The average cost of a data breach in 2017 was $3.62 million with 5,076,479 data records stolen on average every day. In order to protect your company and not fall into one of those costly statistics, it is important to know where the danger lurks. Below we will discuss the ways breaches happen and what steps you can take to try and avoid a credit card data breach.
A Data Breach
It is imperative for companies to protect the data that they collect from their consumers, failing to do so results in a data breach. According to Identity Theft Resource Center, there have been 8,909 confirmed data breaches since 2005, resulting in the exposure of 1,078,783,151 records. The ITRC defines a data breach as an incident in which an individual name plus a Social Security number, Drivers License number, medical record or financial record (credit and debit card included) is potentially put at risk because of exposure. Breaches are broken down into five categories, as follows: business, financial/credit/financial, educational, governmental/military and medical/healthcare.
How Breaches Occur
Hackers
There are several ways in which consumer data can be snatched by unauthorized personnel. In order to know how to protect yourself, you need to know how breaches are possible. The most common kind is hacking and computer intrusion. A hacker is a person or group of people who gains access to a company’s data, especially sensitive credit card data, by exploiting gaps in cyber security. For example, a recent breach occurred in the consumer credit reporting agency Equifax, hackers discovered a weakness in a software tool used to build web applications. The slow reaction time of the company allowed hackers to target and access the data of 143 million consumers.
Phishing
Hackers are creative and resourceful, but most hacks are not that sophisticated. A common method for hackers is to send an email, seemingly from a reputable source, attempting to have employees release sensitive information. This method is known as phishing. Hackers use this method as a way to get employees to reveal login information, allowing the hacker to gain further access to company documents.
The social media company Snapchat was the victim of a phishing email scam recently. The email was sent to an employee during tax season by someone impersonating the CEO of the company. The email asked the employee to forward payroll information for all of the employees. Unaware that this was a phishing attempt, the employee released that information only to realize later that this was not the CEO. [Read this article for some tips on keeping your identity safe especially during tax season]
Malware
Another possible outcome of opening harmful emails or visiting certain websites is the accidental download of malicious software. Malware, aka malicious software, is a general term for any software used to access a computer system without the owner’s authorization. There are quite a few different types of malware that can be used in a data breach. One of the more common and well known types is a trojan horse. This type of malware is again usually planted as an email attachment in an effort to have an unsuspecting employee open it. Once opened the malicious code of the trojan horse can be used by a hacker to steal information from the company.
Blended Threat
Something called a blended threat combines the characteristics of viruses, Trojan horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By using multiple methods and techniques, blended threats can rapidly spread and cause widespread damage. Characteristics of blended threats include the following:
- Launches a Denial of Service (DoS) attack at a target IP address, defaces Web servers, or plants Trojan horse programs for later execution.
- Scans for vulnerabilities to compromise a system, such as embedding code in HTML files on a server, infecting visitors to a compromised Web site, or sending unauthorized email from compromised servers with a worm attachment.
- Injects malicious code into the .exe files on a system, raises the privilege level of the guest account, creates world read and writable network shares, makes numerous registry changes, and adds script code into HTML files.
- Continuously scans the Internet for vulnerable servers to attack.
- Takes advantage of known vulnerabilities, such as buffer overflows, HTTP input validation vulnerabilities, and known default passwords to gain unauthorized administrative access.
Insider Wrongdoing
Data breaches not only come from outside the company but can also come from within. These breaches are often due to an employee accidentally passing on the data, but data is sometimes taken by ex-employees, too. There is also the possibility of a dishonest employee using their own credentials to gain access and steal consumer information. Breaches have even happened because of lost or stolen hardware such as mobile devices.
Preventing Data Breaches
Bring in a Specialist
It could be beneficial for your company to bring in a cybersecurity specialist for consultation. A specialist can provide insight into how to best protect your business and keep security at the top of everyones mind. There are plenty of examples of breaches from the past thirteen years or so. The most useful thing you can do is educate yourself on recent incidents and make sure the correct protection is in place to prevent the possibility of a similar data or credit card breach. The last thing you want is for a hacker to commit fraud and damage your company in any way.
Train Employees Well
Next, as a business owner or manager, one of the biggest ways to avoid data breaches is to train your employees well. A large number of threats still rely on people accessing malicious files, attachments or websites. Being able to run interference on these threats will decrease the chance of them taking shape. In addition to following the PCI DSS, establishing a written policy about privacy and data security and communicating it to all employees goes a long way. It is also important to educate employees about what types of information are sensitive or confidential and what their responsibilities are to protect that data.
Protection from Phishing
Another part of training employees well has to do with making sure they recognize malicious emails. Guarding against phishing can be as easy as training employees to forward all suspicious emails to one person. Most will probably be false alarms, but it gets employees to be on the lookout and question potential scams in the future. Employees are still people though and people make mistakes. Thats why keeping all software up-to-date and using proactive web filtering services are the most effective way to combat phishing. Phishing attacks attempt to exploit software vulnerabilities, which can be fixed usually with the latest update. You could also add another layer of security by setting up two-step verification for logins. You sign in with a password and then a code is sent to your phone to verify the login attempt.
