Opinion: The hidden data organizations don’t realize is vulnerable to hackers

Published
  • January 09 2018, 6:31am EST

Long gone are the days of the small cyberattacks carried out by college kids in their garages. Today, organized criminals and professional hackers are developing frequent, debilitating attacks targeted at companies. Businesses now need to accept that a cyberattack is not an “if,” it’s a “when.”

With the right preparation, organizations can reduce the risk of cyberattacks to a tolerable level with lower exposure. But how? The first step is understanding what vulnerabilities your company faces, including the data and technology you might not even realize is vulnerable.

So where are vulnerabilities hiding?

Critical Business Data

In the world of organized crime and international business, destabilizing businesses and conducting espionage can often be a business in and of itself. These attacks are typically targeted at sensitive information, often with the goal of gaining unauthorized access to intellectual property for purposes of selling to competitors.

From financial statements to emails, the insider threat risks of leaked critical business data can be catastrophic. Take the risks associated with M&A deals, for example. If information is leaked on a potential asking price, or even on competitors’ existing bids, that could be hugely detrimental to all parties involved. Not only is the confidential information now out in public, but it also gives competitors the opportunity to gain further knowledge of the market landscape.

Personal Data

Phishing emails are virtually undetectable now, arriving in inboxes with proper formatting and very carefully crafted, grammatically correct English. From email addresses to social security numbers, the data harvested by these attacks can be debilitating to consumers if it is not recovered.

Most recently, popular video streaming service Netflix was hit with an almost undetectable phishing scam. Demands for account information often top the list of email requests from hackers, as many Netflix users unknowingly provide personal details to a third party.

What are some common traits of a phishing email or scam? Beware of unknown senders or those that look familiar but are relaying urgency. Verify by hovering over the sender’s name to reveal the true email address. Remember the golden rule of security – always think and verify before you act.
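As an added example that is not part of the article, the check below turns the advice above into code: it compares the display name in a From header with the actual sender address and flags urgency wording in the subject. The trusted domain, addresses and subjects are constructed for the illustration.

```python
# Added illustration: automate the "hover over the sender's name" check by
# comparing a From header's display name with its real address, and flag
# urgency wording in the subject. Sample data is constructed.
import re
from email.utils import parseaddr

URGENCY = re.compile(
    r"\b(urgent|immediately|suspended|verify your account|within 24 hours)\b", re.I
)

def sender_domain(address):
    """Return the lowercase domain of an email address, or '' if malformed."""
    if address.count("@") != 1:
        return ""
    return address.split("@", 1)[1].strip().lower()

def inspect_from(from_header, trusted_domains):
    """Return warnings about a raw From header value (empty list if none)."""
    display, address = parseaddr(from_header)
    warnings = []
    actual = sender_domain(address)
    if not actual:
        return ["malformed or missing sender address"]
    # Display name that itself looks like an address from another domain,
    # e.g. "ceo@acme.example" <attacker@mail.example>, is a classic mismatch.
    shown = sender_domain(display) if "@" in display else ""
    if shown and shown != actual:
        warnings.append("display name claims %s but address is %s" % (shown, actual))
    # Display name mentions a trusted brand, but the address is not from it.
    for dom in trusted_domains:
        brand = dom.split(".")[0]
        if brand in display.lower() and actual != dom and not actual.endswith("." + dom):
            warnings.append("display name mentions %s but address domain is %s" % (brand, actual))
    return warnings

def inspect_message(from_header, subject, trusted_domains):
    """Combine sender checks with a simple urgency check on the subject line."""
    warnings = inspect_from(from_header, trusted_domains)
    if URGENCY.search(subject):
        warnings.append("subject uses urgency wording")
    return warnings

if __name__ == "__main__":
    # Constructed sample: brand in display name, address from an unrelated domain.
    print(inspect_message('"Netflix Support" <billing@netflix-accounts.example>',
                          "Your account has been suspended", {"netflix.com"}))
```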

IoT Device Data

Internet of Things (IoT) devices, such as internet cameras and programmable thermostats, can serve as an easy gateway into an organization’s back-end systems, enabling attackers to ultimately harvest and even alter data in other systems at will.

One of the latest IoT botnets has been dubbed Reaper. This botnet is similar to Mirai, but with one twist: Reaper does not only guess the passwords of IoT devices, it also uses known security flaws to insert and spread itself within devices. As Reaper has already affected over a million networks, who’s to say that the next IoT device won’t be part of a major organization?

To protect IoT data, avoid IoT devices that are not regularly updated, and beware of vendors that are not credible or trustworthy. Use IoT that has been built and deployed with security in mind, and that is security-certified by reputable parties.

Biometric Data

With businesses heightening physical security measures, biometric data only becomes more profitable to hackers. The price of fingerprint data cannot be exactly quantified, but when used maliciously it can be extremely detrimental to an organization.

One researcher has already claimed to hack through the iPhone X face scanning technology, and the phone has only been on the market for a few weeks. Hackers are becoming more resourceful, and if they are able to reproduce and alter physical appearances (as well as data), biometric data will be the next to fall victim to the black market. To protect biometric data, ensure that you are only gathering it on secure devices and ensure that it is encrypted when transmitted across networks.

Regulatory Data

Protection of regulatory information is increasing throughout all industries. With General Data Protection Regulation (GDPR) requirements less than six months away, all eyes are on global organizations. The effects of GDPR will be felt worldwide, since virtually all organizations are part of a global network. With four percent of a company’s annual turnover on the line, companies will start to move quickly to secure data for regulatory purposes.

Within organizations, reducing personal data to only the minimum required can prevent unnecessary leaks, including by eliminating non-essential stores of personally identifiable information (PII). Strong data encryption, coupled with following GDPR requirements, can help to improve and strengthen your data handling governance and processes.

Risk Assessment is Key

An attack will happen, but the severity will be determined by preparation. An initial risk assessment is necessary to understand what data you have access to and what may potentially be vulnerable. In many cases, you may have access to sensitive data that you no longer need in your system.

Taking holistic measures for cybersecurity will allow businesses of all sizes to better prepare for the inevitable. Building a program that makes sense for your business can protect your assets in a comprehensive way without overextending your team. There is no airbag guarantee; however, evaluating business goals, educating all employees and investing in the proper tools could mitigate the cost of a potential cybersecurity fender bender.

Nick Belov

Nick Belov is chief information security officer at CGS, a business applications, enterprise learning and outsourcing services company.