Just last week, there were announcements of three large data breaches from well-known companies -- Panera Bread, Hudson’s Bay Company (Saks Fifth Avenue and Lord & Taylor), and Under Armour (MyFitnessPal). All these breaches come just after the news of ransomware attacks on Boeing and the City of Atlanta.
While many businesses may ignore these announcements with the thought that because they don’t use these sites or services as part of their business workflows, they don’t have exposure -- and this thinking could be a big mistake.
Two of the common uses for the information captured during a breach are (1) identity theft and (2) user credential theft.
Identity theft is pretty straight-forward -- someone impersonates you to make purchases at your expense or signs up for other services and credit lines with your name and identification. We normally think of this as a risk to an individual that can be mitigated, but not prevented, by leveraging credit and identity monitoring services.
User credential theft on the other hand is a significant issue for businesses. What if one of your staff used their business email address as their login ID to order take-out from Panera? And what if they used the same or similar password for their Panera online account that they use to login to their office computer, or their Office 365 email, or your online accounting package, or your bank...and the list goes on.
Instead of waiting for the world to crash down around you, take preventative measures:
- Educate your staff on appropriate data and IT security concepts and procedures. Internal security training programs that cover the basics of security including passwords, phishing and social engineering attacks add significant benefit to the business, as well as the individual in their personal life.
- Equip your staff with the tools that enable them to secure their accounts. Secure password management applications help users create complex, unique passwords for all systems, apps, and sites. Additionally, multi-factor authentication systems provide another layer of protection which exponentially increases your login security.
- Limit access to only the data and apps that people need. The days of every user having access to all data and every application are over. Even if you don’t think the information you have is sensitive or confidential within your organization, all of the data that a user has access to is exposed to a ransomware infection. Default everything to “no-access” and give users access only if/when needed.
- Monitor your systems and exposed data. Early warning and detection of exposed data or unusual activities within your environment can help prevent or mitigate the impact of a breach. Most IT management systems and services monitor your technology assets for performance health statistics, but they don’t look for changes, anomalies, and threats. At the same time, dark web monitoring services help you understand what user credentials may have already been exposed via a breach or malware infection. Yes, you can monitor the dark web and take action accordingly.
This may seem like a lot to absorb and to address -- and it is. But we have spent the last few years evaluating systems and vendors and developing our managed security services to help combat the increasing level of threats that target our clients.
Part of the reality is that IT support costs are increasing, and a larger portion of your IT budget will be spent on security.
Historically IT security budgets were focused on preventing those ubiquitous “hackers” from getting into your systems and stealing your data. You gauged your exposure and potential pain (expense) based on how valuable you thought your data was. Today, the greater risks that you face are the loss of your ability to conduct business, the loss of your reputation due to a ransomware infection, and the potential for financial loss through impersonation events like “CEO fraud.”
As your IT partner, CoreTech is here to help you navigate the current threat landscape and determine what needs to be done to mitigate your risks. Security is not a cookie-cutter business, so we will work with you to figure out what approach is most prudent for your organization.
If you would like to have a conversation about your thoughts and concerns on security for your organization, call us now, at 402.398.9580. Let's start implementing security procedures and safeguards to keep your data and business safe.