Each year, Verizon compiles a Data Breach Investigations Report (DBIR). It is a comprehensive summary of data security threats and breaches that helps readers better understand the cyber security landscape.
2017 marks the tenth year that this report has been released, and Bryan Sartin, Director of Verizon's RISK team, says that according to Verizon's studies, some of the sectors that are most prone to attack this year are "financial services, retail, accommodation and healthcare." "You don't need to be big and famous to fall victim to cybercrime. Start-ups are targeted for their breakthrough technology. Some companies simply present themselves as a soft target and act as a stepping stone to access their partner's systems," Sartin said.
According to the DBIR, 80 percent of hacks involve the exploitation of stolen or weak credentials. This is a 17 percent increase from last year. Sartin points to basic prevention methods such as two-factor authentication as effective means of security hygiene. The consistent application of simple security methods has the potential to stop most security attacks before they can gain access to data. Sartin says that consistent application simply does not happen.
In 2007, Johns Hopkins Hospital launched an awareness campaign aimed at encouraging employees to regularly wash their hands, pointing to the fact that good hand hygiene reduces infection and the spread of disease. Servio Medina, COO at the American Defense Health Agency's policy branch, argues that the same concept can apply to data security. By paying attention to the risks of clicking unfamiliar links or opening attachments, leaving devices lying around or accessing work documents through a personal email, we may not be able to eliminate risk entirely, but "we certainly have the responsibility to reduce how much we contribute to the risk of information."
Here are four tips for effective security hygiene that may help reduce human error as a cause of data breaches, provided they are applied consistently:
Enact simple company-wide policies to aid in data breach prevention
Something as simple as adding an identifier to the subject line of internal emails, such as a letter at the beginning of the subject, can help employees verify that an email really comes from within the company. If the identifier is missing, an employee will know that the email did not originate inside the company, and will know not to open it or click any links within it. This will help to decrease the 66 percent of malware breaches that occur as a result of phishing.
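As an added example (not from the article), here is a gateway-side implementation of the subject-line identifier in Python; the company domain, the tag and the Authentication-Results format are assumptions. It also covers the caveat the tip needs: because anyone can type the identifier, the gateway strips any tag the sender supplied and re-adds it only for mail that authenticates as internal.

```python
import email
import email.utils
from email import policy

# Assumed values for this example: the company's own mail domain and the
# identifier the gateway prepends to subjects of genuine internal mail.
INTERNAL_DOMAIN = "example.com"
TAG = "[INT]"

def sender_domain(msg) -> str:
    """Domain of the From: address, lower-cased (empty if missing)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def is_authenticated_internal(msg) -> bool:
    """Trust the identifier only when the From: domain is ours AND our own
    gateway recorded a DKIM pass for that domain in Authentication-Results."""
    if sender_domain(msg) != INTERNAL_DOMAIN:
        return False
    auth = msg.get("Authentication-Results", "")
    return "dkim=pass" in auth and f"header.d={INTERNAL_DOMAIN}" in auth

def rewrite_subject(raw: str) -> str:
    """Return the subject to deliver: any sender-supplied copy of the tag is
    removed first (an outsider cannot forge 'internal' mail just by typing the
    identifier), then the tag is re-added only for authenticated internal senders."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).replace(TAG, "").split())
    return f"{TAG} {subject}" if is_authenticated_internal(msg) else subject

# Constructed sample messages (not real traffic).
INTERNAL_OK = (
    "From: Alice <alice@example.com>\r\n"
    "Authentication-Results: mx.example.com; dkim=pass header.d=example.com\r\n"
    "Subject: Quarterly numbers\r\n\r\nbody\r\n"
)
FORGED_INTERNAL = (
    "From: Alice <alice@example.com>\r\n"
    "Authentication-Results: mx.example.com; dkim=fail header.d=example.com\r\n"
    "Subject: [INT] Quarterly numbers\r\n\r\nbody\r\n"
)
OUTSIDER = (
    "From: helpdesk@example-support.net\r\n"
    "Authentication-Results: mx.example.com; dkim=pass header.d=example-support.net\r\n"
    "Subject: [INT] Reset your password\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for raw in (INTERNAL_OK, FORGED_INTERNAL, OUTSIDER):
        print(rewrite_subject(raw))
```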
Use two-factor authentication
As an example, Gmail accounts offer this type of identity verification as a default setting. Login is done with a password, and then a PIN is sent to your phone to enable access to your account on a new device. With this method, a thief will need both your password and your phone to access your account.
Accounting for the location of your devices at all times
This one is as simple as not leaving your devices lying around or unlocked. Make sure that passwords are set on laptops and phones, and make sure that they are either with you or in a secure location where they will not be stolen. Additionally, it is critical that all sensitive data is encrypted and that employees are strictly prohibited from printing it out. This will help to minimize the chances of a data breach if devices are lost.
Regular training on data security
It is important to ensure that employees understand the risks related to data security, and how to be proactive in preventing data theft. Keeping employees in the loop regarding current trends in data breaches will help to safeguard against attacks. If employees know what to look for and are trained to spot any evidence of foul play, they will be less likely to become victims of a data breach.
There is no such thing as an impenetrable defense, but often a half-decent security system will deter cyber criminals, who will move on to an easier target.