Protect Yourself & Your Clients from Identity & Data Theft

Avatar Act-On
Corporate

Pssst … want to buy 25 million email addresses and passwords? How about some highly confidential financial data on your biggest competitor?

Marketers today work hard to gather detailed information on their customers, so we can find the right people inside the right accounts and target their interests with personalized content. Increasingly, we hold more personal, proprietary information.

But – not a day seems to go by without a new case of a company having their data stolen. If your organization stores a lot of data, then you are an attractive target for online identity and data thieves. Data and information are the currency of the web now, and the bad guys like to get as much of it as they can. More than ever, you have to be diligent about how you obtain, store – and eventually destroy – consumer and business data.

The size of the identity and data theft threat

The Identity Theft Resource Center (ITRC) compiles and lists data breaches confirmed by various media sources and/or notification lists from state governmental agencies. This list is updated daily, and published each Tuesday.

According to the ITRC, there were 781 breaches in 2015.

  • The business sector again topped the Breach List with nearly 40 percent of the breaches publicly reported in 2015, an increase of 8.1 percent from 2014 figures.
  • The health/medical sector had 35.5 percent of the total overall breaches, a drop of 8.6 percent from a record high of 44.1 percent in 2014.
  • The banking/credit/financial sector ranked third with 9.1 percent of the breaches with nearly double the number of breaches reported in 2014. It was the first time this industry ranked in the top three.

“Breaches have become the third certainty in life,” said Adam Levin, Chairman and Founder of IDT911, a provider of identity and data breach defense services. “It is safe to assume that the actual number of breaches is much higher than what is reported.”

So far in 2016, high-profile breaches include the US Department of Justice (10,000 Department of Homeland Security employees, 20,000 FBI employees), Snapchat (700 current and former employees), Verizon Enterprise Solutions (about 1.5 million customers), the Philippine Commission on Elections (the personal information of every single voter in the Philippines – approximately 55 million people), and a whole lot more.

Type of data theft

Regardless of your industry, if your own data is breached, or that of your clients or customers, it WILL affect your bottom line. Brand protection and data stewardship are the building blocks for the digital market. Without these tenets in place, your clients can (and will) begin to question your commitment to their data security.

So what are the bad guys after?

Thieves target personal, financial and other personal identifiable information (PII) including:

  • Names and addresses
  • Phone number
  • Email addresses
  • Social Security numbers
  • Bank account numbers
  • Credit and debit card numbers
  • Account passwords
  • Security questions and answers

How do data breaches work?

Attacks can take many forms and can be combined specifically to provide in certain circumstances a multi-pronged approach for the incident. These include but are not limited to:

Phishing

Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). Click on a link in the message – then all hell breaks loose and you could find yourself cleaned out. The SnapChat breach was a phishing incident.

Hacking

Hacking and hackers are most commonly associated with malicious programming attacks on the Internet and other networks. This results in many issues that may affect infrastructure and software.

Malware

“Malware” is an abbreviated term meaning “malicious software.” This is software that is specifically designed to gain access or damage a computer without the knowledge of the owner. The recent Twitter data breach (June 2016) – 32 million Twitter login credentials are now being sold on the dark web – appears to be the result of hackers infecting browsers including Firefox and Chrome with malware.

Malvertising

Is the use of online advertising to spread malware. Malvertising involves injecting malicious code that can hide undetected. The user has no idea of the potential damage that can be caused.  You can pick this up from a malicious ad on a trustworthy site.

Ransomware

This is a type of malicious software designed to block access to a computer system until a sum of money is paid and the block is lifted. Trend Micro researchers recently discovered an updated version of the FLocker, an Android mobile lock-screen ransomware that’s capable of locking smart TVs as well. “FLocker will try to convince you that you’ve done something illegal with your TV and offer to let you get out of it by paying the ransom. Not in Bitcoin like most ransomware: this one demands $200 worth of iTunes gift cards.” 

Hardware Theft

Stolen laptops, hard drives etc. can be a treasure trove for non-secured data and information.

Exploitation of Accidental Release

These category of risk includes data spill, improper disposal of digital assets, and other accidents or employee theft.

Once they have access to the data, thieves use stolen data to:

  • Misuse people’s identities
  • Commit financial fraud – all forms and types
  • Use stolen information to commit additional crimes
  • Launder money
  • Impersonate people for the purpose of stalking and harassment
  • Perform terrorism activities
  • Corporate and other types of manipulation

Once it occurs, data breaches affect every aspect of your company and have a direct effect on many functional areas including legal, finance, IT, marketing, sales, and services.

What can you do to prevent data theft?

There’s nothing that will make you bulletproof. That said, there are a few simple steps you can make some great strides in protecting your brand, your customers, and ultimately your reputation.

Here’s a handy to-do list for your review:

  • Your critical first step: technical security. Review all your potential internal loopholes
  • Conduct a comprehensive risk assessment to identify threats, analyze potential harm, and identify what reasonable mitigation efforts you would take in event of a breach
    • Understand the legal landscape
    • Implement policies and procedures consistent with the legal issues
  • Update your anti-virus technology, and keep it updated
  • Train your employees, to build safer data handling habits and awareness
  • Develop a written information security program and incident response
    • Periodically review the program to guard against new and evolving threats
    • Understand clearly what your plan is to isolate and mitigate a threat(s)
  • Require your vendors to employ best security practices
    • Make those requirements part of your contractual language, and include penalties for non-compliance
  • Make privacy a corporate mandate for adoption – create a data breach team, and give it the authority to make changes where necessary for safety and security

There are many companies and organizations that offer data breach services and information. The Online Trust Alliance has some tremendous information on how to keep yourself protected online and also offers some great insight on data breech awareness planning.

Remember in our digital economy, it’s not a case of “If”– it’s a case of “when” a breach will occur. As John Chambers, CEO of Cisco for 20 years, famously said: “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.” 

Cheers,

David