‘Tis the Season… for a Data Breach

The leaves are changing color and falling to the ground, pumpkin spice is on nearly every store shelf, and the air is chilly—Yes, the holidays will soon be upon us. Before you start your holiday shopping or bring out the decorations, it’s important to remember that the holidays are prime time for data breaches and cyber theft.

The Cybersecurity and Infrastructure Security Agency (CISA) defines a data breach as the “unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.”[1] Each year, many large companies experience a data breach. You may not think this could happen to you, but the truth is that every company is vulnerable to hacking. According to Risk Based Security, a cyber vulnerability intelligence, data breach, and risk ratings company, the first two quarters of 2021 had 1,767 breaches. These breaches led to approximately 18.8 billion exposed records between January and June.[2] Data breaches can become very expensive. On top of ransom demands, you also have investigation, mitigation, and legal costs. But the biggest cost often is the loss of consumer confidence or closure of the business entirely.

So why do attacks often occur during the holidays? One reason is that companies often operate with a skeleton crew making it difficult to communicate with IT staff. This leads to longer response times in an attack, which allows damage to extend much further compared to an attack during normal working hours. These attacks can come in many forms so it’s important to know what they look like in the event you come across one.

Types of Data Breaches

Here are a few of the ways hackers may gain access to your information:

1. Phishing Scams. Phishing happens through emails or messaging applications that appear to be legitimate and attempt to exploit your trust. Examples of phishing include:

• • Email phishing is one of the more well-known cyber-attacks. Attackers impersonate brands and send emails that lead victims to click on links or download malicious content that installs malware on the victim’s device.
  • Spear-phishing is a targeted attempt by a person disguised as a trusted individual, such as a friend, co-worker, or family member, to obtain sensitive information (think account credentials, money, or financial information). Attackers often target their victims by   looking at the victim’s personal information available on the internet, such as social media websites. The attacker requests the victim perform an unusual task hoping the victim has enough trust to perform the task without question.
  • Whaling is similar to spear-phishing except it involves supposed “senior officials” at a company. In this type of phishing, scammers imitate a senior staff member after using the company’s website to obtain names and email addresses. These emails are sent to unsuspecting subordinate staff with a request, such as transferring money or reviewing a document that contains malicious content. If you don’t typically receive emails or messages from company higher ups, this should be a red flag.

2. Ransomware. Ransomware is malicious software that targets a company’s data by blocking access to their systems. According to Fortune.com, ransomware attacks grew by 150 percent in 2020. Given this increase, Fortune.com estimates damages from cybercrimes may reach $6 trillion in 2021. The FBI and CISA have noted that hackers are increasingly deploying ransomware during holidays when offices are often closed.[3] As the hackers’ thinking goes, holiday attacks maximize damage and companies caught off guard will have little choice but to meet their demands.

• • Non-secure Wi-Fi Connections. Since many companies still have employees working remotely, connecting to secure Wi-Fi is especially important. You should warn your employees about using public Wi-Fi connections where cyber criminals can intercept communications or setup up Wi-Fi connections that appear legitimate, but are fake and used to steal information. Employees should be extra diligent during the holidays when accessing their email or company systems remotely.

How to Protect Yourself

The reality is that we are all at risk of data breaches and cybersecurity issues; however, there are some things you can do to protect yourself and your consumers. Here are a few key examples:

1. Education. Training your employees about the importance of cybersecurity is just as important as other IT maintenance and document management protocols. Set aside some time for employee refresher courses on the importance of not opening emails, attachments, or clicking on links from unknown sources, not sending sensitive documents through personal email accounts, using secure Wi-Fi connections, and keeping track of company devices.
2. Investing in cybersecurity software. The return on investment could be exponential. Also, keep all software up-to-date. Software that is out-of-date may contain weaknesses in which hackers may take advantage of. Software updates and patches work to repair these vulnerabilities and protect your data.
3. Implement a strict password policy. Strong passwords should be used by everyone, whether you’re an employee or a consumer. Do not reuse passwords or use passwords that contain information that can be public knowledge (for example, your birthday, a pet’s name, or a child’s name). Passwords should contain a variety of characters, numbers, and upper and lowercase letters.
4. Use two-factor authentication, especially for remote access. Two-factor authentication provides another security layer that makes it more difficult for hackers to login and use your accounts because the hackers will need another piece of information other than your username and password. This often comes in the form of an SMS code sent to your phone or a code provided by an authenticator app.

Conclusion

Holidays are great; we all want to enjoy them. After all, who doesn’t love shopping and decorating while sipping on a hot pumpkin spiced beverage. But a data breach may put an end to your holiday spirit. Educating yourself and your employees about ways to prevent against cyber-attacks is not only the best defense against such attacks, but also the best way to and ensure peace of mind during the holidays and beyond. Contact Zasio today to explore the software and consulting solutions we offer, to address your information governance needs.

 

[1] Cybersecurity and Infrastructure Security Agency, National Initiative for Cybersecurity Careers and Studies, Cybersecurity Glossary, available at: https://niccs.cisa.gov/about-niccs/cybersecurity-glossary (accessed October 21, 2021).

[2] Risk Based Security. “2021 Mid Year Report.” 2021, https://pages.riskbasedsecurity.com/hubfs/Reports/2021/2021%20Mid%20Year%20Data%20Breach%20QuickView%20Report.pdf

[3] Alsever, Jennifer. “Why company hacks tend to happen over holiday weekends.”6 July 2021, https://fortune.com/2021/07/06/why-company-hacks-tend-to-happen-over-holiday-weekends/

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.