Recently, we looked at the real costs of a data breach; however, it’s important to look at some actions that businesses can (and should) take to prevent future data breaches. It’s not really a matter of “if” you will be targeted in a data breach anymore, so what can you do to prevent it?
Increased Online Presence
In 2020, due in large part to the COVID-19 pandemic, online transactions exploded to levels never seen before – they doubled. The reasons for the increased online activity varied but include such popular things as purchasing more goods and services, using telemedicine for healthcare consultation, ordering meal and grocery deliveries, distance learning – elementary, secondary and post-secondary – and of course the big one, working remotely from home.
But this rapid increase in online activity created a target-rich environment for data breaches. Many companies hastily created an online presence, understandably, to get their fair share of this new market, but in the process many never took the steps to properly protect their network data, including their customers’ information. In one-third of the breaches, the information stolen included personally identifiable information (PII), date of birth (DOB) and Social Security Number (SSN) … among other information. In the U.S. alone, more than 1 billion records were compromised in 2020.
One favorite (and easy) target of hackers was usernames and passwords; in 2020, this alone increased 450% over the preceding year, 2019. The main reason for the increase was that, with people on average doubling their exposure online, many used the same user IDs and passwords on multiple websites as a way to avoid having to keep track of a laundry list of login credentials.
In doing so, however, many handed over the digital keys to their personal information and allowed hackers easy access to the websites using those credentials. Once in, hackers could steal data and other information, or insert malware, trojans and viruses that, once activated, would wreak havoc inside a computer network.
Identity and Access Management (IAM)
Large companies are normally better protected against cyber-attacks in general; many of them have whole information technology (IT) departments that do nothing but ensure their computer networks are protected by using, and keeping up to date with, IAM best practices. However, smaller companies without any IT staff – resident or on a consulting basis – do not have that same level of IAM protection. Some do not have any protection at all! Therefore, it did not take hackers long to figure out that these small, less protected companies would be easier targets for their handiwork.
Zero Trust Architecture
One security strategy that is becoming a requirement in many organizations is zero trust. The zero-trust security model requires strict identity and device verification regardless of the user’s location in relation to the network being accessed. Once implemented, it not only protects information on a network, but also lowers the risk of a breach, improves network traffic visibility, and increases cloud environment control. It also supports microsegmentation. Microsegmentation enables IT personnel to create “walls” inside their networks, thus limiting a breach to what is inside the specific wall that was breached and preventing its spread to the entire network.
A zero-trust model verifies the authenticity of users and devices – not only during the initial log-on, but throughout the session, thus further mitigating risk. It also grants access only on a limited need-to-know basis and in the right context. In doing so, it prevents a hacker from gaining higher user privileges, which prevents unauthorized users from searching a network for valuable data – whether personal or proprietary to the company.
However, there is no one-size-fits-all zero-trust product. Rather, it is a business mindset in which an organization decides to make network security a priority and then puts the resources behind that decision to create and implement a zero-trust model that is tailored to and appropriate for its business. Smaller businesses might not require all the bells and whistles that a larger company may need. But having some type of zero-trust strategy in place is far superior to having nothing, which is what many businesses have right now.
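The checks described above can be expressed as a per-request policy decision. The following is an added example, not code from the original article; the role names, segment names and the 15-minute re-verification interval are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed policy: which role may perform which actions in which microsegment.
SEGMENT_POLICY = {
    ("billing-clerk", "billing-db"): {"read"},
    ("billing-admin", "billing-db"): {"read", "write"},
    ("hr-analyst", "hr-records"): {"read"},
}
MAX_AUTH_AGE_S = 900  # assumed re-verification interval (15 minutes)


@dataclass
class Request:
    user_role: str
    mfa_verified: bool
    device_compliant: bool  # e.g. managed, patched, disk-encrypted
    on_corporate_lan: bool  # recorded, but deliberately never used to grant trust
    auth_age_s: int         # seconds since identity was last verified
    segment: str
    action: str


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request; run on every request, not only at log-on."""
    # Identity and device are verified regardless of network location.
    if not req.mfa_verified:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device failed posture check"
    # Verification must stay fresh throughout the session.
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "re-authentication required"
    # Need-to-know: default deny unless this role has this action in this segment.
    allowed = SEGMENT_POLICY.get((req.user_role, req.segment), set())
    if req.action not in allowed:
        return False, "not permitted in this segment"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: a clerk's session used to reach another segment.
    lateral = Request("billing-clerk", True, True, True, 60, "hr-records", "read")
    print(decide(lateral))  # denied: the breach stays inside the billing "wall"
```

Because `on_corporate_lan` never appears in a condition, a request from inside the office is evaluated exactly like one from outside it.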
But Network Security Costs Money!
Yes, but breaches are costly too – lost time, trust and reputation. Many companies put insane amounts of money into marketing aimed at adding new customers to their customer base. Yet they spend little to no money on protecting their existing customers’ data … and their own business information, for that matter. Globally, 37.5% of the cost of a $4.54 million data breach in 2020 was due to lost business – or around $1.5 million.
Having some level of a zero trust-like strategy is no longer a luxury, but a necessity in today’s online business world. Whether in house or on contract, online entities need IT support that is appropriate and tailored to their business.