Capital One have made the news recently having suffered a data breach resulting in the loss of around 106 million data records.
The attack, which happened in March 2019, was not picked up by Capital One until July. Among the data stolen were names, addresses, dates of birth, credit scores, transaction data, social security numbers and linked bank account numbers.
The data breach is believed to be one of the largest in banking history.
According to the formal charge, the hacker made use of a configuration vulnerability to find an opening in Capital One’s system. This allowed her to exploit a weakness in some misconfigured networks and access the data, which was stored on Amazon’s cloud-computing technology. Subsequently, US senators have been putting pressure on Amazon for answers to account for this security error. It is thought that the Capital One hacker was involved in security breaches of at least 30 other major US companies.
The reality of this breach is that it is far more complex than it may appear, as is often the case.
Outside of any questions about responsibility and the specifics of the technology involved, this breach and the many other breaches in the past few years really emphasise the need for extraordinary attention to detail where security is concerned.
If a company as large and as well-resourced as Capital One can suffer this sort of breach, then all companies regardless of size should be paying attention to security whether they use cloud services or not.
By having a plan in place to best mitigate the risk of cyberattacks, you’ll be able to protect your business from data breaches, keeping your business and customer data secure.
There are certain steps that can be taken in order to start making your business more secure.
Human error is the number 1 cause of security breaches: mistakes happen and hackers are resourceful. Try to minimise the risk of these errors by training your employees on the most common forms of security breach, for instance recognising phishing emails and using strong, effective passwords. Passwords need to be updated at least every 6 months, and the best practice is to create an unpredictable phrase that the user will remember, for instance a line of a song or their favourite movie quote. This is far more difficult to crack than a short mix of words, numbers and symbols.
Always make sure you and your employees keep business and personal email and banking accounts completely separate, each with a unique password. That way, if one account is compromised, the attacker is unlikely to be able to access your other accounts and steal your identity or potential customer data.
Unfortunately, most data breaches don’t happen because a mastermind hacker finds a weakness; they actually come about through an employee’s actions, which is why education is paramount. A simple way to avoid these types of breaches is to limit access to sensitive data to the employees who need it. Also, remember to cut off staff access and change security details when staff members leave.
It may sound obvious, but make sure you have the correct antivirus, anti-malware and firewalls in place to prevent unauthorised access to your systems. You also need to make sure your employees are keeping on top of any updates these different software items need on their machines.
Even the biggest companies (think Yahoo, Facebook, eBay) are at risk of being hacked. A cybersecurity specialist can be really useful: they can come in, review best practices and help make sure security is at the top of everyone’s list. They can even carry out risk assessments and an audit to make sure your systems are secure – just make sure they are National Cyber Security Centre (NCSC) accredited and a trustworthy company.
Specialists can also help to educate your employees about past data breaches and incidents that have occurred in other companies, to try and help prevent similar issues arising within your organisation.
If you’re not sure where to start, the Financial Industry Regulatory Authority have created a free downloadable checklist to work through. This can help companies identify and assess threats, detect when systems have been compromised, plan a response and even implement a plan to recover assets.
The NCSC was launched in October 2016 to address the UK’s need for a single point of contact for SMEs, larger organisations, government departments and the general public. They provide concise, highly informative guidance on security posture and best practices, with a wealth of practical advice on how best to mitigate the risk of a cybersecurity incident.
At the end of the day, we live in a society where information and data are a more valuable commodity than oil or gold. Security is everyone’s responsibility, not just the IT department’s or the security guards’, and the sooner we start believing that, the more responsible we will all be for our data.