By Miranda Alfonso-Williams, CIPM, CIPT, CIPP/E/US
56 million, 42 million, and 4.5 million: these numbers represent the impact of high-profile data breaches. Home Depot is the latest major brand to be attacked. This breach represents the second largest of all time to impact the retail sector. TJX continues to hold the number one spot with over 90 million impacted.
In August we learned that Community Health Systems was breached: 4.5 million people were impacted. The news was disturbing, as attackers were able to obtain names, birth dates and social security numbers of millions of patients. It is clear that hackers are more skilled, the volumes of data are growing exponentially and the targets and industries are diverse.
Employee credentials were obtained in the attack that impacted eBay. The thieves, at a minimum, had access to and reportedly copied customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. This is the type of information that is an identity thief's DREAM! The obvious question: how were thieves able to gain access to employee credentials? The answer: it is not as hard as you may think! I have conducted many audits where I have found logon info and other credentials under keyboards, in unlocked drawers and pinned on bulletin boards.
Social engineering and phishing are also ways of tricking people into providing private information that is then used to gain unauthorized access to information or resources. It seems counterintuitive that private information would be handed over so readily, right? The fact remains that social engineering and phishing are very much alive. Think about the last time you received an email that looked like it was from your bank or an entity where you have a legitimate business relationship. It usually starts out with "we need to confirm" or some similar verbiage that requests your personal information (e.g. social security number, date of birth, address, etc.).
What can we do? We cannot thwart every attack nor stop an attacker that is motivated, determined and has the resources. However, we can be proactive and develop a good OFFENSE!
Does your organization provide data breach training? Do your employees know how to recognize a breach? How to respond? Who to notify? What to report? Data breaches have become more rampant, so it is important that our employees are equipped with the knowledge and skills to address them and to respond appropriately. Our employees are on the front lines and in the position to provide the best defense. We must provide them with the tools required to accomplish this.
Has your organization conducted a risk assessment? How would you answer the following questions? What are our risks? Have these risks been prioritized? What are the consequences of a breach? Would we experience financial harm, regulatory consequences and/or fines? Irreparable reputational harm? Loss of business or customers? If unsure, a risk assessment should be conducted. This will help the business prioritize what needs to be managed, identify the appropriate controls and resources, and develop an action plan.
Have we had an objective party audit our level of compliance? Do we follow our policies? Do we have policies? How about regulations and internal requirements? Oftentimes, we have tunnel vision when it comes to our own organizations and lack the objectivity to evaluate our own practices. Audits are an effective way to provide an objective analysis. The results can help us identify gaps, opportunities for improvement and best practices to help our program become more compliant.
We cannot avoid every risk or prevent all breaches. However, we have a duty to our customers, stakeholders and employees to do our part to manage and mitigate our risks. Remember, the best defense is a good “OFFENSE”.
To receive a free copy of our checklist on “How to conduct a risk assessment”, send a request to:
firstname.lastname@example.org. I can also be contacted if you have questions or feedback.