more ransomware attacks in 2020 – and not just large scale businesses. As governments and large enterprise begin to craft plans to prevent ransomware in their ranks, cyber criminals will begin to look at other vulnerable businesses. While the six-figure payout of a larger corporation is a great reward, there are plenty of “small fish” that are just as attractive as targets of cyber criminals.

Data privacy takes center stage

The California Consumer Privacy Act represents a radical shift in how companies deal with consumer data in the United States. Under the new regulations, which take effect on New Year’s Day and will be enforced starting July 1, companies must be more transparent about what consumer data they gather and how it is stored, and must make “reasonable” efforts to maintain security measures.

Adherence to CCPA regulations will be buzzworthy early in 2020, as companies move to update privacy policies to reflect the new standards.

Read this blog for more information on CCPA.

Traditional passwords will begin to phase out

Passwords are an easy target for hackers, mostly due to the human element. People don’t want to create and remember a unique, complex password for every account. Passwordless authentication will be the next buzzphrase in the password world; rather than replacing multi-factor authentication, it builds on the same strong factors (something you have, something you are) while dropping the weak one (something you know).

Passwordless authentication can be made up of a variety of things, from hardware tokens to biometric authentication. One thing is for sure with the future of passwords – removing the human element will help secure the practice.

Third-party vendors cause multiple large data breaches for major corporations

This one feels more obvious than anything, as third-party vendors have caused some of the largest data breaches in history. Year after year, major data breaches happen because of vulnerabilities introduced by third-party vendors, yet major corporations continue to do a poor job of vetting their vendors.

According to the Ponemon Institute, third-party vendors account for more than 50% of all data breaches and a breach caused by an outside entity costs twice as much as an internally sourced breach.

In 2020, taking the time to vet your vendors and factoring their cybersecurity shortcomings into your risk assessment will be critical to keeping your name from the breach headlines.

With every passing year, society becomes more and more reliant on technology, and we share an increasing amount of our personal data online. Of course, this means that, now more than ever, you should be wary of how your data is being handled, and that the need for secure networks and applications is at its peak.

As we rapidly approach the end of the year, and the decade, we’d like to take a minute and look back at a few of the big stories that have dominated the conversation in the cybersecurity industry this year. From data breaches and new privacy laws to ransomware at the local government level and supply chain attacks, here’s a look back at what made 2019 in cybersecurity such an interesting year.

1. Data breaches cause havoc

Again in 2019, a number of data breaches made news, both due to the high-profile companies they affected and the sheer number of accounts with leaked information.

According to Risk Based Security’s 2019 Data Breach QuickView Report, breaches as a whole were up 33 percent over the previous year, while the number of records involved grew a staggering 112 percent to more than 7.9 billion.

A few of the most newsworthy breaches involved companies like DoorDash, First American Financial, and Epic Games, creators of the popular Fortnite video game.

The Fortnite breach, which occurred Jan. 12, 2019, involved a flaw in the login system that let attackers take over accounts: impersonate real players, buy in-game currency with the victim’s stored credit card, and even listen in on their in-game chat. Epic Games has not stated how many people were affected, but with over 200 million registered users and around 80 million logging in each month, the number of individuals potentially affected is alarming.

Also, in late February, two cybersecurity researchers happened upon one of the largest non-password protected email databases on the web.

If all that has you concerned about whether you were affected by these breaches, enter your email address on the Have I Been Pwned website and it will list the known breaches in which that address has appeared.
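The account search above works by email address; the same service also publishes its Pwned Passwords corpus through a k-anonymity API, so an application can refuse a password that has already leaked without ever sending the password anywhere. The Python below is an added example, not code from the article or from Have I Been Pwned. It assumes the documented range endpoint (https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password’s SHA-1), and the response body it uses offline is constructed, with a made-up count attached to the real SHA-1 suffix of “password”; the live lookup is included but only runs if you call it.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords corpus via
its k-anonymity range API, so the password itself never leaves the machine.

Added example, not code from the original article or from HIBP. Assumes the
documented API shape: GET https://api.pwnedpasswords.com/range/<first 5 hex
chars of the uppercase SHA-1>, answered with one '<remaining 35 hex
chars>:<count>' line per known hash sharing that prefix. The response body
used for the offline demonstration is constructed.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup (network). Only the 5-char prefix is transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-passwords-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).
    `fetch` is injectable so the check can run offline against a fake."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

def is_acceptable(password: str, fetch=fetch_range, min_length=12) -> bool:
    """A minimal password policy: long enough and never seen in a breach."""
    return len(password) >= min_length and breach_count(password, fetch) == 0

# Constructed stand-in for the service: two made-up suffixes plus the real
# SHA-1 suffix of "password" (full hash 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8)
# under its prefix 5BAA6, with a made-up count. Other prefixes get nothing.
FAKE_RANGES = {
    "5BAA6": (
        "1D72AFE8C8F3C8B1D2E1F3A4B5C6D7E8F9A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "2F03B7D3F5E9C1A8B7D6E5F4A3B2C1D0E9F:15\r\n"
    ),
}

def fake_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range using the constructed table."""
    return FAKE_RANGES.get(prefix, "")
```

Because the server only ever sees a five-character prefix shared by hundreds of hashes, it cannot learn which password was checked, which is what makes this safe to wire into a signup or password-change form. Call `breach_count("password", fetch=fake_fetch)` to see the offline path; drop the `fetch` argument to query the live service.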

2. New data privacy regulations

Potentially the biggest news in security and data privacy this year was the California Consumer Privacy Act (CCPA). Though it does not take effect until January 1, 2020, security professionals and others throughout the technology space spent plenty of time and effort preparing for a sweeping new set of laws that affords California residents information on what personal information has been collected about them.

Much like the General Data Protection Regulation (GDPR), which was implemented by the European Union in 2018, this act will reach well beyond the confines of California and affect businesses across the U.S.

The CCPA applies to businesses that meet any one of its thresholds: at least $25 million in annual revenue, personal data on more than 50,000 consumers, households, or devices, or more than 50% of revenue earned from selling personal data. It forces them to be more transparent about the data collected on consumers and allows consumers to hold businesses accountable for their treatment of that information.

Learn more about CCPA and what you should be doing to prepare for it, by clicking here.

3. Ransomware attacks on local governments

Malware attacks are nothing new, but as ransomware attacks continue to grow, the risk has extended to new niches and different industries.

In 2019, the poster child for the growth of this type of attack was the rise in notable incidents of ransomware being used against local government entities.

In all, there were more than 70 state and local government ransomware attacks this year affecting groups including Philadelphia Courts First Judicial District, Cleveland Hopkins International Airport and several municipalities in Florida and Georgia.

According to security giant McAfee this type of attack saw an increase of 118% in the first quarter of 2019 alone.

One of the highest-profile ransomware attacks this year, and possibly in history, was the attack on the city of Baltimore. It knocked out the city’s police surveillance cameras, utility payment systems, phones, and email until staff found paper-based workarounds, and it showed just how crippling a lack of cybersecurity preparation can be.

4. Supply Chain Attacks

A relatively new type of attack that rose to the forefront of cybersecurity concerns in 2019 is the supply chain attack, which compromises a third-party software vendor in order to reach that vendor’s customers.

To users these attacks look like legitimate software updates from a trusted provider, but the updates have been tampered with and push malware onto users’ machines.

One of the biggest supply chain attacks was NotPetya in 2017, which targeted the Ukrainian government and cost the world over 10 billion dollars in total damages.

This year, two of the world’s top technology providers, Asus and Microsoft, fell victim to supply chain attacks in which hackers used legitimate update channels as the means of distribution, reaching millions of customers.

Since 2018 experts have seen a 78% increase in this type of attack, which is worrying because there is no “quick fix” to prevent them: the only protection is thorough vetting of your supplier network, and even then risk remains.

5. Android Malware

This year had its fair share of attacks on our devices, including a growing number on mobile phones.

Over the past year, experts have seen a 50% increase in attacks on mobile devices — with Android users being particularly susceptible to malware and other hacks.

Driven by that growth, more and more hackers are using mobile malware to steal banking information and login credentials, and even to take over phones.

‘Tis the season for holiday gatherings, work parties, and family obligations, making it all too easy to forget about cybersecurity.

During the hustle and bustle of the holiday season, cybercriminals are on the prowl, looking to dupe the unsuspecting masses with scams to steal personal information, financial data, and other sensitive information.

How can your organization and its employees ensure your holidays are happy and your data remains protected?

Don’t use public Wi-Fi for sensitive information

Public Wi-Fi networks can be joined by anyone, which puts everyone else on the network in a position to intercept or tamper with your traffic. In the era of online shopping from phones and tablets, personal information like names, addresses, bank accounts, and credit cards is shared without a thought for encryption or security. Don’t open your wallet to cybercriminals by using public Wi-Fi to transmit your most valuable data; if you must buy on the go, use your phone’s cellular connection or a VPN instead.

Only use verified websites

Website security is a critical component of keeping your data safe, regardless of what deal you’re hunting. Trusted websites should have “https” at the beginning of the address and a lock icon near the address bar, showing that everything sent to the page is encrypted in transit. Without that encryption, your data is an open book to anyone on the network. Keep in mind, though, that the lock only says the connection is encrypted, not that the site is legitimate: phishing sites obtain certificates too, so check that the domain name is the retailer’s real one before you type anything in.

Change your passwords

This might seem like the simplest activity that doesn’t hold much weight, but your login credentials open the door for cybercriminals to infiltrate a network or open accounts in your name. Even if you haven’t been breached in the past, which is unlikely, using the same login credentials across accounts is a recipe for disaster. Work to have unique passwords for all of your accounts, using software like LastPass to help create and store information. Many hacks come from credential stuffing attacks, where a hacker will use information stolen from previous breaches to try and infiltrate other accounts.

Be suspicious of email links

Yes, everyone gets thousands of emails around the holidays with promises of big sales, epic savings, and an opportunity that is too good to pass up. How often do you check to see that the sender is actually a representative of the business? Oftentimes, phishing scammers can make an email look identical to a legit one from your favorite brand, then include dummy links that lead you away from the savings and sales. Be ultra-careful to avoid falling down a phishing hole this holiday season.

We hope your holidays are a wonderful time spent with friends and family, not trying to recover accounts, change passwords, and replace compromised cards. Take an extra step in your security and enjoy the most wonderful time of the year!

The popular food delivery service, DoorDash, uncovered "unusual activity" with a third-party vendor and found that some of its user data were breached.

Outside security experts confirmed to DoorDash that nearly 5 million consumers, independent contractor drivers, and retailers who used the platform on or before April 5, 2018, were affected by the breach. Data accessed could include profile information like names, email addresses, delivery addresses, order history, phone numbers, and some password information. Additionally, the last four digits of credit cards used by consumers were exposed, but not the entire card number.

Drivers and retailers on the platform also had the last four digits of their bank account number exposed, but the information is not sufficient to make any changes to an account. Approximately 100,000 drivers also had their drivers' license numbers exposed in the breach.

DoorDash has taken steps to increase its overall security and has added additional layers of security to improve protocols around user data.

Using outside vendors within your business can open you up to different vulnerabilities that can lead to breaches and other security issues. When vetting vendors, establishing a baseline of security is a critical step to ensure your business, data, and customers are protected.

January 2020 will bring changes to data privacy and security rules for businesses operating within, or interacting with residents of, the state of California.

The California Consumer Privacy Act is the first of its kind in the U.S. It represents a sweeping set of laws that affords its residents information on what personal information has been collected on them, with whom it has been shared, how to delete it, and how to prevent the sale of such data. Compliance with the California Consumer Privacy Act will force businesses to be more transparent with data collected on consumers while simultaneously allowing consumers to hold businesses accountable for their treatment of consumer information.

What is the California Consumer Privacy Act? 

Although it’s called the California Consumer Privacy Act (CCPA), the regulations have wide-ranging impacts in the United States and beyond. Much like GDPR in the European Union impacted American companies and consumers, so too will the California Consumer Privacy Act.

To fall within the jurisdiction of the California Consumer Privacy Act, businesses must work in the state of California or collect personal information on residents of the state. Additionally, businesses must fall under one of the following criteria:

  • Have at least $25 million in annual revenue
  • Possess data on more than 50,000 consumers, households, or devices
  • Earn more than 50% of business revenue from selling personal data

Those businesses not meeting the above-listed criteria will not be largely impacted by the CCPA, but those meeting even just one of those have a lot of work to do.

The California Consumer Privacy Act is broad in scope, substance, and enforcement, covering new forms of data like internet browsing history, metadata, and IP addresses. It also redefines what a sale of data “looks” like, stating that data does not have to be given in exchange for money, but expands the definition to include anything “valuable” to the holder of the data. Essentially, trading data for goods or services is covered under the California Consumer Privacy Act.

Companies looking to comply with the California Consumer Privacy Act will not find a wealth of information within the act itself. In fact, there is no roadmap to compliance given by the state, rather just some general ideas of what businesses will be required to do and timeframes around those actions.

What does my business need to do?

First: don’t panic.

The California Consumer Privacy Act goes into law on January 1, 2020, but you’ve got plenty of time to determine what compliance looks like for you. Six steps are recommended for immediate implementation in order to make compliance easier:

  • Update Privacy Policies
    • Much like the rush of updates and emails that came after the European Union’s GDPR regulations took effect in 2018, privacy policy updates and their accompanying notification emails will likely flood our inboxes in 2020.
    • Update your privacy policies and notices to account for the necessary additions of what personal information is collected or sold, along with providing information about opt-outs from the sale of personal data.
    • Create either a policy to specifically cover California residents to couple with current policies; or create one wholesale policy to cover all consumers.
  • Update Data Stores and Business Processes
    • Included in the California Consumer Privacy Act regulation is the requirement to maintain a data inventory to track data processing activities such as:
      • Business processes
      • Third parties with data access or transfer of data to third parties
      • Products, devices, and applications that process consumer personal data
    • The data inventory or database must track every consumer rights request.
  • Implement Procedures to Maintain Consumer Rights
    • Certain consumer rights have been guaranteed by the California Consumer Privacy Act, including the rights of access, request, notice, and knowledge about personal data gathered by businesses. Consumers will be afforded the power to see and remove:
      • personal information collected,
      • the sources from which the information is gathered,
      • the purpose for gathering the information,
      • the categories of other parties with which the data was shared, and
      • the specific personal information gathered about the consumer by the business.
    • Businesses may provide personal information to a consumer at any time but do not have to provide requested information more than twice in a 12-month time frame.
  • Update Security Measures
    • An easily overlooked regulation of the California Consumer Privacy Act is the responsibility of the business to protect personal data with “reasonable” security. For many organizations, this includes performing a risk analysis and remediating high-risk vulnerabilities to maintain a baseline of security.
  • Make Changes to Third-Party Agreements
    • Third-party data processing will need an updated contract with requirements including:
      • creation of vendor data inventories,
      • use of due diligence questionnaires,
      • providing records of the processing,
      • syncing of consumer response processes,
      • onsite assessment and auditing, and
      • mapping of the specific data elements shared with each third party, including designating those transfers that qualify as selling.
  • Train Employees on the New Regulations
    • At a minimum, any employee handling consumer inquiries for data collection and personal information must be informed of all requirements.
    • It is recommended that more in-depth training on the California Consumer Privacy Act occur at all businesses dealing with the new regulations.

Penalties for Non-Compliant Businesses 

Under the California Consumer Privacy Act, penalties are based upon unauthorized access incidents – be that breaches, exfiltration events, theft, or unauthorized disclosure due to poor security procedures and practices.

Civil penalties in actions brought by the California Attorney General run up to $2,500 per violation, or up to $7,500 per violation when the violation is intentional.

Intent is therefore the critical component of each fine category: $2,500 is the maximum for unintentional violations, while $7,500 is the maximum for intentional ones.

What are my next steps?

The California Consumer Privacy Act is more intensive than GDPR, requiring companies to take additional steps to ensure customer data is secure.

Most companies will need to consult with experts in data management, cyber security, and network security to ensure all aspects of the California Consumer Privacy Act are met before the regulations go into place.

The penalties and potential for embarrassment from a breach are strong and place an extraordinary amount of responsibility on businesses to keep data safe.

A partner like Archetype SC, with expertise in data, cyber security, and database management, is an excellent resource to answer questions and provide consultations on California Consumer Privacy Act compliance.

Data breaches are everywhere.

Go to your favorite news site, tune in to the national news on TV, or simply Google it – you’ll find thousands of results breaking down breaches caused by phishing attacks, employee negligence, brute-force attacks, or a host of other methods. Attacks are happening with more frequency and increased complexity, raising more questions than can be answered.

One of the main questions that business owners should ask is this: “Am I liable for a data breach that happens within my business, even if it’s not directly the fault of my business?”

The short and simple answer is probably, though regulations vary from state-to-state.

Your clients, customers, and users expect your business to protect the data they have entrusted to you, be that as basic as names and addresses or as personal as Social Security numbers and banking information. Even if a vendor you hire is at fault, your name is the one on record. Remember, the Target breach of 2013 came about because a hacker stole credentials from a third-party vendor. Nobody remembers the name of the vendor, and the fines were levied against Target. Even more recently, Capital One fell victim to a breach by a former employee of a third-party vendor.

How can I protect my business before a data breach happens?

As a business, failing to test your systems for security flaws, whether through security assessments or by having a security professional attempt to break into your network, leaves your ‘Open’ sign on all day and night for cyber criminals who are after your most precious resource – your data. Something as simple as reusing the same password across multiple accounts can lead to the loss of a wealth of data and an embarrassing and expensive recovery process.

While a breach does not automatically make your business liable, there are grounds on which a plaintiff can proceed against your company if you become the subject of a data breach lawsuit.

First and foremost is negligence. Simply put: what would a reasonable person or company do to lessen the chance of a data breach? Did your business take steps to close known holes or vulnerabilities? Is your company aligned with industry best practices? If your company is found to have been grossly under-prepared for a breach, some of the financial liability will fall to you.

Another avenue for finding your company at fault is your breach response. Did your company do enough to stop the breach once it was found? Did you quickly notify affected parties? Did you immediately begin an investigation to identify and carry out remediation steps?

Businesses can face backlash from government agencies, heavy fines, and legal action following a breach.

For businesses that collect and store data, living with the expectation that someone is always trying to hack your systems will help maintain an edge against cyber attacks. There is no way to be totally immune from a cyber attack, but having a solid cyber security plan and incident response guidelines in place can help to reduce the impact on your business.

The role of third-party vendors

Many businesses employ third-party vendors to perform services, which increases breach risk due to the unknown element of the outsiders’ security policies and practices.

It is often a business norm for a third-party vendor to support core business functions and to have access to your data and internal systems.

While it may be the norm, it is still inherently risky: 63% of all data breaches can be linked to third-party access.

Using a third-party vendor may be critical to your business operations, but doing so without vetting their security posture can lead your business down a troubled path.

What steps can you take to protect your business?

A security assessment can give you confidence in your own business’ security posture, and making an assessment a required, recurring piece of each vendor contract you have in place will help secure your operations from the ground up.

In many instances, a security assessment should be part of your vetting process when selecting a vendor to work with your business. When it comes to cybersecurity, there is no such thing as being too cautious.

Archetype SC’s SRVA is a great starting point to determine your current security posture, find vulnerabilities, and create a remediation plan to protect your business.

Additional steps, including employee training and security process updates, can help lessen the likelihood of an attack by educating your resources on what to look out for and the proper steps to take if they recognize a cyber attack.

First American Financial, one of the country's largest real estate title insurers, potentially exposed personal information in hundreds of millions of documents dating back to 2003.

A Fortune 500 company, First American is one of the most widely-used companies for title insurance and real estate closings, with hundreds of millions of records in its databases.

In this instance, First American's document application required no authentication at all: anyone who had a link to one document could change the numeric document ID in the link and retrieve other customers' records. Because nothing restricted or recorded access, it is unknown how many of the 885 million digital records stored by First American were actually viewed.

Within the digital files were wire transfer records containing banking information for the seller and buyer, and mortgage records including names, addresses, Social Security Numbers, and a litany of other personal information. The exposed application had been online since 2017 and contained files dating back to the earliest online transactions - document 000000075 - in 2003.
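The flaw described above is an insecure direct object reference: the document is looked up by a sequential number that appears in the URL, with no check of who is asking. The following added example (not First American's code, and the document store, owner names and document bodies are constructed for illustration) models the vulnerable lookup next to a hardened one that requires a logged-in user, checks ownership, hands out unguessable link tokens instead of sequential IDs, and records every request in an audit log. The last point matters for the "it is unknown how many records were breached" problem: without access logging tied to an identity, an investigation cannot scope a breach.

```python
"""Vulnerable vs. hardened document lookup (added example, constructed data)."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample store. Sequential IDs mean the whole set is enumerable.
DOCS: Dict[int, Document] = {
    75: Document(75, "alice", "wire instructions for 123 Main St closing"),
    76: Document(76, "bob", "mortgage application (contains SSN)"),
    77: Document(77, "carol", "closing statement"),
}


class Forbidden(Exception):
    """Raised by the hardened handler for any request it will not serve."""


def fetch_document_vulnerable(doc_id: int) -> str:
    """The pattern in the article: ID from the link, no session, no ownership check."""
    return DOCS[doc_id].body


def enumerate_vulnerable(start: int, count: int) -> List[int]:
    """What an attacker does with the vulnerable endpoint: walk the ID space."""
    found = []
    for candidate in range(start, start + count):
        try:
            fetch_document_vulnerable(candidate)
            found.append(candidate)
        except KeyError:
            pass  # gap in the sequence, keep walking
    return found


# --- hardened version --------------------------------------------------------
AUDIT_LOG: List[dict] = []          # every request, served or not
TOKEN_TO_ID: Dict[str, int] = {}    # opaque link token -> internal document ID


def issue_link_token(doc_id: int) -> str:
    """Give customers a 256-bit random token, never the internal sequential ID."""
    token = secrets.token_urlsafe(32)
    TOKEN_TO_ID[token] = doc_id
    return token


def fetch_document_secure(session_user: Optional[str], token: str) -> str:
    """Require a session, resolve the token, and enforce ownership.

    The token alone is not an authorization: even a leaked link only works
    for the account that owns the document.
    """
    if session_user is None:
        AUDIT_LOG.append({"user": None, "token": token[:8], "result": "unauthenticated"})
        raise Forbidden("login required")
    doc_id = TOKEN_TO_ID.get(token)
    doc = DOCS.get(doc_id) if doc_id is not None else None
    # Same response for "no such token" and "not your document", so the
    # endpoint does not confirm which tokens exist.
    if doc is None or doc.owner != session_user:
        AUDIT_LOG.append({"user": session_user, "doc_id": doc_id, "result": "denied"})
        raise Forbidden("not found")
    AUDIT_LOG.append({"user": session_user, "doc_id": doc_id, "result": "ok"})
    return doc.body


if __name__ == "__main__":
    print("enumerable IDs:", enumerate_vulnerable(70, 10))
    link = issue_link_token(76)
    print("owner read:", fetch_document_secure("bob", link))
    for user in ("alice", None):
        try:
            fetch_document_secure(user, link)
        except Forbidden as exc:
            print(f"{user!r} -> {exc}")
    print("audit entries:", len(AUDIT_LOG))
```

In a real web application the session user comes from the framework's authenticated session, not a function argument, and the audit log goes to append-only storage; the structure of the check (authenticate, then authorize against the record's owner, then log) is what the First American application lacked.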

First American issued a statement to KrebsOnSecurity.

“First American has learned of a design defect in an application that made possible unauthorized access to customer data.  At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

Because nothing required authentication or logged access, First American cannot say who accessed the database or for what purpose. The company is facing a lawsuit in California over security concerns in what has the potential to be one of the largest data breaches on record.

Cybercriminals would have found a virtual treasure trove of information in the database, allowing for more targeted phishing, ransomware, and wire-fraud to steal from the unsuspecting masses.

Businesses that deal with personal information have the added need for strict cybersecurity measures to ensure that data is not compromised. Archetype SC's security engineers have decades of experience working in some of the largest businesses in the world to help secure data, respond to breaches, and ensure proper access for users. Keep your data under lock and key by working with Archetype SC.

In late February, two cybersecurity researchers happened upon one of the largest non-password protected email databases on the web.

Bob Diachenko and Vinny Troia of the website SecurityDiscovery.com found the online database of email addresses and personal information, more than 150GB of data totaling over 800 million records, with limited-to-no security. Their astounding find traced back to the email validation service company Verifications.io.

In the database, Verifications.io had three folders titled "businessLeads," "Emailrecords," and "emailWithPhone," with each making up millions of records. "Emailrecords" had nearly 800 million alone, while the other two folders had more than 4 million and 6 million, respectively. In addition to email addresses, "Emailrecords" also contained zip codes, phone numbers, addresses, gender, and date of birth information.

Diachenko alerted Verifications.io of the breach via a ticket on the company's website, which prompted the removal of the database from the web and a response from the company stating no personally identifiable information had been included in the records.

Verifications.io is an email validation service for marketing companies. It keeps records of deliverable addresses and vets a company's email list against them. The service sends a message to an address to see whether it is delivered or bounces, then keeps a record of active addresses for companies to use in marketing email campaigns. These services keep marketing senders from being flagged as spam for bouncing off large numbers of dead addresses in a short timeframe.

Protecting your email account starts with a strong, unique password (changed if it is ever exposed), multi-factor authentication where the provider offers it, a reputable email service, and obscure (or deliberately false, but recorded) answers to security questions.

If you have concerns around business email security, contact Archetype SC's security team to set up a consultation for SRVA, our security assessment tool that can scan your network for vulnerabilities that could be exploited by cybercriminals.

More than $800,000 was stolen in a hack of the banking account information at Cape Cod Community College in Massachusetts, showing yet again that data breaches happen to businesses of all sizes, not just large enterprises.

On Friday, Dec. 7, school president John Cox informed faculty and staff of the breach, saying that many computers in the Nickerson Administration Building were hit with a phishing attack that used malware to infiltrate the school's accounts. The malware was used to steal banking information and transfer money away from the institution.

According to the Boston Globe, the school has recovered about $300,000 of the funds, working with TD Bank and law enforcement officials. Other attacks on the school's network have been prevented by school officials, who have also replaced all infected hard drives from the breach.

The attack started with an Internet outage that the school believed was an issue with its provider. 

To protect against future attacks, "Four C's" is working with local and national law enforcement to trace the roots of the attack, upgrading security measures campus-wide, and offering more training to employees on what to look for in a hack.

"This attack on our College’s security demonstrates the power and danger of modern cybercrime," Cox wrote to faculty and staff. "Despite ongoing cyber security training and continuous upgrades to the College’s network security, those with the power to execute a sophisticated malware attack found a way to do so."

Cox's email states that no personally identifiable information or records were impacted and that all financial services remain fully operational.

Data breaches come in many forms, with some recent attacks using phishing, password reuse, and database hacking. Over the past month, large companies have been hit, affecting millions of users, but small businesses and even colleges are under constant threat of breach. If your business uses the Internet and hasn't had a cyber security assessment or audit recently, you are susceptible to an attack.

Consider a SRVA by Archetype SC, which includes an internal scan on-site, a qualitative assessment of security practices, and an external scan from our offices. A deliverable report highlighting critical vulnerabilities will be provided to you, with a remediation plan to remedy any gaps uncovered in your security efforts. 

Email srva@archetypesc.com to schedule your assessment.

On Friday, Nov. 30, mega hotelier Marriott announced a massive data breach affecting as many as 500 million guests who made reservations at the company’s Starwood properties since 2014.

In one of the largest data breaches on record, a third party gained unauthorized access to a database containing guest information such as name, email address, mailing address, passport number, date of birth, and, for 327 million guests, payment card information. While the payment card information was encrypted, Marriott cannot confirm that the hackers did not also take the decryption key during the four-year intrusion, so the encryption alone cannot be assumed to have protected the card data.

The attack represents a total failure on the part of Marriott to secure personal information for its guests over an extended period. The company has set up a website to answer questions for those who may have been impacted by the breach, which states “Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database.”

The Marriott breach shows the importance of proper cyber security measures, which can help uncover and identify holes in a network that could be exploited by a cyber criminal.

Archetype SC’s SRVA – a vulnerability and risk assessment tool – can help uncover potential issues in a network that could be exploited by a hacker.  With a SRVA scan, Archetype SC delivers a personalized report providing information on vulnerabilities broken down by severity, with a remediation plan to shore up any issues.

On Monday, Dec. 3, Quora, a question-and-answer website where users can post and respond to inquiries with other users, announced it fell victim to a data breach where the personal data of up to 100 million users was accessed.

The breach follows a string of hacks over the weekend, with Marriott’s Starwood properties being the largest affecting as many as 500 million users.

Quora CEO Adam D’Angelo spelled out the company’s breach and response in a blog post, where he said the company was “very sorry for any concern or inconvenience this may cause.”

Some of the information accessed in the Quora breach includes account information such as names, email addresses, passwords, and data from linked networks like Facebook and Twitter. Additionally, public content and actions, like questions and answers, comments, and upvotes; and non-public content and actions like answer requests and direct messages, were included in the breach.

The company is working to investigate the root cause of the breach to avoid future issues with cyber security.

“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again,” said D’Angelo in his blog post.

For your business, Archetype SC’s SRVA helps to shore up security concerns by providing a comprehensive report of your network security, allowing your teams to easily understand potential threats. Our team of security experts works directly with your IT and management to remediate issues and strengthen your security posture.

Contact us for a SRVA today.
