Avoiding Common Hacking Schemes to Protect Company Data
Since 80% plus of hacks are the result of human error, it never hurts to remind people of the basic security best practices whose neglect creates the opportunity to be hacked.
According to a 2016 study from IBM regarding the costs of data breaches and loss, the average consolidated cost moved from $3.8 million to $4 million. On a granular level, the study also found the costs for each lost or stolen record containing sensitive and confidential information increased from $154 to $158. The stakes are indeed high for companies to properly manage their data, as loss and data exposure can effectively ruin a company’s reputation with customers and partners.
Here are seven ways individual employees and IT are causing companies to lose data, and some best practices for preventing crippling data loss.
Changing advanced settings. The “advanced settings” feature on computers is not there just for show. It’s a serious warning to users that they had better know what they are doing before they start making system changes. A frequent example of such a setting involves the BIOS (Basic Input Output System), which is the chip that instructs the computer on the next steps to take after power-on. Changes to this setting can be made with the best intentions, but they might expose the machine to data loss or theft. Advanced settings adjustments are best handled by IT in controlled environments in order to greatly reduce the chances of local data loss.
Downloading fake software. There were more than one million downloads of a fake WhatsApp app via the Google Play Store in November of 2017, reflecting the ease with which rogue developers can create fake software. This problem is especially prevalent with anti-virus software, where hackers will build what looks like a legitimate anti-virus tool and offer it for free, when in fact it’s a conduit for accessing systems.
Exposing the company to ransomware. With this summer’s cyber-incidents in mind, most should be aware that ransomware is a hacking scheme that involves taking over a person’s computer files, encrypting them so they appear as garbled text/images and then asking for a ransom to pay for the encryption key. Some might not be aware, however, that hackers typically gain access through email attachments or by guessing passwords, which further reinforces the need for complex passwords and a company-wide reminder to be very cautious when opening email attachments from non-colleagues and clients. Data loss comes when the hackers steal valuable information during the ransom period or, if the ransom isn’t paid, when the hackers leave the data encrypted or destroy it beyond repair, as they typically do.
Falling for phishing schemes. A phishing scheme is an attempt by a hacker to create messaging that resembles communications from a legitimate company as a means of gathering personal or corporate information. For example, there’s a well-known phishing scam involving Netflix, where a user will receive an email that looks like an official Netflix email stating that their account has been suspended. The recipient will be urged to click through to a landing page, which then asks for personal data, including credit card info and sometimes even SSNs. The landing page will also resemble Netflix-branded content and be set up to avoid most website and spam blocking tools. These phishing sites also frequently contain malware such as keyloggers, which can create data loss exposure for people who access the phishing site through their work computers.
Clicking on hijacked ads. Cybercriminals will often place banner ads on legitimate websites in order to entice business or personal users. Once the link is clicked, the malware goes into the user’s system undetected, giving the criminal inside access to take data or hold the company hostage. Many banner ads are bought directly by hackers, or they hijack the ad server and redirect the ads. To combat this issue, companies should teach staff members to not click on any banner ads. If the employee wants to learn more about a company or offer, they should simply search for and proceed to the company’s own verified URL.
Not managing ex-employees and vendors. A common data loss scenario involves an ex-employee or contractor who accesses information without proper authorization. In many cases, data breaches can occur years after an employee leaves a firm because the business does not have access controls in place to revoke their login credentials. Outside IT vendors are another culprit, as they employ staff members who might need temporary access to a company’s systems. Both of these sets of people are a considerable risk factor for unauthorized access.
Using improper backup procedures. A very common reason for data loss (especially among smaller companies) is storing data locally, experiencing a failure event, and not having a data backup. It’s 2017, and data storage is very inexpensive, both for physical drives and cloud storage, especially when you do a risk/reward analysis that compares the downside of losing data with the costs of storage. Businesses should institute strict backup procedures for their corporate data, including processes for individual employees and departments. Moving data to the cloud is an ideal choice, as it removes content and potentially confidential files from laptops, thumb drives, or other more exposed storage methods.
Companies should also make “backups of the backups,” given how cheap storage is. Smaller firms can move data to the cloud and also back up to external hard drives and store them at a different secure location.