It’s not a matter of “if” but rather “when” your company will experience an attempt by a hacker to breach your security and access confidential and potentially damaging information. Their success will depend upon the proactive measures that you take now.
Two particularly telling findings from Verizon Business’ 2012 Data Breach Investigations Report were that 96% of all attacks were not highly difficult and that 97% of the breaches they investigated were avoidable through simple or intermediate controls.
Hacking can be accomplished from nearly anywhere on the globe with Internet access and it can be quite lucrative. For these reasons alone, it can be expected that as a class of threat, hacking will not go gently into that good night anytime soon.
Some of the more prevalent forms of hacking include the exploitation of default or “guessable” credentials, the use of so-called brute force and dictionary attacks (trying many candidate passwords, every possible combination of characters in the former case and lists of likely words in the latter, until a valid login is found), the use of stolen login credentials, and the exploitation of insufficient authentication (such as when no login is required at all). Most hacking follows the path of least resistance, and hackers will almost always go for the “low hanging fruit” – those targets that are easy to penetrate because they lack even the most basic information security management program. Such patterns were borne out in the most recent Verizon report, which showed that target selection was based more on opportunity than on choice. Most organizations victimized in 2011 were attacked because they had an exploitable weakness, not because they were singled out ahead of time.
While at least some evidence of a breach usually resides in logs and other records, victims do not always discover their own data breaches; when a breach is discovered, it is usually because a third party supplied information that was then pieced together, and that typically occurs weeks or months after the fact.
The Human Factor
Obviously, not all attacks on sensitive information are carried out without some form of human interaction. Most often, this takes the form of employees who become unwitting accomplices. Employees are especially susceptible to social engineering exercises such as phishing and spear phishing emails (such as those sent to employees from someone purporting to be from management, asking for passwords, etc.), the finding of misplaced or otherwise “lost” USB drives, and simple, seemingly innocuous acts such as granting physical access to the premises to unauthorized people. Social engineering is often the first step a hacker employs to gain information and/or access. That makes a regular, ongoing employee awareness training program a key ingredient in any overall security strategy.
Here are a few recommendations from the Verizon report to mitigate your risk:
- Eliminate unnecessary data; keep tabs on what’s left.
- Ensure essential controls are met; regularly check that they remain so.
- Monitor and mine event logs.
- Evaluate your threat landscape to prioritize your treatment strategy.
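As an added illustration of “monitor and mine event logs” (this is not code from the article or from the Verizon report), the short Python script below scans constructed sshd-style log lines for the credential-guessing pattern described above: a burst of failed logins from one source address, and whether a successful login from that address followed the burst. The log format, the sample lines, the threshold and the time window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not real log data).
SAMPLE_LOG = """\
2012-05-01T09:00:01 sshd[1001]: Failed password for admin from 203.0.113.7 port 51000
2012-05-01T09:00:02 sshd[1001]: Failed password for admin from 203.0.113.7 port 51001
2012-05-01T09:00:03 sshd[1001]: Failed password for admin from 203.0.113.7 port 51002
2012-05-01T09:00:04 sshd[1001]: Failed password for root from 203.0.113.7 port 51003
2012-05-01T09:00:05 sshd[1001]: Failed password for root from 203.0.113.7 port 51004
2012-05-01T09:00:06 sshd[1001]: Accepted password for root from 203.0.113.7 port 51005
2012-05-01T09:05:00 sshd[1002]: Failed password for alice from 198.51.100.4 port 40000
2012-05-01T09:30:00 sshd[1003]: Accepted password for alice from 198.51.100.4 port 40001
"""

# Assumed line layout: ISO timestamp, process, result, user, source IP, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

def parse_events(text):
    """Turn raw lines into (timestamp, result, user, ip) tuples; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def find_guessing_attempts(events, threshold=5, window=timedelta(minutes=1)):
    """Flag any source IP with >= threshold failed logins inside `window` (events must be
    in time order) and record whether a later successful login came from that IP."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins seen so far
    findings = {}                  # ip -> summary of the suspicious activity
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold and ip not in findings:
                findings[ip] = {"failed": len(recent), "followed_by_success": False, "success_user": None}
        elif ip in findings:        # an Accepted login after a flagged burst
            findings[ip]["followed_by_success"] = True
            findings[ip]["success_user"] = user
    return findings

if __name__ == "__main__":
    for ip, info in find_guessing_attempts(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

A burst that ends in an accepted login is the case worth escalating first, since it suggests a guessable or default credential was found rather than merely probed.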
In today’s IT climate, it is unrealistic to think that your organization will simply be overlooked by those bent on pilfering sensitive information, be it through hacking, social engineering, simple physical theft, or some combination thereof. Just as there are many forms of attack, there is no single magic bullet that can prevent or deflect them all. That is why preparing your company for a data breach should be a multi-layered, concerted effort. Taken together, the steps above can help to reduce your business’s information security risks.