PROTECTING YOUR CUSTOMER DATA FROM CYBER CRIMINALS
The
“bad guys” go where the action is. They surf the web looking for
winners of contracts for government agencies or companies. They
actively track and profile companies, prominent political figures,
celebrities, and people of financial wealth for ill-gotten gains. They
exploit weaknesses, not just in our technology protection, but also in
our human nature.
Cybercreeps
and cybercriminals are experts at understanding what makes a person
click on a link, open an attachment, or visit a particular website.
They target their victims by mimicking day to day tasks and trap them
into letting them into their devices, computers and networks. It used
to be that if you put in place the best, leading edge technology that
you could fortify your network and protect your digital assets and then
you were “safe”. That is no longer the case.
The
points of entry are increasingly sophisticated. Our point of view is
that they have the advantage of potential anonymity, scale of attack,
time to prepare, and the element of surprise in their favor.
We
have seen cybercriminals that use sophisticated spear phishing, a
focused email scam, to target a specific person or entity. We have also
watched some cybercriminals hijack press releases of legitimate
companies and convince you to click or download information. Another
set of cybercriminals are particularly expert at poisoning search engine
results. Cybercriminals are fond of using current news events to set
their malicious software trap. Any hot news topic, from the death of
Morgan Freeman (who is not dead) to the exploits of Julian Assange at
Wikileaks, presents perfect opportunities to poison search results.
Google reported that 1.3% of their search results are infected. So, if
you get 100 potential hits for your search request, that means 1 of them
could be a trap.
So what can you do to protect your customer data?
1. Educate your staff on the risks and the threats. Just a conversation about a news headline helps with awareness.
2.
Provide them with written guidelines such as "Never put customer data
on a thumb drive" or "Ask someone else at the company before you click
on a link in an email and give up company data".
3.
Practice a disaster - "Today, we found out that a cybercriminal made a
copy of our customer data and is selling it online....what would we do
in the next 60 minutes to recover?"
4.
Create a written policy about confidentiality of customer data and ask
your employees to sign it annually. The policy should include:
a. not talking about customers by name or industry online or offline
b. not sending customer data to personal email accounts
c. whether or not it is okay to have customer data on portable media
We
have been advising our customers for over 4 years about the risks of
social networking. Not only do some entities accidentally let the bad
guys in but often their staff also provides too much information to the
bad guys. 67% of people polled by Sophos, a software security company,
said they had been spammed via social networking. Facebook seems to
have a scam story or survey regularly. In addition, we have been able
to reconstruct our client’s whereabouts, company habits, and company
information using social networking sites such as Facebook, LinkedIn,
Twitter, and FourSquare as well as messaging boards like Microsoft and
Cisco. 57% of businesses polled by Sophos said they think their
employees share too much online but they do not know how to teach them
not to, or how to write policies that would enforce keeping company
secrets a secret without encroaching on First Amendment rights.
Even
though cyberspace can be unsecure, there are several tactics and
strategies that can protect people and entities from cybercriminals that
want to conduct any or all of the following activities: steal
sensitive information, take intellectual property, commit
cyberhactivism, launder money through accounts, take over identities,
commit attacks hiding behind your computer, and/or steal money.
A
recent Verizon study revealed that 87% of breaches could have been
avoided had adequate security controls been in place. Our aim is to
prevent your company from becoming a part of that statistic. We find
that implementing current policies and procedures and providing
education and awareness training are two critical pieces in protecting
you against the bad guys.
No comments:
Post a Comment