Security breaches are an unfortunate reality that companies face today. How to keep both your own and your clients’ information secure is top of mind for executives. A panel at this year’s SS&C Deliver 2018 conference addressed these concerns and gave insight into what to consider when thinking of information security.
We’ve seen many high profile breaches in the last few years. The largest one was the 2013 breach at Yahoo that affected 3 billion customers (think about that: that is 3/7 of the human race!). One year ago this month, the Equifax breach impacted about 148 million consumers (about half the country). This was caused by attackers exploiting an unpatched vulnerability. In fact, most breaches could have easily been prevented by applying an available patch.
To understand how to help prevent a breach, you first need to understand the anatomy of a breach. What types of things create vulnerabilities and how do you combat those? According to session panelist Dan Thomas, VP of Information Security at DST (a unit of SS&C Technologies), there is no “silver bullet” in protecting your data. However, there are steps you can take once you understand how attackers are targeting your data:
- Patching – keeping your operating systems and applications patched with the latest security updates is critical to keep attackers at bay. Attackers exploit known vulnerabilities in systems and, unless those patches are in place, you’ve given them an easy way into your systems.
- Segmentation – reduce the risk to your organization by segmenting data from different business lines and keeping it separated across different databases and networks.
- Two-factor or multi-factor authentication – two-factor authentication adds an extra layer of security. It requires not only your username and password, but also something only you would know or physically have on hand, like a token. Attackers are looking for the path of least resistance. If the path in is too hard to crack, they will likely move on.
Another way to help keep your data safe is with good “security hygiene”. This means putting basic security mechanisms in place based on an understanding of your business and of where the potential security gaps are. What are your business processes? What are the rules? For example, one of the recent ways attackers are taking advantage of companies is by searching your company website along with social media sites, such as LinkedIn, to find key executives. In one instance, they may use the name of the CFO to ask another employee to wire money to an account. Unless the appropriate internal processes are in place to safeguard against this type of attack, a hacker may succeed in getting money wired to offshore bank accounts.
Lastly, the human factor is something that can’t be ignored. How do you prevent employees from clicking on suspicious links in emails or from leaving their computers unlocked when they step away from their desks? Employees are particularly susceptible to phishing attacks, where attackers send very real-looking emails with malicious links. Once an employee clicks that link and malware is installed or sensitive information (such as passwords) is revealed, not only does a hacker have access to the computer, but potentially to the network and servers as well. Ongoing training and prevention programs aimed at making employees more aware of the types of attacks are the best way to combat phishing. It is preferable that an employee click on an education link in a simulated phishing email sent by your security team rather than on a malicious link in an email from a hacker.
The thought of a breach that compromises company and client data and puts the business at risk can strike fear into the hearts of most executives. Understanding what breaches are and what steps you can take to proactively combat them are the first steps in a successful information security plan.