18 Apr How sure RU that your Data is Secure?
In today’s world your data is more important than it has ever been, and we can no longer simply put it in a locked file cabinet to feel secure. Most people do not even choose to print out their important documents because there is often no need to do so and printing can be quite an expensive option. Also, it is estimated that today more than 89% of businesses are leveraging the cloud in one way or another. That means there are multiple access points to your data today, so it is vital you have a clear understanding of your security, both on-premise and off-site.
In each of the past three years, the number of reported data breaches has increased, and it will probably continue to do so for years to come. That does not prove we are less secure today than we were in 2015, but it certainly does not prove the opposite either. In 2016 the business sector was hit the hardest, followed closely by the healthcare/medical industry. The education sector was a somewhat distant third, with government/military and banking/credit rounding out the top five industries. Hacking/skimming/phishing attacks were the leading cause of data breaches in 2015 and the previous 7 years, accounting for over 50% of the overall breaches. Breaches involving the accidental email/internet exposure of information were the second most common type of breach at just over 9%, followed by employee error rounding out the top three at just under 9%. Social Security numbers are the biggest target of hackers year after year, and in 2015, four breaches exposed over 120 million Social Security numbers to state-sponsored hackers and cyber criminals. While credit and debit card numbers can be changed, Social Security numbers cannot. Therefore, monitoring and damage control become paramount in this fight to protect our data and identities.
Establishing effective cyber security defenses requires more than simply investing in next-gen firewalling and security practices. In fact, most breaches today result from exploiting known vulnerabilities and/or configuration-related weaknesses; it’s reasonable to suggest that a more sensible strategy is to reduce one’s attack surface first, and then use an overlapping set of detection-focused countermeasures to mitigate the risk. Businesses and organizations cannot afford to stand still when fighting these cyber criminals; their IT teams need to keep pace with the constant changes around them by making changes of their own.
Establishing effective cyber threat defenses is not easy. Today’s threat actors have a seemingly endless capacity to advance their wares and only need to find a single weak spot. As defenders, however, IT security teams can only guess at hackers’ next moves and must provide coverage for every user, endpoint, server and application within and beyond the physical walls of the datacenter. Users are typically the weak link in this chain, often because of low security awareness. In second place is “too much data to analyze”, followed by “lack of effective solutions on the market”, “lack of budget” and “too many false positives”.
Which of the following security technologies are currently in use or planned for acquisition by your organization to guard against cyber-threats?
- Network-based antivirus
- Advanced malware analysis / sandboxing
- Secure email gateway (SEG)
- Secure web gateways (SWG)
- Web application firewall (WAF)
- Database firewall
- Database activity monitoring (DAM)
- Application delivery controller (ADC)
- Application vulnerability scanner
- File integrity / activity monitoring (FIM/FAM)
- Cloud access security broker (CASB)
- Data loss / leak prevention (DLP)
- Denial of Service (DoS) and distributed Denial of Service (DDoS) prevention
- Intrusion detection / prevention system (IDS/IPS)
- Security information & event management (SIEM)
- Security analytics / full-packet capture and analysis
- Network behavior analytics (NBA) / NetFlow analytics
- Next-gen Firewall (NGFW)
- Threat Intelligence service
- Mobile device antivirus / anti-malware
- Mobile device / application management (MDM / MAM)
- VPN to on-premise security gateway
- Network access control (NAC)
- Mobile device file / data encryption
- VPN to cloud-based security gateway
- Virtual desktop infrastructure (VDI)
- Containerization / micro-virtualization
What percentage of laptops used by your mobile workforce are backed up regularly to guard against data loss due to cyber threats? On a global basis, it is estimated that only one in five organizations regularly back up more than 80% of their mobile workforce’s laptops. More than a third back up less than 40% of these highly exposed devices. Health care organizations lead other verticals, with more than 1/4 regularly backing up more than 80% of mobile users’ laptops. Given the number of relatively affordable solutions available in the market today, this is ridiculous, IMO.
What percentage of your IT budget is allocated to information security? This is an area that is trending in a positive direction, with nearly 1/3 of organizations now spending north of 16% on security. This is most likely due to the attention received at the C-level or board-level today at organizations of all sizes. An anomaly to this trend is the financial vertical, which ranks among the lowest in security spending of the “BIG 7 industries” (education, finance, government, healthcare, manufacturing, retail and technology). The very largest organizations are spending proportionally more on security than their smaller counterparts, by close to double.
How often does your organization conduct full-net activity vulnerability scans? Today it is estimated that the share of organizations doing monthly scanning has inched upward from 38% to almost 44%, and those scanning less than once a quarter dropped to 26%. The bad news here is that more than a quarter of organizations seem to remain in the Stone Age and conduct full-network scans at best twice a year.
