Throughout 2016, many organizations fell victim to sophisticated cyberattacks. According to the Identity Theft Resource Center, more than 35 million records had been exposed across 957 reported breaches as of December 2016. It is no wonder that worldwide spending on cybersecurity is predicted to top $1 trillion for the five-year period from 2017 to 2021, according to the Cybersecurity Market Report. Examining the shortcomings that led to high-profile breaches yields several cybersecurity lessons. As we enter the New Year, here are the top lessons learned from America’s most high-profile breaches.
Lesson 1: Human error is the leading cause of breaches
In the spring of 2016, Snapchat was the victim of a phishing scam, where hackers posing as the CEO convinced an employee to email them the personal information of about 700 current and former employees of the organization.
What every business can learn from this is that, regardless of how much you spend on security, you remain vulnerable to incidents that result from human error. According to Verizon’s 2016 Data Breach Investigations Report, human error remains the leading cause of cyber incidents, and these situations often result from an end user’s failure to follow policies and procedures. Every employee poses a risk, so training each individual is a critical element of cybersecurity. Employees need to understand how to identify risks and which individuals or departments they should report findings to. In addition, every employee should be taught best practices, such as how to create stronger passwords and how to spot suspicious emails, so that they can use good judgement online.
Lesson 2: Be careful what you share in a personal email
In September 2016, Yahoo confirmed that a breach occurring in 2014 resulted in stolen personal information from at least 500 million user accounts. Stolen information was believed to include names, email addresses, telephone numbers, passwords and in certain cases, security questions and answers.
When a personal email account is compromised, hackers have the ability to not only access information directly affiliated with that account, but also to reset the password for any associated accounts, like a bank account or online subscription. It is important that confidential company information is never accessed or transmitted using a personal email account. Online subscriptions or accounts should always be set up by employees using a work email address and should not include any secondary personal email accounts, even as a backup.
Lesson 3: Standardize your security strategy
In early 2016, the popular fast food chain Wendy’s began investigating claims of unusual activity on customers’ credit or debit cards and later announced that malware had been discovered on the point of sale (POS) systems of several hundred franchise locations.
This could have been prevented if the corporation had standardized its security strategy across all locations and trained each member of the management team on those procedures. Doing so protects both your brand and your franchisees. Large corporations that operate multiple independent stores or franchises need to establish a baseline framework of data security guidelines that can be implemented at the individual store level.
For more information: Having a proactive and robust cybersecurity strategy that is clearly communicated across your organization is your company’s best defense against cyberattacks. If you have any specific questions, comments or concerns about your company’s cybersecurity strategy, please contact a CBIZ Risk & Advisory specialist.