Now that we’re in 2016, it’s worth taking a moment to review the major data breaches of the past year and see what lessons small businesses and individuals can learn about cybersecurity to better secure their computer systems in the coming year.
2015 was a banner year for cybersecurity breaches; among the most visible victims were Ashley Madison, the Office of Personnel Management, Anthem, and the IRS. According to the Identity Threat Center some 178 million records were compromised in 2016, and at a cost of between $155 and $363 per record lost, the financial impact is huge.
Last year also saw the rise of a blackmailing attack called ransomware, carried out by malware that encrypts the contents of a server or PC and holds the owner’s data hostage until the victim pays the hacker (usually in untraceable Bitcoins) for the decryption key.
While many serious cybersecurity issues in both hardware and software were revealed over the course of 2015, one of the potentially most far-reaching was discovered in December: a flaw that had allowed hackers backdoor access into Juniper switches for something like three years. It will take years to determine how damaging this has actually been, as it affected not only private businesses but also US government sites, including military and cybersecurity systems.
Not surprisingly, the tried and true Denial of Service attacks that have long been part and parcel of online hacker activity appeared throughout the year, affecting hundreds of websites and services and taking down, for example, Proton’s email service for a week, which I wrote about in November. Another hacker favorite, phishing, was widespread in 2015, with the financial services and medical industries in particular experiencing endless phishing attacks.
Visualization of breaches
If you want to see the bigger picture of the major data breaches over the past 10 years, check out Information Is Beautiful’s data visualization.
Surprisingly, despite the incredible scale of the breaches in 2015 and their economic impact, a number of politicians and the Director of the FBI called for “backdoors” into encryption systems, further weakening our cybersecurity, which I pointed out in an earlier blog post was a really bad idea.
So, given the backdrop of 2015’s cybersecurity chaos, what can we predict for 2016 and how can small businesses and individuals better defend themselves?
Azstec’s Seven Cybersecurity Must-Do’s
Logins and passwords
The single biggest threat to companies and individuals continues to be the lack of robust passwords and logins. Why is this? Simply put, people reuse poor passwords and think they are safe because they have not yet suffered a breach. Let’s face it, many of us find the task daunting, so we take the easy approach or think we’re clever with a “special” password (we’re not, when it comes to passwords). With the 10-30 different websites and logins each of us has, making every password memorable becomes an impossible task, so we reuse them, making us even more vulnerable.
A different approach, using a “passphrase”, was suggested by Edward Snowden in an interview last year, which according to Wired is only partially secure. (For me it seems a bit daunting if a supposed cybersecurity expert gets it wrong.) I don’t have space in this blog to describe how to make a secure passphrase, but you can find a guide here that supposedly even the NSA can’t crack if you follow its advice. In my opinion, the only safe way to use passwords that are complex enough not to be easily cracked is to use a password manager. A review of the best ones can be found here, and if you are not using one for your website and other critical login passwords you are making a huge mistake.
In Azstec’s docNCRYPT we keep an encrypted database that stores passwords for easy retrieval, and we have found that our customers have developed their own ways to manage their customers’ and clients’ passwords. If you are interested, send me an email and we will be more than happy to give you some practical advice on how to use our solution to protect the confidential information in your email and documents.
Encrypt disk drives and folders
At Azstec we believe all of your confidential emails and documents should be individually encrypted, with the keys for these items held by you or your customers or clients, but encryption should be used in other areas of your computer systems as well. Disk drives in your internal servers or local storage should be encrypted if they hold any confidential information. This may not completely protect the data if a hacker gets into your system, but it will help slow them down and provide another layer of protection. Disk encryption is a must for laptops, which will often be outside your organization, in case they are stolen or lost.
Encrypt individual confidential files
If you use a cloud service for your company (like we do), you should individually encrypt the confidential files stored there and make sure that YOU own the keys to this data. Many cloud services will tell you that they encrypt their data, which they may well do; however, the only way your data is 100% secure is if you own the keys. For this reason we are introducing a desktop/web version of docNCRYPT that will allow you to manage the keys to all of your Office documents stored in the cloud. As an example of how important this is, in the Ashley Madison breach the hackers apparently obtained a text document containing the credentials to the company’s servers, which gave them access to all of the databases. Had that document been encrypted, it is likely this major breach would never have occurred.
Encrypt your sensitive email
All sensitive and confidential email should be secured and encrypted, and of course we recommend docNCRYPT. Microsoft and Google have both announced that they use TLS to encrypt email in transit; unfortunately, you cannot be sure that your email traffic stays within a TLS-secured transport channel end to end, which is why you need to encrypt the confidential information itself. docNCRYPT also addresses the problem of data at rest, which TLS and other “in-transit” solutions like Proton Mail do not.
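To make the point of the last two sections concrete (encrypt the files themselves and own the keys, because TLS only covers transit), here is an added example that is not part of the original post and is not docNCRYPT’s code. It assumes a toy HMAC-based construction in place of a proper library cipher, and the credentials file and the stand-in cloud store are constructed for the demo.

```python
# Added example, not Azstec or docNCRYPT code: a document is encrypted with a key only
# its owner holds, so what the cloud store (or a mail server) keeps at rest is ciphertext.
# The construction is an assumption for a stdlib-only demo (HMAC-SHA256 keystream in
# counter mode, encrypt-then-MAC); production code should use a library AEAD instead.
import hashlib
import hmac
import os

def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the owner's master key.
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_document(master: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per document; a reused nonce would leak plaintext XORs
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_document(master: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # verify first: unauthenticated bytes are never decrypted
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def demo() -> dict:
    owner_key = os.urandom(32)  # stays with the owner, never uploaded
    secret = b"db_user=admin db_pass=example-only"  # constructed sample credentials file
    provider_storage = {}  # stand-in for the cloud service: it holds only what we upload
    provider_storage["creds.txt"] = encrypt_document(owner_key, secret)
    at_rest = provider_storage["creds.txt"]  # what the provider, or an intruder there, can read
    tampered = at_rest[:-1] + bytes([at_rest[-1] ^ 1])
    return {
        "provider_sees_plaintext": b"admin" in at_rest,
        "owner_recovers": decrypt_document(owner_key, at_rest) == secret,
        "provider_key_recovers": decrypt_document(os.urandom(32), at_rest) is not None,
        "tampered_accepted": decrypt_document(owner_key, tampered) is not None,
    }
```

Calling demo() shows that the stored blob carries no plaintext, that a key the provider might hold does not decrypt it, and that an altered blob is rejected rather than decrypted to garbage.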
Protect against Ransomware
Early last year the FBI issued an alert that ransomware was on the rise and that financial and other businesses should be vigilant. Small businesses and individuals are particularly vulnerable to this type of attack, since hackers may see them as more willing to pay the fee to get their data back. One way ransomware gets into a network is through unsolicited email carrying fake invoices or links to bogus login pages, so you and your staff should be particularly careful about opening emails, even ones that appear to come from someone in your organization, as hackers can spoof email addresses.
Andy Sawyer, the Director for Security at Locke Lord, said in a cybersecurity presentation in Houston last November that Locke Lord was getting over 2 SUCCESSFUL ransomware data hostage attacks a week last year, and that after they eliminated webmail at their offices it virtually stopped. I have linked his presentation for anyone who is interested, as there is lots of practical cybersecurity advice in it, but if you run a business you should consider not allowing your employees to use personal webmail while logged into your computer systems.
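The “appears to be from someone in your organization” problem above, as an added example that is not from the original post: a defender-side triage check that parses constructed message headers and flags the mismatches worth looking for. The organisation domain examplefirm.com, the helper names and the sample messages are assumptions.

```python
# Added example, not from the original post: a defender-side triage check for the
# "looks like a colleague" messages described above. It parses constructed sample
# messages with the standard library and flags header mismatches that commonly
# betray a spoof. The organisation domain and the sample headers are assumptions.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "examplefirm.com"  # assumed: the organisation's own mail domain
def _domain(header_value) -> str:
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spoof_indicators(raw_message: str) -> list:
    # Returns reasons to treat the message with suspicion; an empty list means none found.
    msg = message_from_string(raw_message)
    reasons = []
    from_domain = _domain(msg.get("From"))
    org_label = ORG_DOMAIN.split(".")[0]
    if from_domain == ORG_DOMAIN:
        # Claims to be internal: bounce and reply paths should agree with that.
        for header in ("Return-Path", "Reply-To"):
            other = _domain(msg.get(header))
            if other and other != ORG_DOMAIN:
                reasons.append(f"{header} points to {other}, not {ORG_DOMAIN}")
        auth = (msg.get("Authentication-Results") or "").lower()
        if "spf=pass" not in auth and "dkim=pass" not in auth:
            reasons.append("internal sender without a passing SPF or DKIM result")
    else:
        # External address dressed up with our name, or a look-alike domain.
        display = parseaddr(msg.get("From") or "")[0].lower().replace(" ", "")
        if org_label in display or org_label in from_domain:
            reasons.append(f"imitates {ORG_DOMAIN} but was sent from {from_domain}")
    return reasons

# Constructed sample messages, not real traffic.
SPOOFED = """From: "Pat Lee (Example Firm)" <pat.lee@examplefirm.com>
Reply-To: invoices@mail-relay.test
Return-Path: <bounce@mail-relay.test>
Authentication-Results: mx.examplefirm.com; spf=fail smtp.mailfrom=mail-relay.test

Please open the attached invoice and log in to confirm payment.
"""
LOOKALIKE = """From: "Example Firm Accounts" <accounts@examplefirm-billing.test>

Please use the new account number for all future payments.
"""
LEGIT = """From: "Pat Lee" <pat.lee@examplefirm.com>
Return-Path: <pat.lee@examplefirm.com>
Authentication-Results: mx.examplefirm.com; spf=pass smtp.mailfrom=examplefirm.com; dkim=pass

Want to grab lunch at noon?
"""
```

A mail gateway would usually do this with SPF, DKIM and DMARC enforcement; the check here is the manual version of what those policies automate.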
Update your security plugins on your website
Your website likely contains customer information, and it is the first place hackers will try to enter, as it is exposed to the Internet and readily accessible. Make sure the backend of your website comes from a robust and reliable developer, and install a third-party security solution that monitors your site and alerts you should it come under attack. It is also important to keep all of these up to date with security patches.
2016 will see the rise of hacking of the Internet of Things (IoT). As more and more electronic devices become connectable and controllable via the Internet, they will become prime targets for hackers. For those who are not aware, the Target breach in 2013 started with a small heating and air-conditioning supplier to Target that was itself hacked, which gave the hackers access into Target via the VPN the supplier used to reach its devices (and the Target network). As more and more IoT devices are installed in small businesses and homes, they open up thousands of entry points for hackers.
So what should an individual or small business do to protect itself from IoT attacks? First, take a look at what you potentially already have in your business. What might that be, you ask? Well, that printer sitting next to your desk! Wired ran an article this year on how a drone and a mobile phone combined could be used to hack into printers located in a skyscraper. PC World ran an excellent article this year on how to protect yourself from printer threats that is worth reading and implementing within your office.
Cybersecurity is a process
Finally, there are lots of other cybersecurity threats that I have not mentioned in this post, but hopefully you have found some information that may help keep you and your company safe in 2016. As Bruce Schneier has pointed out, security is a process, not a product. Security starts with being aware of the threats that may target you or your business and putting in place processes that help protect you from the inherently insecure world of computerization. All of this may seem daunting to a small business owner, but knowledge in this area starts by reading some of the blogs of the top cybersecurity experts in the field and staying up to date with what is happening. Some of our favorites are:
1) Bruce Schneier
2) Graham Cluley
3) Security Magazine
4) Krebs on Security
5) SearchSecurity
6) Information Week Security
There are many others; all you need to do is search “top cybersecurity publications” or “security blogs”, pick out a few that you like, and check them weekly. An hour a week of just reading about what threats are happening could save you and your company a lot of money and headaches from a data breach.
The Azstec team wishes you a safe and secure 2016.
When not pretending to be a Cybersecurity Oracle, David Griffith is the CEO of Azstec LLC, the creators of docNCRYPT, the incredibly simple document security solution for everyone. If you have any comments or questions, email David at dgriffith [at] azstec.com and follow the Azstec Blog or on Twitter or LinkedIn.