Posts tagged ‘Computer crime’

June 17, 2013

How companies get hacked: the human factor

As we’ve stated before, hacking is about exploiting vulnerabilities, whether they are system, technical or people related. A lot of the publicly available research points to human error as a major contributor to data breaches. According to the Symantec/Ponemon study, at least a third of serious data breaches were connected to human error or negligence.

In some cases, disgruntled employees with access to confidential information cooperate directly with hackers. Although there have been some high-profile cases of this, in most breaches negligence and social engineering are the more significant factors.

What can be done to reduce the hacking that results from human error?

In order to change behavior you will need to train your employees on how to handle information in the age of cyber-crime. Training can be both formal and informal and should vary by role. Frontline employees who handle credit cards need very different training than back-office accounting and finance staff.

Here are some of the areas that need to be covered:

•  The dangers of posting personal information on social media. E.g. a hacker can use your place of birth to answer the password reset questions on an account and take it over (Sarah Palin’s email account was hacked this way).

•  How to handle sensitive company information such as passwords and customer data. Your employees need to understand the dangers of malware, viruses etc. One rule that should be reinforced: never give out passwords or confidential information over the phone or via email.

•  Other measures that reduce the level of cyber-crime caused by human error include:

  • Put in place security protocols that relate to access to data, encryption of files and confidentiality of information.
  • Limit access to confidential information and put mechanisms in place

June 10, 2013

Hacktivism: Why it Matters for Small and Medium Businesses

The surge in activist hackers (hacktivists) that we saw in 2012 continues unabated in 2013 and can no longer be dismissed as a fringe threat to corporate America. Hacktivists should be treated no differently from traditional cyber criminals: although their motives may be ideological or altruistic, the damage they inflict can often be worse. This is particularly the case if your business has been singled out as a target by an activist group.

The Verizon Data Breach Report identified the following common hacking actions: SQLi (SQL injection, where access to the backend database is obtained by injecting SQL code into the parameters of a URL or web request), stolen credentials, brute force attacks (where a program runs through possible passwords until one works), RFI (remote file inclusion, where a web application is tricked into loading and executing a file from an attacker-controlled server) and backdoor malware. The targeted assets are web applications, databases and mail servers.
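To make the SQLi action concrete, here is an added example written for this page (it is not code from the Verizon report or from this site). It builds a throwaway SQLite database with constructed sample users and shows a login that pastes the `user` and `pass` parameters from a URL straight into its query, next to the parameterized version that is immune to the same inputs. The URLs, table, user names and passwords are all made up.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs


def make_db():
    """Create an in-memory SQLite database with constructed sample users.

    Passwords are stored in clear text only to keep the example short;
    a real system would store salted hashes instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery staple", "admin"),
         ("bob", "hunter2", "staff")],
    )
    conn.commit()
    return conn


def credentials_from_url(url):
    """Pull the hypothetical ?user=...&pass=... parameters out of a login URL.

    parse_qs percent-decodes the values, so the attacker's quote characters
    arrive in the application exactly as typed.
    """
    query = parse_qs(urlparse(url).query)
    return query.get("user", [""])[0], query.get("pass", [""])[0]


def login_vulnerable(conn, url):
    """Vulnerable: the request parameters become part of the SQL text."""
    user, pwd = credentials_from_url(url)
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{user}' AND password = '{pwd}'")
    return conn.execute(sql).fetchone()  # (username, role) or None


def login_parameterized(conn, url):
    """Fixed: the values are bound as parameters, so they can never become SQL."""
    user, pwd = credentials_from_url(url)
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (user, pwd)).fetchone()


# Constructed requests. The first is a normal login; the other two carry SQL
# in the query string, percent-encoded the way a browser would send them.
# "alice'--" turns the rest of the WHERE clause into a comment;
# "x' OR '1'='1" makes the WHERE clause true for every row.
GOOD_LOGIN = "https://shop.example/login?user=bob&pass=hunter2"
COMMENT_ATTACK = "https://shop.example/login?user=alice%27--&pass=wrong"
TAUTOLOGY_ATTACK = "https://shop.example/login?user=nobody&pass=x%27+OR+%271%27%3D%271"


def run_demo():
    """Return the outcome of each request against both versions of the login."""
    results = {}
    for name, url in [("good", GOOD_LOGIN),
                      ("comment", COMMENT_ATTACK),
                      ("tautology", TAUTOLOGY_ATTACK)]:
        results[name] = {
            "vulnerable": login_vulnerable(make_db(), url),
            "parameterized": login_parameterized(make_db(), url),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:10s} vulnerable={outcome['vulnerable']} "
              f"parameterized={outcome['parameterized']}")
```

Running it shows the vulnerable login handing the attacker the admin account for both injected URLs without knowing any password, while the parameterized login returns nothing for them and only succeeds for the genuine bob/hunter2 request. The only difference between the two functions is whether the user-supplied values are concatenated into the SQL or passed as bound parameters, which is the whole fix for this class of attack.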

What you can do to protect against hacktivists

The number one thing to deter a hacktivist attack is to focus on cyber-prevention. Prevention is not just about IT; it is about the whole organization: people, process and technology.

• Keep anti-virus software up to date, and scan regularly for malware and for web application vulnerabilities

• Put in place policies to protect credentials, customer data, etc.

• Train employees with access to sensitive information

• Limit access to sensitive information, and ensure credentials are changed or revoked when employees depart so they can no longer access systems