Why Your Business Requires Security

State and federal identity-theft and privacy-protection laws now require businesses, agencies and organizations of all sizes to protect the personal information they store and to notify affected customers when a breach occurs. The financial consequences of a data breach can be substantial for both present and future business. In many cases a company never recovers from a breach and is forced to close. Currently, the average cost to a company is $3.7M per incident.

Protecting Your Company From An Online Data Breach


Why do data thieves attack corporate computer networks? Well, to paraphrase Willie Sutton, it’s because that’s where the data is. As I said in a previous blog post, a data breach is usually carried out in one of two ways.

A data thief will either employ physical means, such as dumpster diving, social engineering or a simple break-in, or attack via the internet. No business today can afford to be left behind technologically, which means that every corporate environment contains computers, networks and electronically stored information.

Electronic files are highly sought after by would-be data thieves for the wealth of personal information they contain. There are HR files, accounting information, customer and vendor lists; the list goes on and on. All of these kinds of records are full of sensitive information which can be exploited for personal gain by data thieves.

As a business owner, you already know how to protect your company from a break-in; however, electronic attacks are not as well understood, or as well protected against, by the majority of companies. What makes online data breaches attractive to a data thief is:

1. The thief need not be anywhere near their victim; they can even be on another continent.

2. Just about any information you would need to commit identity theft can be readily found on the web (We will not tell you what these sites are since we discourage the practice).

3. Most companies keep a large amount of sensitive information on file; much of this data is poorly secured.

4. Computers can be an easy entry point to your data, since thieves only need to find one weak point to get into your system.

Here are some of the more common computer data attack techniques used by data thieves:

1. Phishing emails – Emails pretending to be from a legitimate company, usually asking the victim to "verify" personal information or log in through a link the attacker controls.

2. Spear phishing – Targeted emails sent to specific employees of a company, purporting to be from management or a known colleague, asking for passwords or for information about projects they are working on.

3. Zombie computers or networks (zombies) – Compromised computers and networks running malware that gives data thieves remote control of the system. Many such computers may be linked together under one controller to form what is called a botnet.

4. Botnet – Once linked together, these compromised machines are used to perform denial-of-service attacks, click fraud and spam email campaigns. In many cases the owner of a compromised system has no idea that it is being misused this way.

5. Bogus websites – Websites which pose as legitimate sites and attempt to trick visitors into handing over personal information; this data is then used on the real site by the data thief.

6. Crackers – Programmers and other highly skilled computer experts who use their abilities to break into networks, looking for weaknesses to exploit.

7. Wireless network snooping – On open or poorly protected wireless networks, such as are often found in coffee shops, airports and some homes, anyone within radio range can capture the traffic passing between your computer and the internet.

8. Cookie sniffing – Hackers use sniffing tools to capture the cookies your browser sends to websites over unencrypted connections. A cookie often carries your logged-in session, so an attacker who replays it can act as you on that site without ever learning your password; this is one reason sites should serve everything over HTTPS and mark cookies Secure.

9. Malicious Software – Various types of software (hijackers, adware, Trojan horses, etc.) which tamper with operating system functions, send your personal information to someone outside your system, direct you to bogus websites or perform any number of other malicious actions.

10. Web Page Hijackers – A small program which redirects your browser to a site other than the one you wanted to visit. This may be to a bogus website attempting to capture your personal information or an annoyance such as being redirected to a pornographic website.

11. Piggybacking Access – The practice of breaking into a poorly secured computer on an external network and then using that foothold to break into another network over a legitimate, trusted connection between the two.

12. People Research Sites – For a fee (usually $40-$80), you can obtain personal information on nearly anyone.

13. Dictionary attack – One of the easiest ways to guess a password. A word list is loaded and each entry is tried in turn; since no language has an unlimited number of words, a password that is a plain word is usually recovered with relative ease.

14. Hybrid attack – A more sophisticated variant of the dictionary attack: it takes each dictionary word and combines it with numbers and/or symbols (capitalizing it, appending a year, adding a trailing "!") in an attempt to crack a password that was only slightly modified from a word.

15. Brute force attack – A program systematically works through every possible combination of numbers, letters and symbols. The time needed to find the password depends on its length and on how many different characters it draws from, and on whether the attacker can test guesses offline against a stolen hash rather than through a login form that limits attempts.

16. Keyloggers – A type of spyware which records every keystroke made on a computer and sends this information to a remote user. These programs can be very difficult to detect with most virus and spyware scanners.

17. Network Sniffers – Applications used to capture network traffic without the knowledge of the users on the network. Sniffers help hackers find network weaknesses and plan further attacks on the network.

You should be aware of the risk of data breaches, but you needn’t be paranoid. There are plenty of steps you can take, such as bringing in outside IT security consultants to work with your IT department to assess your security and improve it. You should also make sure that all of your software is kept up to date.

Your sensitive data should be encrypted to better protect it from prying eyes. You can use security tokens in your system, such as smartcards for accessing your network and workstations. You should also make sure that each and every one of your employees is properly trained so they know what to keep an eye out for to prevent data breaches.
