I resolve to… leave those security errors for good in 2021
27.12.2021
Back to blog listI resolve to… leave those security errors for good in 2021.
The resolutions for businesses to begin the New Year without old mistakes finally cleaning up the awareness mess which never seems to be untangled – see the list, crisp fresh as first snow at dawn, below.
I resolve to…
Stop blaming hackers for every incident that abashes a company
What seems to be an obvious hackers’ swoop first, might as well be an intricate fraud. This year Ubiquiti has stepped on a wrong track marking a breach as a hacker attack which later appeared to be a result of a dubious behaviour of the company’s employee who became the malicious cause of the incident, reported the details to Brian Krebs and got caught by the FBI when experiencing VPN issues and flashing his actual IP address to the investigators.
Investigate always, not after
Investigation is commonly the last and longest step an organisation makes, as it usually requires addressing third-party investigators. As far as any data breach demands prompt reporting, an organisation has to know what exactly happened, what assets were affected, which users were impacted or got involved as violators, how bad the situation is in general.
Don’t rush to pay ransom
Ransomware attacks have been on the rise this year. According to IDC, above 1/3 of companies all over the world became victims of ransomware hackers in 2020-2021. 13% of organisations refused to pay ransom when they got trapped in a ransomware situation. Many companies have already been criticised for paying huge money to get their data back or ensure stoppage of its further distribution, because sums exerted from victims are growing, and the more companies pay ransom the bigger and more frequent those ransom will become. Anyway, paying money doesn’t guarantee that the copies stored outside become deleted or that the stolen data doesn’t get shared with third-parties.
Government organisations just have to resolve to…
…enhance significantly the overall information security program. For example, in Australia, 2/3 of organisations reported data breaches in government sector were the result of user mistakes. The lack of understanding of processes related to digitalisation among government personnel seems to be the reason for so many security issues. In Canada, a government employee was arrested for the unauthorised use of a computer leading to the leakage of information about vaccine certificates and vaccinated individuals. In Dallas, a city IT employee took the data from the Dallas school system stored in the cloud and uploaded it to the city data center’s server, the employee deleted 22 terabytes of the school data. Organisations in public sector are still struggling to achieve the adequate level of information security and data protection measures. While businesses tend to care about their profit relying only on themselves, government-based organisations depend only on government financial and expert help or awareness.
Make sure that third parties comply
According to SecureLink, 74% of organisations eventually faced the consequences of a data breach due to excessive availability of information to third parties. Half of the respondents confirmed that they neglected evaluation of privacy practices and security policies exercised by third-party organisations, whereas 54% of companies granted full responsibility to third-parties after entrusting them with corporate information. 65% were incapable of knowing for sure which exactly third parties could access their sensitive documents.
63% had still not enough knowledge about who among internal and external users could access their networks which proves a serious lack of visibility.
Introduce former employee security policies
Former employee is a threat often discarded by companies, as they are more interested in what is going on today in their workflow, than worry about what might happen from afar if someone would make an uninvited comeback. The number of cases in which employees take with them sensitive data and give it to a company’s competitors, or take revenge on a boss attempting to sabotage processes or blackmail a colleague, or merely steal data and put it up for sale on the dark web is not diminishing. This type of a security incident is quite possible, and it is strongly advised to configure security policies regarding employees who are on the verge of quitting or being dismissed, so that the company could control a user and prevent a potential fraud.
Instruct your team and refresh your security habits as well
What can happen if a user doesn’t think of information security as of primary concern? He or she might end up calling a hacker to know more details about an occurred breach. This year, 90% of LinkedIn users have got their data compromised. The huge data leak affected 700 million accounts on the platform, whereas the total number of users amounts to 756 million people. The hacker was successfully reached by the RestorePrivacy and hid no details about how the data was pulled out by him – he exploited the LinkedIn API. The curious thing is that LinkedIn clarified that all the data couldn’t be available via its API, meaning that some information was obtained the other way and somewhere else. Meanwhile, the data could still be purchased from the hacker forum.
It seems easy to blame anyone else on not paying enough attention to properly securing the corporate systems, while the problem remains unsolved and requires a party who would be responsible for the case.
Also, 85% of data breaches are the cause of targeting people, not software.
According to Verizon recent report, the majority of data leaks don’t happen due to software undermining, but ensue from scam communication with employees.
The analysis was based on 655 data incidents and 472 breaches in the healthcare industry.
Most breaches resulted from interaction with external actors – 61% - rather than due to human error. Anyway, human error might include some episodes of communication with external violators, whether it’s because of negligence or as an insider’s intent.
