Every day, it seems there’s a new headline announcing another data breach. It’s easy to become desensitized and pass these articles by as just the “new norm” in the information age.
If you’re in healthcare, financial services, retail or any number of other industries where handling personal data is routine, that would be a mistake. In every data breach, there are lessons to be learned about weaknesses that may exist in your own systems – and about the approaches data thieves are using to exploit them.
To make my case, I took to Twitter this morning to get the latest buzz from the world of IT security. Here are the first three examples I found.
Twitter Sees Signs of State-Sponsored Attack – In an ironic twist to my experiment, the first incident I ran across was a data breach at Twitter where “attackers appear to have targeted a Twitter customer support API.” The company was alerted to the attack when they identified “unusual activity,” specifically, “a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia.”
Lessons learned: It can be challenging to identify potentially malicious activity, especially when you don’t know what you’re looking for. I imagine Twitter has security experts monitoring their systems around the clock, but many businesses don’t because they can’t afford the expense or they have a hard time recruiting and retaining the right people. Outsourcing security and compliance to a qualified managed service provider can help you plug any holes in your defenses.
Related post: Benefits of Vulnerability Management in the Cloud
Attackers Using New Exploit Kit to Hijack Home & Small Office Routers – This one isn’t a specific attack, but I think it’s worth including because it shines a light on a common vulnerability. For a variety of reasons, many organizations are allowing, even encouraging, employees to work from home. As the article states, “Small and home office routers are becoming major targets for criminals seeking to steal banking and other online account credentials belonging to Internet users.”
Lessons learned: Advanced firewall protection is essential to keep home computers and laptops from injecting malware into corporate systems.
You’ll also want to establish strong guidelines about what can be downloaded onto a portable device or flash drive. The files of the OCR are filled with examples of fines levied against healthcare organizations that failed to ensure laptops carrying EPHI (electronic personal health information) were encrypted. Many of these companies had encryption policies, but they didn’t do enough to enforce them.
HIPAA Case: Hospital Fined for Ex-Employee's Access to PHI - In this example, a Colorado-based healthcare provider was fined $111,400 for failure to terminate a former employee’s access to patient data. There doesn’t appear to have been a breach, so this one could have been much worse.
Lessons learned: You can’t afford to overlook the need to revoke credentials when an employee leaves the company, voluntarily or involuntarily. Over the years, I’ve seen stories of organizations delaying six months or more before cleaning out their old credentials.
I’m not suggesting here that your ex-employees are the problem. (Although they can be.) The real challenge is that these credentials can be stolen. Since the system recognizes them as valid logins, you won’t be alerted. This is especially dangerous when the stolen credentials belonged to a system admin.
Not sure how to address a weakness in your security? Give us a call. We’d be happy to discuss how we might be able to help or point you in the right direction if it’s not in our wheelhouse.