Does your organization embrace BYOD? It might seem counter-intuitive, but more organizations today are backing away from BYOD (bring your own device). Last year nearly a third of organizations were bullish on BYOD, but studies have indicated this trend is now close to a quarter. An obvious possible reason for this is that they have realized BYOD programs are harder to establish, manage and secure than they originally thought. As you might expect, government agencies are the slowest of the “BIG 7” to embrace BYOD, with 4 out of 10 indicating their organization has no plans for BYOD deployment. Larger organizations have been far more aggressive than their more nimble, smaller counterparts, with BYOD adoption rates at 37%, compared to 25%.
What is the cost of a cyber security breach? According to IBM and Ponemon Institute’s “2016 Cost of Data Breach Study”, the average total cost of a data breach for the 383 companies participating in the research increased from $3.79 million to $4 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in 2016. The cost of data breaches varies by industry. While the average cost was $158, healthcare organizations had an average cost of $355, education $246, transportation $129, research $112 and the public sector was the lowest at $80. The average size of the data breach increased by 3.2%. Abnormal churn, which is defined as the greater than expected loss of customers in the normal course of business, grew 2.9%.
Top 10 Biggest Data Breaches of 2016, according to CRN
- Yahoo – Yahoo suffered not only the biggest breach of the year, but the two biggest. In September, it announced it had discovered a breach from late 2014 that affected more than 500 million user accounts. The data breach exposed certain user account information, including names, email addresses, telephone numbers, birth dates, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers. Just a few months later, in December, Yahoo announced a second, larger breach that it said affected 1 billion user accounts. The second breach, which it said was separate from the first, occurred in August 2013, with an unauthorized third party stealing data that included names, email addresses, telephone numbers, birth dates and hashed passwords.
- Democratic National Committee – As the presidential election campaign came down to its final days this fall, thousands of leaked emails from the Democratic National Committee were published on Wikileaks. In October, the U.S. government said it believed Russia was behind the hacking of the DNC to steal the documents and emails in question.
- Myspace – In May, many users got a reminder that they still held Myspace accounts, as the social media network announced a breach that reportedly affected 360 million accounts. In a blog post announcing the breach, Myspace said it discovered that email addresses, user names, and passwords for accounts created prior to June 11, 2013 had been posted on an online hacker forum.
- Department of Health & Human Services – In April, a laptop and portable hard drives containing personal information were stolen from the Office of Child Support Enforcement in Washington, part of the U.S. Department of Health and Human Services. The devices were stolen by intruders who likely used a key from a disgruntled former employee, police said at the time. The devices contained personal information on as many as 5 million individuals, including Social Security numbers, birth dates, addresses and phone numbers.
- Verizon Enterprise Services – After a report emerged from security journalist Brian Krebs in March, Verizon Enterprise Services announced that it had been the victim of a data breach that affected more than a million of its enterprise customers. The breach allowed hackers to collect information on an estimated 1.5 million enterprise clients, including basic contact information.
- State Fishing & Hunting License Sites – In August, a hacker attacked the wildlife sporting licensing sites of four states, gaining unauthorized access to the personally identifiable information of more than 6 million people in Washington, Kentucky, Oregon and Idaho.
- Oracle Micros – In August, security journalist Brian Krebs reported that computer systems at Oracle had been hacked with attacks directed at the company’s Micros Systems credit card payment systems. Oracle Micros Systems is one of the top three point-of-sale systems in the world. The Krebs report said that a Russian organized cyber crime group “known for hacking into banks and retailers” appeared to be behind the attack that “breached hundreds of computer systems” at Oracle.
- Weebly – Web hosting service and website builder Weebly confirmed a hack in October that affected more than 43.5 million accounts, including user names, email addresses, passwords and IP addresses. The breach affected both the security of the users and the websites associated with them.
- 21st Century Oncology – In March, 21st Century Oncology, a Fort Myers, Fla.-based cancer care provider, announced that a data breach had exposed the information of 2.2 million patients based across all 50 states and internationally. Hackers broke into a company database in October 2015, the company said, accessing personal information of patients, including names, Social Security numbers, physician names, diagnoses, treatment data and insurance information.
- Hewlett Packard Enterprise Services – While not one of the year’s largest breaches by number of individuals affected, a Hewlett Packard Enterprise Services breach in October is of particular importance to the channel. In November, the Navy announced that in the month before, a laptop operated by an HPE Services contractor had information accessed by “unknown individuals.” The information included names and Social Security numbers of more than 134,000 current and former Navy employees.
While your organization might not seem to be a prime target of cyber criminals, like the top 10 above were, your data security is of utmost importance to the health and stability of your business. And you do not need to be a victim of a cyber crime to have a security breach, as indicated earlier in this blog. If you would like to have a security audit or just a discovery call, please contact us at info@KloudTekConsulting.com. Our team of cyber security experts is globally located to meet your needs and help provide the peace of mind you need where your data is concerned.