6 Deadly Data Breach Prevention Sins
Cybercrime has become a worldwide issue, thanks to the growing sophistication of online techniques. In 2014 alone, the FBI’s Internet Crime Complaint Center received 269,422 complaints with an adjusted dollar loss of $800,492,073.
More than a third of financial services industry websites contain at least one serious vulnerability, such as data exposure, every single day, according to the Santa Clara, Calif.-based WhiteHat Security’s Website Security Statistics Report. Serious vulnerabilities give attackers the ability to take control over a website, compromise user accounts on a system, access sensitive data, violate compliance requirements and possibly make headlining news.
According to cybersecurity experts, there is no single fix – except for the awareness that cybercriminals continue to change their tactics and seek out the weakest defenses to compromise systems, and steal data and money.
To successfully fight off cybercriminals, credit unions must turn their focus to their most vulnerable areas, and be sure never to commit these six deadly sins.
Note: This list contains only a portion of the top cybersecurity sins; check out the full list in the June 3, 2015 issue of CU Times.
1. Not monitoring social media users. According to IC3, “social media has provided a quintessential goldmine of personal data for perpetrators.” Some of their social media fraud methods include click-jacking (concealing hyperlinks beneath legitimate clickable content), doxing (publicly releasing a person’s identifying information online without authorization), and pharming (redirecting users from legitimate websites to fraudulent ones for the purpose of extracting confidential data). Credit unions should impose restrictions on employees visiting external sites on organization-owned computers.
2. Overlooking threats from within. Insiders have access to vital data, already comprehend the credit union’s structure, and can circumvent security more effortlessly than outsiders can. Credit unions need to determine their level of exposure to insider threats, control inbound delivery methods, and aggressively implement administrative and technical solutions for controlling the potential damage an insider can cause.
3. Practicing employee negligence. According to IC3, the business email compromise scam continues to evolve, and in 2014, targeted businesses reported having their personal emails compromised and multiple fraudulent requests for payment carried out and sent along to vendors. In 2014, IC3 received 2,417 business email compromise complaints with a total reported loss of $226 million.
Criminals often revert to low-tech techniques such as phishing, which is very difficult to detect with a technology solution. User training combined with behavior analytics might be a necessary defense strategy, depending on the nature of the attack.
For companies with a BYOD policy, employees should be aware of using USB drives that are not encrypted or safeguarded, and leaving computers unattended when outside the workplace. Employees who use personal devices for company business are also putting their own information at risk.
4. Using weak passwords. Despite advances in security technology, passwords are still the first line of defense for most credit union PCs, laptops and mobile devices used for business. Members and staff invite trouble when picking passwords that are easy to remember and just as easy to decipher, such as their own, children’s or pets’ names, birthdays, or a simple number sequence such as “123456.” A compromised password opens the door to email or online banking fraud.
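The guessable patterns named above (a user's own, children's or pets' names, birthdays, and simple sequences such as “123456”) can be screened for at password-set time. The following checker is an added example written for this article, not code from CU Times or from any vendor quoted here; the denylist, the personal-profile format and the sample passwords are constructed for the demonstration, and a real deployment would load a large breached-password list instead of the handful of entries shown.

```python
import re
from datetime import date
from typing import Dict, List, Optional

# Constructed, deliberately tiny denylist for the demo. A real deployment would load a
# large breached-password list instead of hard-coding a handful of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "abc123", "iloveyou"}


def _is_sequence(s: str) -> bool:
    """True if s is one run of consecutive ascending or descending characters ('123456', 'fedcba')."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def _birthday_tokens(bday: date) -> set:
    """Digit strings people commonly derive from a birthdate: year, MMDD, DDMM and full dates."""
    y, m, d = bday.strftime("%Y"), bday.strftime("%m"), bday.strftime("%d")
    yy = y[2:]
    return {y, m + d, d + m, m + d + y, d + m + y, y + m + d, m + d + yy, d + m + yy}


def check_password(password: str, personal: Optional[Dict] = None, min_length: int = 12) -> List[str]:
    """Return the reasons a password is weak; an empty list means it passed every check.

    `personal` is an optional dict (assumed format for this example) with 'names' (list of str:
    the user's own, children's or pets' names) and 'birthdate' (datetime.date).
    """
    personal = personal or {}
    reasons: List[str] = []
    lower = password.lower()
    # Keep only letters and digits so '123-456' or 'Fluffy!' still match the patterns below.
    core = re.sub(r"[^a-z0-9]", "", lower)

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if lower in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("appears in common-password denylist")
    if _is_sequence(core):
        reasons.append("is a simple character sequence")
    if len(core) >= 4 and len(set(core)) <= 2:
        reasons.append("uses only one or two distinct characters")
    for name in personal.get("names", []):
        if len(name) >= 3 and name.lower() in core:
            reasons.append(f"contains personal name '{name}'")
    bday = personal.get("birthdate")
    if bday is not None and any(tok in core for tok in _birthday_tokens(bday)):
        reasons.append("contains birthdate-derived digits")
    return reasons


if __name__ == "__main__":
    # Constructed sample profile and candidate passwords.
    profile = {"names": ["Fluffy", "Emma"], "birthdate": date(1985, 3, 12)}
    for pw in ["123456", "Fluffy2012!!", "xx03121985yy!", "Tz7!kQ9#mR2&pL4"]:
        print(f"{pw!r}: {check_password(pw, profile) or 'ok'}")
```

The checker returns every reason rather than stopping at the first, which is what a self-service password-change page needs in order to tell the user what to fix. The personal-information checks only work when the enrolment system can supply those facts; where it cannot, the denylist and pattern checks still catch the “123456” class of password.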
“In the last 12 months, looking at how data is secured and how even employees are gaining access to accounts, how fraud can happen internally, how any sort of breach in and around extracting or accessing takes place, we think you will eventually see a move into having a place for biometrics,” Shawn Edmunds, North America vice president for the London, United Kingdom-based ValidSoft, which provides a voice recognition platform, claimed.
5. Not evolving protection strategies to fight malware. Dangerous new vulnerabilities continue to catch many IT departments by surprise. Dyre and Dridex are the top two financial crime attack toolkit platforms used worldwide in Q1 2015 (based on the number of incidents), Eward Driehuis, product manager for the Amsterdam, Netherlands-based cyber intelligence firm Fox-IT explained.
The Dyre Wolf scheme targets corporate banking accounts, and the organization behind the malware campaign consistently updated and maintained the malware, adding more tricks to further their deception. Dridex, the latest version of the Bugat/Feodo/Cridex banking Trojan, uses email campaigns that carry Word document attachments with built-in macro code to download and execute the Trojans.
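Because the Dridex campaigns described above ride on Word attachments carrying macros, a mail gateway can flag macro-capable Office attachments before they reach a mailbox. The following inspector is an added example written for this article, not code from Fox-IT or from CU Times. It relies on two facts about Office Open XML files: they are zip containers, and a document with VBA stores it in a part named vbaProject.bin and declares a macroEnabled content type in [Content_Types].xml. The sample attachments it builds are constructed for the demo and are not real Word files; legacy binary .doc files (OLE2 containers) are only recognised, not parsed.

```python
import io
import zipfile
from typing import List

# Compound File Binary (OLE2) header, the container used by legacy .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions Office treats as macro-enabled.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def inspect_office_attachment(filename: str, data: bytes) -> List[str]:
    """Return findings indicating the attachment can carry VBA macros; empty list means none found."""
    findings: List[str] = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        findings.append(f"macro-enabled extension .{ext}")
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams that this zip-based check cannot read.
        findings.append("legacy OLE2 Office file; needs an OLE parser (e.g. oletools/olevba) to inspect macros")
        return findings
    if not data.startswith(b"PK"):
        findings.append("not an Office Open XML (zip) container")
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The VBA project part is named vbaProject.bin whatever the file extension says.
            if any(n.rsplit("/", 1)[-1].lower() == "vbaproject.bin" for n in names):
                findings.append("contains an embedded VBA project (vbaProject.bin)")
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if "macroEnabled" in ctypes:
                    findings.append("declares a macro-enabled content type")
    except zipfile.BadZipFile:
        findings.append("corrupt or truncated zip container")
    return findings


def is_macro_bearing(filename: str, data: bytes) -> bool:
    """Policy helper: True when any finding points at macro capability, legacy OLE2 included."""
    return any(k in f for f in inspect_office_attachment(filename, data) for k in ("macro", "VBA", "OLE2"))


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Office Open XML container for the demo; it is not a real Word document."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample_ooxml(True)),
                       ("notes.docx", build_sample_ooxml(True)),
                       ("report.docx", build_sample_ooxml(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 64)]:
        print(name, "->", inspect_office_attachment(name, blob) or "no macro indicators")
```

The check looks inside the container rather than trusting the extension, so a macro-bearing file renamed to .docx is still reported. A gateway that quarantines on `is_macro_bearing` will also hold legacy .doc attachments until an OLE-aware scanner has looked at them, which is the conservative choice given that this script cannot read them.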
6. Slacking on training. This was a leading factor for 51% of respondents, according to the SANS report. Financial institutions tend to focus on transactional security compliance, but employees are just as vulnerable to hackers and data breaches in their day-to-day business operations. Training curricula should cover techniques for creating secure passwords; ways to avoid keylogger scams and phishing cons; and information on how to protect devices against viruses and malware.