Today, when all information is digital, the protection of customers’ and employees’ private data is a critical task for any organization – as critical as keeping the doors locked, if not more so. After all, you no longer have to have physical access to an organization’s premises to compromise its assets – you just need to find a hole in its protection.
Recent examples show how a security breach can end up compromising huge amounts of personal data belonging to customers, users, and citizens. Each of these examples has led to a lot of bad publicity for the companies and organizations involved.
Japan’s government had to step in and try to reassure the public that their pensions were not at risk after 1.25 million cases of personal data were leaked as a result of an email virus, delivered in a malicious mail attachment that pension employees opened. The leaks involved names, identification numbers, birth dates, and addresses. The breach was discovered on May 28, and analysts estimate that the incident could put the currently robust ratings of Prime Minister Shinzo Abe at risk.
In the IRS hack case, hackers broke into the IRS website, compromising the data of 100 thousand taxpayers. The thieves gained access to tax returns and other tax information on file with the IRS. Over $50 million in tax refunds was handed to the hackers before the attack was discovered this month. The IRS suggests that the Russian hackers behind the attack used social media to figure out answers to security questions, such as the name of a first pet or a mother’s maiden name, using data that people readily share with friends on social media sites such as Facebook.
The latest huge hack targeted US government workers. In what is suspected to be an attack by Chinese hackers, the attackers managed to breach the data of millions of US government workers. The breach could potentially affect every federal agency.
Jarno Niemelä from F-Secure Labs explains: “This case once again proves that securing the perimeter or relying on network monitoring is not enough to protect against a determined attacker. Security must be built into all layers of the system, and while preventing the initial intrusion is most important, it is also important to build in security at the data layer. The mere attempt of trying to access such a huge amount of data should have raised alarms.”
To be the target of a cyber-attack, you don’t need to be a big enterprise or a huge governmental organization either. The recent Grabit campaign targets small and medium companies, spying on them to steal sensitive data. Sensitive data is big business for cybercriminals — whether taken from high-profile firms or small companies. Grabit malware has been used to infect employees’ devices at small and medium-sized businesses primarily in Thailand, India, and the U.S. So far, the cyber-spying campaign has been able to steal about 10,000 files from small-to-medium sized businesses.
These and many more attacks targeting sensitive personal data prove that it is time for companies to take data protection seriously. Consumers are increasingly privacy-aware and ready to move their money to other suppliers that take data protection seriously. Also, with the forthcoming EU Data Protection Regulation, collecting customer data comes with certain responsibilities.
Make sure your company is protected – your security is only as strong as its weakest link. Use security best practices, and secure your devices, software, and people to stay safe. You will find eight steps on how to prepare for a cyber-attack in our earlier post: Introduction to cyber security.