Avoiding Malware
A combination of knowledge, awareness and monitoring will help your business avoid malware on computers and mobile devices. Since malware can be installed through phishing emails we will once again stress the importance of training employees to spot malicious emails. Risk management firms will always recommend not clicking on links or attachments in emails you don’t recognize. It is also essential to install protective firewall, anti-spyware, and anti-virus software across your network and update regularly. In addition, check your software vendors’ websites for any updates concerning vulnerabilities and associated patches. Finally, do not use your browsers auto-save function for passwords and login information. That is an easy way for unauthorized personnel to access sensitive data.
Here are some ways to avoid malware from emails:
- If an email is from an unknown source, delete it. Do not open it.
- If you receive an email from a known source but are unsure of it, contact the sender before opening the email to see if it is a legitimate email. The sender could have a virus that attached to their address book and sent out the virus to all people in the senders address book.
- If an email looks like it could be from your bank, an airline, Fed Ex, etc. but you did not do business recently with them, it is likely malware or spam. Look very carefully at the email address to insure it is legitimate before clicking on it.
- FedEx, UPS, DHL, and banks will never send you a .ZIP attachment or ask for your password. These emails are typically filled with malware and are harmful to your computer.
- Be aware of emails that send you links to other websites. These links will be underlined and in blue. If you weren’t expecting one, do not click on it.
Some tips for avoiding malware from internet browsing:
- In general, when performing a search (ie: Google), the first page or two of search results that are displayed are generally legitimate websites. Avoid anything that is not on pages 1 & 2 of the search results.
- Avoid any URL that does not end in .com, .us, .edu, .gov, or .org unless you are absolutely sure of the validity of the URL.
- Watch out for pop ups. Never click I agree or OK on an internet pop up. Look for the red X in the upper right hand corner and close the pop up.
- Don’t install free software unless you know it is safe. Free software is one of the top ways malware spreads.
Limit Insider Wrongdoing
One way companies are attempting to protect against insider wrongdoing is through controlling the access employees have to specific data, for example through implementing permissions and policies. Only giving employees access to as much data as their jobs require is important. By doing this, businesses arent needlessly releasing valuable data, and therefore have more control over their sensitive information. This might limit the risk of the data falling into the wrong hands and reduce the threat of an internal data breach. Train employees to never leave laptops or PDAs unattended. Restrict telecommuting to company owned computers. Require the use of strong passwords that must be changed on a regular basis. Don’t store personal information on a computer connected to the Internet unless it is essential for conducting business. These are all good practices to limit breaches from inside your company.
Is Your Credit Information Secure?
In addition to maintaining PCI compliance, these are some further ways to make sure your credit information is secure:
- Conduct an inventory of every place sensitive information might be stored, including computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment. Also keep in mind that your business probably has information come through sources other than digital ones. No inventory is complete until you check everywhere sensitive data might be stored. It is a healthy security practice to track personal information through your business. You should be aware of things like who sends sensitive personal information to your business, how your business receives personal information, what kind of information you collect at each entry point, where you keep the information you collect at each entry point, and who has or could have access to the information.
- Scale down what is stored and keep only what you need for business. If certain information isn’t needed don’t keep it or even collect it. If you have a legitimate business need for the information, keep it only as long as its necessary. In terms of credit card information, don’t retain the account number and expiration date unless you have an essential business need to do so. Keeping this information, or keeping it longer than necessary, raises the risk that the information could be used to commit fraud or identity theft.
- Protect the information that you do keep. For physical copies of sensitive information, keep it in a secure and locked location and limit who has access to it. For digital security make sure to encrypt sensitive information that you send to third parties over public networks (like the internet), and encrypt sensitive information that is stored on your computer network, laptops, or portable storage devices used by your employees. Consider also encrypting email transmissions within your business.
- Have a plan in place for when security incidents might occur. In a perfect world following everything outlined above would be enough to never experience a data breach. This isn’t a perfect world, so knowing what to do when it does happen can help you limit the harm a security breach has on your company. You should investigate security incidents immediately and take steps to close off existing vulnerabilities or threats to personal information. Have on hand a list of who to contact inside and outside of your company including consumers, law enforcement, credit bureaus, and other businesses that may be affected by the breach.
There are many good practices to keep your business safe from hackers who would steal information from you. Hackers are constantly evolving how they acquire credit card data from businesses, so your company should constantly be researching and evolving how you protect yourselves from those attacks. If you take the proper steps to avoid a data breach, you will significantly limit the opportunities hackers have to slip past your security.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.
Resources:
https://www.pcisecuritystandards.org
https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business
https://www.key.com/about/security/protect-business-from-malware.jsp
https://support.symantec.com/en_US/article.TECH98539.html
https://dmctechgroup.com/dmcblog/best-practices/
http://www.central-insurance.com/docs/tips-DataBreach.htm
https://www.idtheftcenter.org/Data-Breaches/data-breaches