Data breaches have a massive impact on businesses. We caught up with Paul Ramsbottom, Managing Director of Advanced Solutions International (Asia Pacific) in Melbourne, to find out how companies can improve the security of their data.
Paul, how good are businesses in general at looking after their data?
I don't think businesses are that good. We are improving, but when you look at the basic things that keep your data safe, like changing passwords regularly and not using the same password on all systems, we could do better.
Changing passwords often sounds pretty simple. Why don't we do it?
The number one reason for data breaches remains weak passwords. Even though we know an enormous amount about how to keep our data safe, password vulnerability is still number one. Some businesses insist that staff change their passwords regularly, but unfortunately, many people go for a similar password again or don't bother making the change. Many people also use the same password across various systems because it's too difficult to remember a large number of different passwords. The second reason for inadequate data security is that your software systems and devices aren't set up correctly. Both of these things are relatively easy to correct. Just focus on doing the basics properly.
What are hackers looking for?
There are several different types of hackers. The first group are political hackers, known as hacktivists, but I doubt that many ACE New Zealand members would be vulnerable to these people. However, if you are working on a fracking project, maybe a coal mine project or something that's politically sensitive, you could be open to hacktivism on your website or databases. The second group is of more significant concern. These are the people who are looking for usernames and passwords, which can then be sold on the open market. These unscrupulous people know that once they have your username and password, it is likely that you have used the same ones across all your systems. That makes it relatively easy for them to gain access to multiple accounts.
How difficult is it to keep hackers at bay?
It is pretty tricky, as the hackers are now able to stay ahead of the game. Unfortunately, no matter how much money businesses spend on protecting their data, it will never be enough. That's why it is so essential that you practise good password security and behaviour, because it is impossible to stop the hackers completely. These people don't have to be incredibly smart to work out how to invade your system. They can gain access to a staff member's password that hasn't changed for a long time, or there is a switch that hasn't been turned on to lock the system. The same applies to mobile phones and laptops. You are likely to have confidential data and client lists on your phone, but if someone steals the phone and it's not password-protected, there is an opportunity for a breach. We know of staff who've had their laptops taken which had client data on them. The laptop wasn't password-protected, or it had a straightforward, well-known password like '1234' or just the word 'password'. The laptop files were accessed, and the client data stolen.
How can a business work out if there has been a data breach from their system?
In many cases, you won't know. However, if a client realises that a password that is totally unique to them has been stolen, they may report the breach. At that point, you can go back and look through the router or firewall logs which may give you a clue to when and how it happened. Those logs are generally not monitored every day, and it's difficult to determine whether password files have been accessed. If a client reports a breach, you then have something specific to search for, and that could lead to the identification of how it happened.
Is the theft of credit card details still a significant problem?
It's not such a problem nowadays. Credit card companies are up for the cost of any loss, so they are incredibly careful about how they secure their data files. Credit card numbers are generally stored as tokens, and they are unusable without having access to an extra level of security.
Do businesses need to enhance their firewalls?
Routers typically include a simple firewall, and generally, that is enough to give you some basic protection from hackers. You should always have a secure firewall, and your ISP will also provide you with a firewall. You can buy fancier ones that will alert you when an attack is happening, but that is not where hackers are getting into systems.
How do you prevent employees from inadvertently introducing a virus into your business system?
Viruses are not generally a significant problem, as Windows and Mac computers now have relatively sophisticated virus protection built in, provided you keep your automatic updates on. However, email phishing scams are becoming common. Phishing scams are, for instance, where the CFO receives an email from the CEO asking for an account to be paid immediately. The email looks so genuine that the CFO makes the payment, and the scammer is away with the money. Phishing scams are tough to detect because the email looks so real, and the scammers are becoming smarter at making their emails appear genuine. The only way to avoid this type of scam is to require two signatories on every payment. Protection from this type of fraud comes down to businesses having proper processes in place and all staff being aware that a phishing email could arrive in their inbox.
Do these phishing emails always look for money?
No, not at all. We recently saw a scam where the marketing manager received an email from the CEO saying he was with a new business partner and wanted an email list of clients. The file was supplied as requested, but it went to the scammer, and this caused a significant breach of security. So the advice is, be very careful when replying to emails. These people are getting smarter by the day.
Finally, what is the most crucial advice you have for businesses to keep their data safe?
Change your passwords. I know it's an inconvenience but only a minor one when you consider the cost of a data breach. Also, ensure that settings are turned on in Windows and Mac computers that prevent staff from reusing any of their last five passwords, and make sure passwords include at least eight characters. We all hate going through the hassle of making password changes, but for the sake of your company's data security, it's just got to be done.
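The two settings Paul names in his closing advice (at least eight characters, no reuse of the last five passwords) map directly onto the Windows local account policy. The script below is an added example, not code from the interview or from Advanced Solutions International: it reads the current policy, reports whether it meets that baseline, and applies the baseline if not. It assumes a standalone or workgroup Windows PC and an elevated PowerShell session; the `$MinPasswordLength` and `$PasswordHistory` values are the figures from the interview, and the `net accounts` labels it parses ("Minimum password length", "Length of password history maintained") are the ones that command prints in English-language Windows. The Mac side of the advice is not covered here.

```powershell
# Added example (not from the interview): audit a Windows PC's local
# account policy against the recommended baseline and enforce it.
# Assumptions: standalone/workgroup machine, elevated PowerShell.
# Domain-joined machines take these values from Group Policy
# (Default Domain Policy); a 'net accounts' change there is overwritten
# at the next policy refresh, so set it in the GPO instead.
$MinPasswordLength = 8   # "at least eight characters"
$PasswordHistory   = 5   # "prevent ... reusing any of their last five passwords"

function Get-LocalPasswordPolicy {
    # 'net accounts' prints "Label:   value" lines; password history
    # shows "None" rather than 0 when it is switched off.
    $lines = net accounts
    $len  = ($lines | Select-String 'Minimum password length').Line -replace '^.*:\s*', ''
    $hist = ($lines | Select-String 'Length of password history maintained').Line -replace '^.*:\s*', ''
    [pscustomobject]@{
        MinPasswordLength = [int]$len
        PasswordHistory   = if ($hist -match '^\d+$') { [int]$hist } else { 0 }
    }
}

function Test-LocalPasswordPolicy {
    param([int]$MinLength, [int]$History)
    $p = Get-LocalPasswordPolicy
    [pscustomobject]@{
        Current   = $p
        Compliant = ($p.MinPasswordLength -ge $MinLength) -and ($p.PasswordHistory -ge $History)
    }
}

$result = Test-LocalPasswordPolicy -MinLength $MinPasswordLength -History $PasswordHistory
Write-Host "Current local password policy:"
$result.Current | Format-List

if (-not $result.Compliant) {
    Write-Host "Below the recommended baseline; applying minpwlen=$MinPasswordLength, uniquepw=$PasswordHistory"
    # /minpwlen = minimum password length; /uniquepw = number of previous
    # passwords a user may not reuse. Both are standard 'net accounts' switches.
    net accounts "/minpwlen:$MinPasswordLength" "/uniquepw:$PasswordHistory"
    Write-Host "Policy after change:"
    Get-LocalPasswordPolicy | Format-List
} else {
    Write-Host "Local password policy already meets the recommended baseline."
}
```

Paul also asks for regular password changes; `net accounts /maxpwage:<days>` is the matching switch, but the interview gives no figure, so the script leaves the maximum age untouched rather than invent one.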
Watch Paul's webinar Data Protection Essentials