Data Security: A Constant Threat (Part 2)

by Michael Lichtenberger

Threats of a Fraudulent Loss Creep into our Daily Business

Identity theft by social engineering is arguably the fastest-growing crime globally, and it affects all of us. Social engineering fraud is a broad term for scams in which attackers compromise data by manipulating people into performing actions or divulging confidential information. Think of people being “tricked” for the purpose of information gathering, fraud, or system access.

Telecom fraud is most commonly carried out by imposters posing as a government or other official and demanding payments on behalf of family members supposedly in financial need. Two well-known scams are IRS payment demands and calls about a family member traveling abroad who needs money for transportation home.

Others are email scams. Imposters construct a scenario that appears to come from a legitimate source, and their stories are often plausible. We know these as phishing attempts. The emails often contain a link or an attachment that runs an executable file; once opened or clicked, it silently installs malware such as keystroke loggers.

Data Security Can Be A Science Project For Business

Businesses that have a well-communicated guide for handling sensitive information tend to have stronger security. They use such a guide to train their staff to recognize different types of fraud. In IT, for example, keep network security up to date and comply with the PCI DSS standard to identify vulnerabilities. Consider two- and even three-factor authentication [user name, password, and image] for VPN and remote access. Require password changes at prescribed times and use secondary authentication for password resets. IT should enforce firewall settings, password strength, and limits on failed login attempts before granting network access. Develop a clearly defined policy on Bring Your Own Device [BYOD] and the use of personal computers. The policies should also define appropriate access points in areas with free Wi-Fi.

Safeguards for Business and Individuals

We have all received emails or phone calls with an offer that seems just too good to be true. Be sure to check the sender’s email address and the URL behind any link. Be vigilant and take time before opening any email or answering questions with personal information – even if it comes from someone you know! There are a lot of “don’ts” to protect your information.

If you receive an email message you weren’t expecting, or one from an unknown source:

  • Assess domain names, subject lines, and content
  • Do not click on unrecognizable links or reply to emails from unknown people
  • Do not open any attachments
  • Do not reply or forward
  • Do not send money
  • Do not disclose personal information
  • Do not release business data
  • Do not send identification documents
  • Do not release details of bank accounts
  • Do not give out your credit card
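As an added illustration of the advice to check the sender’s address and the domain behind each link (example code added here, not from the original article): a small Python checker that runs over a constructed message and flags a display name whose domain differs from the actual sender address, and a link whose visible text names a different domain than its target. The sample message, its domains, and the last-two-labels domain approximation are assumptions.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real email); sender and links are made up.
SAMPLE_EMAIL = """\
From: "Support at example-bank.test" <alerts@mail-verify.example>
Subject: Urgent: confirm your account
Content-Type: text/html

<html><body>
<p>Please sign in at <a href="http://login.mail-verify.example/x">https://www.example-bank.test/login</a></p>
<p>Questions? <a href="https://www.example-bank.test/help">help center</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})', re.I)

def registrable(host):
    """Approximate the registrable domain by its last two labels (assumption: no public-suffix list)."""
    parts = host.lower().strip('.').split('.')
    return '.'.join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_message(raw):
    """Return (indicator, detail) pairs for the 'assess domain names' checks on one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Does the domain shown in the display name match the real sender address?
    name, addr = email.utils.parseaddr(str(msg.get('From', '')))
    addr_domain = registrable(addr.rsplit('@', 1)[-1]) if '@' in addr else ''
    m = DOMAIN_RE.search(name)
    if m and addr_domain and registrable(m.group(1)) != addr_domain:
        findings.append(('display-name/sender mismatch', f'{m.group(1)} vs {addr_domain}'))
    # 2. Does the domain in a link's visible text match the domain it actually points to?
    body = msg.get_body(preferencelist=('html',))
    html = body.get_content() if body else ''
    for href, text in ANCHOR_RE.findall(html):
        href_host = urlparse(href).hostname or ''
        t = DOMAIN_RE.search(re.sub(r'<[^>]+>', '', text))
        if t and registrable(t.group(1)) != registrable(href_host):
            findings.append(('link text/target mismatch', f'{t.group(1)} -> {href_host}'))
    return findings

if __name__ == '__main__':
    for indicator, detail in check_message(SAMPLE_EMAIL):
        print(f'{indicator}: {detail}')
```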

What We Believe

Risks to your data and data security are real, and they are present in real time. Cyber-attacks are sophisticated and far-reaching. Breaches can and do occur, and, worse, new threats appear before businesses are even aware of the risk [e.g., dwell time and zero-day attacks].

Yes! We have become complacent with our information. True! Businesses underestimate the scope of compliance. The three biggest categories of exposed data remain:

  • Credit and payment card information
  • Medical and Personal Health Information
  • Employment and Personally Identifiable Information

You can reduce the risk of data loss. Since cyber-attacks have become so sophisticated, diligence and compliance are needed more than ever. Strict regulations, such as HIPAA and HITECH, and performance standards including PCI DSS and Business Process Management, will remain complex.

While this article provides some practical advice and awareness, its purpose is to explain the importance of protecting data and to illustrate just some of the consequences when it is not protected. The safeguards we discussed are not all-inclusive. The level of protection needed may be determined by your CIO and IT department and may include other operational safeguards such as policies and procedures, training, access control and enforcement, assessment of network hardware and software, securing of data transmission and encryption, and auditing of events such as inappropriate and unauthorized access to information.
