Cyber crime is only likely to increase, despite the best efforts of government agencies and cyber security experts. Its growth is being driven by the expanding number of services available online and the increasing sophistication of cyber criminals who are engaged in a cat-and-mouse game with security experts. With the right level of preparation and specialist external assistance, it is possible to control damages, and recover from a cyber breach and its consequences.
Two security firms, Dr.Web and Emsisoft, suffered DDoS attacks at the hands of cyber-criminals who attempted to bring down their websites as payback for meddling with their illegal activities. The first attack hit Russian security firm Dr.Web, who revealed over the weekend that a DDoS attack hit its Russian and Ukrainian domains (drweb.ru & drweb.ua). According to the company, the attack arrived at a rate that ranged between 200,000 to 500,000 packets per second, and it lasted for over two days until its engineers managed to keep it under control and restore full service to its servers.
Santa Rosa-based internet service provider Sonic is suffering from a distributed denial of service attack that’s causing connectivity problems for its customers in San Francisco, and elsewhere around the Bay Area. It’s unclear how widespread the outage is, but several San Francisco residents have tweeted that they are experiencing connectivity issues in Hayes Valley, the Lower Haight and the Richmond District, among other neighborhoods.
Staff is taking to the dark web to leak corporate secrets for cash, research reveals. Hackers from US-based risk management outfit RedOwl and Israeli threat intelligence firm IntSights worked their way past the interview process to access the private dark net property Kick Ass Marketplace, where they found evidence of staff selling internal corporate secrets to hackers. In some cases staff even collaborated with blackhats to infect their company networks with malware. Staff at an unnamed bank were also found to be helping hackers maintain a persistent presence on their corporate networks.
The personal details of 2.5 million PlayStation and Xbox users have been exposed following a hack on two popular gaming forums. The ‘XBOX360 ISO’ and ‘PSP ISO’ forums, places where gamers were provided with links to free downloads of games for each console, breached by hackers in 2015, but details of the hack have only just come to light. According to security researcher Troy Hunt, who owns the website ‘Have I Been Pwned’, the compromised the email addresses, account passwords and IP addresses of 2.5 million games.
Prevent Employees from Leaking Data
- Look beyond it security when assessing your company’s data breach risks.
To eliminate threats throughout the organization, security must reach beyond the IT department. A company must evaluate employee exit strategies (HR), remote project protocol, on- and off-site data storage practices, and more—then establish and enforce new policies and procedures and physical safeguards appropriate to the findings.
- Establish a comprehensive data loss protection plan that will enable decisive action and prevent operational paralysis when a data breach occurs.·
Your efforts will demonstrate to consumers and regulators that your organization has taken anticipatory steps to address data security threats. Disseminate this plan throughout the management structure to ensure everyone knows what to do in the event of a breach.
- Educate employees about appropriate handling and protection of sensitive data.
The continuing saga of lost and stolen laptops containing critical information illustrates that corporate policy designed to safeguard portable data only works when employees follow the rules.
- Conduct a periodic risk assessment.
Business models and operational processes change and might alter risk levels and liabilities. Determining if you’ve acquired new areas or levels of risk can be accomplished through both internal audit and specialized external resources.
- Provide training and technical support to mobile workers.
Ensure that the same standards for data security are applied regardless of location, by providing mobile workers with straightforward policies and procedures, ensuring security and authentication software is installed on mobile devices and kept up-to-date, and providing adequate training and technical support for mobile workers.
- Retain a third-party corporate breach and data security expert to analyze the level of risk and exposure.
An evaluation performed by an objective, neutral party leads to a clear and credible picture of what’s at stake, without pressuring staff who might otherwise worry that their budgets or careers are in jeopardy if a flaw is revealed. Furthermore, research shows that organizations with a strong security posture or a formal incident response plan in place prior to the incident can reduce the average cost of a breach as much as $21 and $17 per record, respectively .
- Don’t rely on encryption as your only method of defense.
Encrypting data in transit and at rest is a best practice, but, when used alone, it can give businesses a false sense of security. Although the majority of state statutes require notification only if a breach compromises unencrypted personal information, professionals can and do break encryption codes.
- Hold vendors and partners to the same standards.
It’s important to define your security requirements upfront with vendors—third-party service providers may be required to maintain appropriate security measures in compliance with certain state and federal regulations. Ensure that your organization maintains control of data at all times, especially with offshore data storage or services.