When it comes to data breaches, 2016 has been a record-setting year. Gemalto's Breach Level Index shows that the first half the year saw…
- 974 reported data breaches.
- 554 million compromised data records.
That's a 15 percent increase in breaches and a 31 percent jump in compromised records compared to the final six months of 2015.
Not scared yet? Maybe a look at these major data breaches from 2016 will do the trick. They may represent the future of cybercrime. Is your business ready?
1. Hollywood Presbyterian & the Ransomware Data Breach
The healthcare industry has been a regular target for cybercrime, but the hack at Hollywood Presbyterian Medical Center in February added a disturbing twist to the old routine. According to the Los Angeles Times, cyber criminals used malware to take control of the hospital's computer systems. Administrators couldn't regain access until they paid $17,000 in bitcoin.
Apparently, ransomware is trending in the cyber underworld. Cybersecurity expert and lead faculty member at Dr. Chirs denHeijer Colorado State University-Global Campus (@CSUGlobal) cites the fact that new types of ransomware grew 172 percent in 2016.
Protect your business: Dr. denHeijer recommends training all employees on cyber security.
"Each employee needs to know what to look out for," he notes. "There has to be processes and procedures in place so that employees know what to do if they see that suspicious email or notice something strange about their computer."
For training tips, check out "Want to Cut Business Losses by Three-Quarters? Try Security Training."
2. Trump Hotel Collection & the Malware Data Breach
The Trump Hotel Collection fell victim to a malware attack in May 2015, but the whopping settlement happened this year. According to Computerworld, someone with legitimate domain credentials planted malware in the hotel chain's payment system to skim customer credit card information.
Hotels get hit all the time, but the report notes THC made some big mistakes in protecting its systems and reporting the breaches. For starters, it…
- Knew about the breach in June but waited until late September to notify victims.
- Found another breach in March and failed to notify people until June.
- Delayed the implementation of two-factor authentication for remote access.
The result? Fifty thousand dollars in penalties and a promise to improve data security practices.
For reference, nearly every state requires businesses to report cyber breaches within a certain timeframe or face fines. The National Conference of State Legislatures offers a state-by-state rundown.
Lastly, malware data breaches aren't new, but according to Information Age, Check Point's latest Security Report found that 89 percent of organizations had downloaded a malicious file. That's a 63 percent increase from last year.
"It uses something that you know and something that you are," Guccione says. "For example, it would ask you for a master password and then maybe your fingerprint to log in. That adds a ton of protection."
3. The World Anti-Doping Agency & the Reputational Hack
According to the blog Dark Reading, last September, Fancy Bear, a hacker group allegedly tied to the Russian government, breached the World Anti-Doping Agency. The hack, however, had nothing to do with money or identity theft. All Fancy Bear wanted to do was to ruin reputations.
As the article points out, defending your business from an attack motivated by revenge is difficult. Before you can set up protection, you have to figure out what data a hacker might be after. It's also easy to assume no one would want to target you. But an underhanded competitor or a disgruntled customer could easily justify hacking away at your reputation.
"Being proactive rather than reactive is key," says Perry. "While no single strategy fits all, practicing basic cyber hygiene would address or mitigate a vast majority of security breaches."
According to Guccione, good cyber hygiene requires stronger passwords.
"Using weak passwords for logins and reusing those weak passwords on multiple websites and services is typically the main culprit in breaches," he says. "A password manager creates high-strength passwords for all of your websites and uses high-level encryption to protect all of the secret information stored in that password management application."
Get more tips for basic data protection in "The Good News: Congress Is Paying Attention to Small Business Cyber Security."
How to Be Cyber Ready
- Assessment. Berger says, "Most end-point solutions within network environments must be given the IP addresses of devices to monitor." So make sure your assessment identifies the "unknown" devices in your environment, as well as where valuable assets are stored.
- Monitoring. "With the number of vendors accessing our networks to complete tasks, it's essential to have an eye on when they come in and leave out," says Berger.
- Remediation. As you monitor, you may see ways you can improve your security. Some changes may be small, such as removing devices or strengthening passwords. Others might be major, such as creating a contingency plan. Being prepared to adjust your security improves your ability to be a contender in the marketplace.
We're adding one more tip for making your business cyber ready: purchasing Cyber Liability Insurance. When good planning fails, Cyber Liability coverage helps you survive the fallout. Learn more in "The Small Business Guide to Cyber Liability Insurance."
About the Contributors
Dr. Chris denHeijer is an expert in cybersecurity and project management. He is the lead faculty for the Management Information Systems and Business Analytics program at Colorado State University-Global Campus. Dr. denHeijer has worked in the aerospace industry for the past 30 years, with responsibilities including project management and cybersecurity. He lectures on a wide variety of information technology topics and is a published author who has written articles on malware and wireless technologies. However, his greatest pleasure is teaching as an adjunct professor and sharing knowledge.
Brian Berger is the executive vice president of commercial cybersecurity for Information Management Resources, Inc. based in Aliso Viejo, California. His 20-year career in security spans authentication, public key cryptology, industry standards to root of trust, data protection, network access control, and analytics. Berger thrives on ensuring companies are cyber safe because it's not "if" – it's "when."
Darren Guccione is the CEO and co-founder of Keeper Security, Inc. Keeper Security is transforming the way businesses and individuals protect their passwords and sensitive digital assets to significantly reduce cyber theft and increase online productivity. As the leading password manager and digital vault, Keeper helps millions of people and thousands of businesses substantially mitigate the risk of a data breach. Keeper is SOC 2 Certified and utilizes best-in-class encryption to safeguard its customers.
Braden Perry is a litigation, regulatory, and government investigations attorney with Kennyhertz Perry, LLC. Perry has the unique tripartite experience of a white collar criminal defense and government compliance, investigations, and litigation attorney at a national law firm; a senior enforcement attorney at a federal regulatory agency; and the chief compliance officer / chief regulatory attorney of a global financial institution. He has extensive experience advising clients in federal inquiries and investigations, particularly in enforcement matters involving technological and financial issues. He couples his technical knowledge and experience defending clients in front of federal agencies with a broad-based understanding of compliance from an institutional and regulatory perspective.