Privacy Perspectives | Why SMBs Need To Worry About the Next Big Data Breach


56 million, 42 million and 4.5 million: these numbers represent the impact of recent high-profile data breaches. Home Depot is the latest major brand to be attacked, and its breach is the second largest of all time to hit the retail sector. TJX continues to hold the number one spot, with over 90 million people impacted.

In August we learned that Community Health Systems was breached and 4.5 million people were impacted. The news was disturbing—attackers were able to obtain names, birth dates and Social Security numbers of millions of patients. It’s clear that hackers are more skilled, the volumes of data are growing exponentially and the targets and industries are diverse.

Employee credentials were obtained in the attack that impacted eBay. Thieves, at a minimum, had access to and reportedly copied customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. That is exactly the kind of information an identity thief dreams of.

The obvious question here is, how were thieves able to gain access to employee credentials? The answer: It is not as hard as you may think. I have conducted many audits where I have found log-on info and other credentials under keyboards, in unlocked drawers and pinned on bulletin boards.

Social engineering and phishing are also ways of tricking people into handing over private information, which the attacker then uses to gain unauthorized access to information or resources. It seems counterintuitive that people would readily give up such information, right? The fact remains that social engineering and phishing are very much alive. Think about the last time you received an email that looked like it was from your bank or another entity with which you have a legitimate business relationship. It usually starts out with "We need to confirm" or similar wording that requests your personal information; e.g., Social Security number, date of birth, address, etc. The tell-tale signs are usually in the details: a display name that claims a brand while the actual sender address belongs to an unrelated domain, a link whose visible text names the real site but whose target points somewhere else, and an urgent request to supply exactly the data the sender should already have.
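The checks described above, written out as a small triage script. This is an added example and not code from the original post; it parses an email with Python's standard library and flags the same indicators a trained employee is told to look for: a display name that claims a brand whose domains do not include the real sender, a Reply-To that diverts responses elsewhere, link text that names one host while the href points at another, and "we need to confirm" style wording. The brand allow-list (`KNOWN_BRANDS`), the phrase list, the `_registrable` helper (a crude stand-in for a public-suffix lookup) and both sample messages are constructed assumptions for illustration, not real mail or real domains.

```python
"""Heuristic phishing triage for one RFC 5322 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: brand name -> domains allowed to send mail for it.
KNOWN_BRANDS = {"examplebank": {"examplebank.com"}}

# Wording typical of credential-harvesting mail (assumed list, extend as needed).
URGENCY_PHRASES = (
    "we need to confirm",
    "verify your account",
    "social security number",
    "date of birth",
    "account will be suspended",
)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _registrable(host):
    """Crude registrable-domain guess (last two labels). A real deployment
    would consult the public suffix list; this is an assumption for the demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_email):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_email)
    indicators = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name invokes a brand, but the sender domain is not one of its domains.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower().replace(" ", "") and sender_domain not in domains:
            indicators.append(f"display name claims {brand} but sender is {sender_domain}")

    # 2. Reply-To diverts replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        indicators.append(f"reply-to domain {reply.rsplit('@', 1)[-1]} differs from sender")

    # 3. Gather the text parts of the body (single-part or multipart).
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")

    # 4. Link text names one host while the href targets another registrable domain.
    collector = _LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        target = _registrable(urlparse(href).hostname or "")
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and _registrable(shown.group(1)) != target:
            indicators.append(f"link text shows {shown.group(1)} but points at {target}")

    # 5. Urgency / credential-request wording.
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            indicators.append(f"credential/urgency wording: '{phrase}'")
    return indicators


# Constructed sample messages (not real mail; all domains are placeholders).
PHISH = """\
From: "Example Bank Security" <alerts@examplebank-verify.co>
Reply-To: support@mail-recovery.example
To: victim@smb.example
Subject: We need to confirm your account
Content-Type: text/html; charset=utf-8

<p>We need to confirm your identity. Please verify your account within 24 hours,
including your Social Security number and date of birth:</p>
<a href="http://login.examplebank.com.account-check.example/verify">https://www.examplebank.com/secure</a>
"""

LEGIT = """\
From: "Example Bank" <statements@examplebank.com>
To: customer@smb.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is available. Sign in at <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

The constructed phishing sample trips every check, including the classic lookalike host `login.examplebank.com.account-check.example`, whose registrable domain is `account-check.example` no matter how much of the real brand appears in the leading labels; the legitimate sample produces no indicators. None of this replaces SPF, DKIM and DMARC checks at the mail gateway; it is the kind of reasoning an employee should apply when a message still reaches the inbox.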

What can SMBs do? We cannot thwart every attack nor stop an attacker that is motivated, determined and has the resources. However, we can be proactive and develop a good OFFENSE!

Workforce Training

Does your organization provide data breach training? Do your employees know how to recognize a breach? How to respond? Who to notify? What to report? It is important that our employees are equipped with the knowledge and skills to recognize a breach and respond appropriately. Our employees are on the front lines and in the best position to provide the first line of defense. We must provide them with the tools required to accomplish this.

Risk Assessments

Has your organization conducted a risk assessment? How would you answer the following questions? What are our risks? Have these risks been prioritized? What are the consequences of a breach? Would we experience financial harm, regulatory consequences and/or fines, irreparable reputational harm, loss of business or customers? If you’re unsure, a risk assessment should be conducted. This will help the business prioritize what needs to be managed, identify the appropriate controls/resources and develop an action plan.

Audits

Also, ask yourself, "Have we had an objective party audit our level of compliance? Do we follow our policies? Do we have policies? How about regulations and internal requirements?" Oftentimes, we have tunnel vision with our own organizations and lack the objectivity to evaluate our own practices. Audits are an effective way to provide an objective analysis. The results can help us identify gaps, opportunities for improvement and best practices to help our program become more compliant.

We cannot avoid every risk or prevent all breaches. However, we have a duty to our customers, stakeholders and employees to do our part to manage and mitigate our risks. Remember the best defense is a good OFFENSE.

To receive a free copy of our checklist “How to conduct a risk assessment,” send a request to malfonsowilliams@wam-consulting-group.com. I can also be contacted if you have questions or feedback.

photo credit: elhombredenegro via photopin cc
