The severe ramifications for Barclays Bank, following the theft of thousands of customer files, has forced the issue of how organisations protect confidential data high up the agenda for both businesses and consumers. Trust is the cornerstone of all relationships so if it becomes compromised customers waste no time moving on to a brand they perceive as more deserving of their time and money.
This being the case, data security executives the world over, responsible for protecting customers personal information, are facing increasing pressure to prove that they have the plans and processes in place to ensure that their employer is not next to have its data security vulnerabilities exposed.
Indeed, in today’s multi-faceted virtual world, system failure is just the tip of the iceberg for technology leaders whose data strategies must now also incorporate protection against risk from the ever moving feast that is cybercrime. With tactics ranging from pop-up adverts and spyware to capture web browsing habits to the insertion Trojans or use of cleverly crafted queries designed to steal passwords and log-in information, there is risk associated with every online touchpoint.
Three Key Vulnerabilities
To protect against these attacks, organisations must give due diligence to the three key vulnerable channels hackers can compromise online:
- People – the potentially dangerous people with whom users interact. The Barclays security breach highlights the vulnerability posed by people with the now infamous delivery to a national newspaper of a memory stick containing personal details of 2,000 customers.
- Places – the potentially dangerous destinations or URLs where users visit. The number of phishing campaigns worldwide increased by more than 20 percent in the third quarter of 2013, with crimeware (malware designed specifically to automate cybercrime attacks) evolving and proliferating, according to the Anti-Phishing Working Group (APWG).
- Things – the potentially dangerous objects/applications with which the user interacts. Every day, more than 100,000 web sites are running with the singular goal of spreading crime ware which can cripple the effectiveness of information security efforts.
As evidenced by the Barclays fiasco, firms might think they have done enough to counter the risk posed by online crime, but in reality most are really not doing enough to keep data safe. Clear too, judging from the volume and severity of online crime, criminals know where vulnerabilities exist and have altered their strategies to bypass traditional security measures. The fact is, in today’s sophisticated technology landscape, security needs to be intelligent, scalable, and always on high alert wherever end users happen to be.
The rise of phishing is a pertinent example of a form of cybercrime which indiscriminately attacks businesses of all sizes, wreaking reputations and destroying livelihoods. A common form of phishing involves using email addresses stolen from specific databases using ‘SQL injection’ to launch targeted ‘spear-phishing’ attacks against email users.
General phishing attacks target a wide variety of people, typically flooding thousands of inboxes, however spear phishing targets specific people or organisations. To mitigate against this, protecting your databases using properly configured web application firewalls (WAFs) is a no-brainer.
There are two basic rules, of equal importance, that organisations need to keep front of mind when developing, implementing and managing data strategy:
- Rule #1 for protecting your customers: Never lose their identity – ensure clear accountability for protecting individuals’ privacy at all times.
- Rule #1 for employees: Educate them to not put business related information at risk – continually consider and address privacy concerns.
An approach built on these two rules is the only way to stop malware, spyware, viruses, malicious content, and other threats in order to prevent hacking attacks.
For example, taking ‘spear phishing’ as an example, the attacker will research personal information about the individuals in order to make their messages sound more convincing. The availability of personal information via social media has made this process a lot easier for cyber criminals, stressing the importance of ‘The Rules at all times for employees and customers alike.
Anticipated or not, there will always be new and bigger threats to data to deal with. As technology and devices become ever more deeply embedded in our lives the volume of vulnerable data will keep growing and the threats to that data keep morphing.
A startling indication of the future scale of data security risk came recently in the form of an attack that exploited a key vulnerability in the infrastructure of the internet itself. Hosting and security firm Cloudflare said it recorded the “biggest ever” attack of its kind in February this year when hackers took advantage of a weaknesses in the Network Time Protocol (NTP) to flood servers with vast amounts of data. That same technique could potentially be used to force popular services offline.
Unfortunately, despite the NTP being one of several protocols used within the infrastructure of the internet to keep things running smoothly, it was designed and implemented at a time when the prospect of malicious activity was not considered. And there will be many other pieces of software or process so deeply entrenched in the way organisations work that unexpected risks will continue to emerge.
The fact is, above all else, the best organisations can do to protect their data is to stringently adhere to ‘The Rules’ – making sure that they, and their employees, always have data security front of mind in every process and interaction.