Could your company data be compromised?
Digital credentials are among the most valuable assets found on the dark web. Why? Usernames and passwords connect you and your employees to critical business applications and online services.
In 2020, the number of records exposed to unauthorised users reached 36 billion. A staggering 2,935 data breaches were reported in the first three quarters alone, making 2020 the “worst year on record.”
While much of this data comes from the United States, New Zealand organisations are no less at risk. In January 2021, the Reserve Bank of New Zealand’s customer data was significantly breached after a cyber attack on a third-party file-sharing service.
The Privacy Act 2020*, which came into effect on 1 December, requires New Zealand businesses to notify the Office of the Privacy Commissioner in the event of a serious privacy breach or face a fine of up to $10,000, further underscoring cyber security’s growing importance to our national economy.
Increasingly sophisticated phishing scams, where attackers gain the victim’s trust to persuade them to share sensitive information, including passwords, are making employee education more vital than ever. In an increasingly complex environment of data sharing across mobile, cloud, and personal devices (“BOYD”), employees play a tremendous role in keeping your organisation’s data safe. Companies who champion their employees as the gatekeepers of their information can encourage buy-in to a culture of cyber security and good IT hygiene practices.
Why do hackers want your passwords?
Generally, cyber criminals want to access your personal and corporate information for financial gain, usually by way of identity fraud but sometimes even blackmail or extortion, as with ransomware, which holds encrypted data hostage until a ransom is paid.
How do people access your passwords?
The biggest threat to data security is reusing the same password across multiple websites. Rather than following best practices to choose a unique and difficult-to-guess password for every new site, many people simply repeat the same one. Totally understandable, given the number of sites that require you to sign in – and how often people forget their login info.
Unless you pay for password manager software, which automatically generates and saves a unique password for you, employees may revert to an old password that they can remember. Even worse, they may reuse the same username/password combo outside work on unsecured personal devices or networks, perhaps visiting sites that eventually get hacked. And once hackers have their personal information, they have effectively got yours, too. A hacked site’s entire database typically gets sold on the dark web, where other hackers then purchase it to gain access to other sites, including yours.
Other commonly used strategies include phishing, keystroke logging software or hardware, and brute-force attacks, where hackers use trial and error to guess login info, encryption keys, or access hidden web pages. Other times, relaxed security practices such as saving passwords on paper or unprotected digital documents may be to blame.
What is the risk to your business?
Financial loss from false transaction requests and reputational damage are the most common forms of fallout. While you are ethically and sometimes legally obligated to inform customers of serious breaches, not every breach warrants it. Consider each incident on a case-by-case basis, evaluating the relative risk of harm before letting third parties know. In some cases, there may be the possibility of personal damage, when private records are exposed, or even physical harm.
An organisation’s servers are typically all linked, so the successful exploitation of any administrator-managed server could give cyber criminals access to everything they are after. Be aware that there is a high element of opportunism involved: Like a common thief, the typical hacker starts by looking for low-hanging fruit, so do not make it easy for them!
Poor IT hygiene practices in order of risk:
• Using the same password across multiple devices or sharing passwords
• Inadequate restrictions on user access to critical data
• Incorrectly configured network security settings
• Stolen devices with insecure passwords and/or security settings
• Employee devices used at home or other unsecured networks
What can you do about it?
Securing your employee and client information is the most effective way to prevent data breaches. We recommend regular security audits, policy and procedure reviews, and implementing multi-factor authentication wherever possible. Ongoing staff training to boost awareness and promote cyber security best practices, particularly amongst your finance team, will also go a long way in thwarting malicious attacks.
But prevention is only half the battle. Businesses of all sizes should seek to implement visibility and detection capabilities across their operations, including antivirus, malware, and dark web monitoring software. Ideally, you will have a clear, comprehensive cyber security profile for each medium or business scenario and well-defined processes in place for risk mitigation and recovery should the unexpected happen.
How Think Concepts can help
We offer a large range of cyber security products and services, including IT hygiene audits, employee training, comprehensive antivirus protection with ThinkProtect, and proactive dark web monitoring with Dark Web ID.
First, we will look at what your business is currently doing and assess your risk profile, scanning for vulnerabilities and opportunities for improvement. Then we will offer a custom programme to address any security gaps and establish a protocol for best practices going forward. Depending on your needs, we can train staff on how to spot phishing emails, set up multi-factor authentication, make “BOYD” devices that staff use at home more secure, monitor company emails for any password breaches on the dark web, and create a secure backup of all critical files to protect against data loss.
Dark Web ID is a monitoring solution that scours the Internet to locate any compromised credentials associated with your company in real time. With this award-winning product installed, you’ll know if and when your users’ credentials have been phished, breached from a third-party website, or transacted on the dark web – before they cause damage to your business.
We can either monitor your Dark Web ID reports for you or you can mind them yourself then come to us when you need assistance. For $99 a month, we can monitor one domain name, which is sufficient for most customers. Should you wish to add domain names, you can do so for just $49 a month.
Dark Web ID can be bundled with ThinkProtect, our antivirus management service. Using our cloud-hosted server, we will ensure all antivirus and security updates are promptly done for you. We will also perform periodic audits to verify that all software is correctly installed and working on all machines as it should.
With businesses increasingly relying on technology and remote working, robust cyber security matters more than ever. Proactive solutions rather than reactive fixes will help safeguard your data and keep you several steps ahead of even the savviest cyber criminals.
*Disclaimer: The above does not intend to provide you legal advice and is informational only. For legal advice, please contact a certified legal professional.