Yahoo recently announced that at least 500 million user account credentials were stolen from the company’s network in late 2014. Earlier this year, MySpace reported that 360-million user accounts were compromised in 2013. And even though it wasn’t reported until May of this year, more than 167 million account details were stolen from LinkedIn in 2013.
Breaches of this type justify the security concerns of hundreds of millions internet users about the safety of their identity data, including names, dates-of-birth, addresses, social security numbers and credit card details, collectively known as "sensitive information."
Data security
So how about you? Do you have concerns that hackers and identity thieves may steal your sensitive information? If you didn’t have concerns about such things you wouldn’t be normal.
But now for a little "rubbing" on my part. How concerned are you about hackers and identity thieves breaking into your own business network and stealing sensitive information from your corporate software?
Sensitive Information
Do you have employees?
If so, chances are your business computers contain their names, date of birth, addresses (with zip codes), and social security numbers.
Do you purchase products from vendors?
If so, odds are your business has that vendor’s name, address and federal tax identification number in your records somewhere.
Do you have customers?
If they pay you with anything other than currency, your network may contain a wealth of names, addresses and credit card numbers, even card expiration dates.
What about your company’s own identity information, including your federal tax number?
I would guarantee it's on one of your company's computers somewhere.
But if you're a small business owner, you maybe telling yourself, that no hacker is going to spend time worrying about your small business. You have so little in the way of sensitive data to offer, hackers are going after the big guys with hundreds of thousands of records.
What you don't realize is that hackers spend their time producing various forms of malware that they can broadcast across the web. Their aim is not just your little business, but the tens or hundreds of thousands of little businesses like you.
If they can pick off five, 10 or even 20 records from a 100,000 companies. They have an almost limitless source of income. You see, according to the FBI, the average value for any sensitive information on the black market is $10 per hit.
They may only make a couple of hundred dollars by selling your records, but the same program that hits your network is gleaming thousands of other sensitive information records each worth $10.
We'd like to think that our networks are secure. That we have a good firewall on our internet access. That our accounting software contains passwords and encryption functionality. But are they enough?
You can bet that the firewall Yahoo had before their breach is about a million times better than the one on your little business network, and yet the hackers still broke in.
If someone hacked into your system and stole your employees’ social security information, are you prepared for the consequences?
How about if your network is breached and every customers’ credit card data is hacked? Do you have some liability protection covering that?
Over the past several months, the QuickBooks forums have been full of people complaining about recent changes, enhancements and improvements to QuickBooks (desktop) security measures. These measures, taken to help expand the protections for sensitive data, have caused quite a stir. In fact, they made a lot of people down right angry.
Some QuickBooks users don’t like the inconvenience of having to setup passwords or change them on a regular basis. They're offended by the fact they can’t decide for themselves if they need to password protect their data with complex-passwords. They seem almost willing to go to war over the fact they could possibly be locked out of their own data when they fail to protect the sensitive information contained within their not-so-secret place.
Merchant Behind Bars
In many cases I wondered if these people really even have a clue as to what would happen if an employee, customer or vendor tracked fraudulent activity based upon their information. What if it was tracked back to one of these complainers that had refused to protect their sensitive data?
I ask you, will someone who has their credit card number stolen from a merchant’s data be more likely to sue the merchant with ‘big bucks’ for not performing their fiduciary duty in protecting the sensitive information,or wait around for the court to put the felonious data thief on a $20 per month restitution plan?
Odds are, if we know where the thief got our information, we'd go after the merchant, not the thief.
And to rub matters a little more raw, what if the data thief didn't even hack their way into your computer from the outside? What if the theft was an inside job? What if one of your own employees was stealing sensitive information they had access to because of poor data security? What if they were selling that data to identify thieves? How would you handle that nightmare?
Heck, you might even find yourself charged as an accessory to the crime for not protecting those credit card numbers. That would be a really 'raw' situation to be in, wouldn't it?
I'm confident you really believe that a network firewall would keep the bad guys out of your network. I think you believe that your anti-virus and malware protection software will catch any of the viruses, trojans and worms that can squeeze their way into your system and start stealing information.
You might even believe that the password protection you have on your computer, network, accounting software and other data storage will keep the night custodians from rifling through your sensitive information.
These three security measures will lull you into a false sense of security and possibly limit the instance of breaches, but it only takes one security flaw to get you and your data into trouble. When a single virus, trojan or worm make their way through your defenses, they can live on your network and do whatever they want for as long as they want. One of the first things they do is block themselves from security detection. You might scan your system back to back and never detect the invader.
You can be sure there are vulnerabilities known to the criminals who can exploit them and gain access for any number of reasons, not the least of which is theft of your sensitive information. A hacker may quietly change your system and create a back door so that he can come and go undetected whenever he wants.
A worm-based key logger may secretly record every key stroke and, in doing so identify not only your internal passwords, but all of your external passwords for credit card websites, and even your bank accounts. A trojan might be designed to hide itself, silently gather sensitive information and secretly mail it back to its source. And you won't even know these things are taking place because you believe your firewall, anti-virus and passwords controls are protecting you.
Of course, the internet pathways are just one avenue into your cache of sensitive information, workers can unknowingly load malware onto your system from a flash drive, or when they upload data from a laptop, tablet or smartphone.
In fact, the same mechanism also can off load the results of an earlier malware invasion so that the information a worm has garnered while on your system is passed on to a smartphone or tablet, which then hits the cellular WIFI network and uploads the data back to the hacker of origin.
But it doesn't stop there, you can have criminals walk in the front door and use their social engineering abilities to obtain passwords to, or even use of, your network to misbehave. Then, of course, there is that curious employee who wants to see what everyone else in the office (including the boss) is earning. What about those malcontents with a grievance that decide to take out their frustrations on your data?
I am certain I could go on and on rubbing you raw about your lack of sensitive data security, but I will stop for today. Next week, Part 2 will look at how you can get better prepared to prevent the loss of sensitive data and protect yourself from the consequences if you're hit by hackers.