Privacy and Cyber Security are hot topics right now. Attacks on Optus, Medibank, and now Latitude have customers reeling, and plenty of people asking “what next?”
It’s easy to think that criminals only target big businesses and holders of large amounts of sensitive data, and that smaller organisations simply aren’t worth the time trying to breach, unfortunately the reverse is often true. Smaller organisations often have less robust policies and procedures when it comes so cybersecurity and data management, they may have less sophisticated software for detecting and blocking attacks, and they can often be seen as a weak ‘back-door’ into information held by larger companies.
It’s also worth noting that it’s not usually all about flashing lights and whizzing bits of Matrix code as these ‘hackers’ bash away at the cyber-doors of their targets. We just need to look at some of these recent high profile breaches to say that an alarming number come from something as simple as stolen login credentials. When the burglars have the keys it’s easy to get through the door.
- The Optus data breach occurred from someone finding a door that didn’t even have a lock on it. It should have, but it simply didn’t, an unsecured API (effectively a data portal) requiring no username or password at all.
- Medibank’s breach was the result of someone getting hold of a Medibank username and password from one of Medibank’s IT service providers.
- Latitude’s breach also appears to have been caused by stolen login credentials, which then allowed the person to pose as that employee and access other third-party systems.
It’s perhaps not hard to understand why so many emails are received trying to get you to ‘click here’ or to open an attachment. These emails are baited hooks fishing for login details to anything and everything. (In fact, whilst writing this I received an email purporting to be a saved voicemail, all I need to do is click the link to hear the message….)
So, what are some of the things brokers can be doing to safeguard themselves and their customers from potential breach?
- Use strong passwords and two factor authentication. If your password is the same, or close enough, over a variety of sites then you’re only as secure as the very least of those places. Consider how many times a user might use the same password just changing a number or adding a ‘!’ to the end. If their password is breached on Spotify or Facebook, your network could easily be next.*
- Use archives that are less accessible. It might be necessary for a large number of staff members to access information when a deal is in progress, but once it has settled it may pay to lock big chunks of customer information away in less accessible storage areas.
- Have a written policy round information retention. Consider what information is required from customers, where and how that information is stored, and how long it should be kept for. It’s easy to say ‘we keep everything’ but that significantly increase the damage that could arise from a breach.
- Keep software up-to-date. Hackers work by finding a small opening and then working to widen it or squeeze through. The fewer openings you have, no matter how small, the lower your risk.
- Continually educate your employees. It’s not enough to write ‘use strong passwords’ in your employee handbook and forget about it. Employees should be warned regularly about the risks of attacks and shown examples of things like phishing emails. Ensure that your staff members are aware of best practices for data security and train them on how to identify and report potential security breaches. This will help prevent accidental data leaks or breaches due to human error.
Finally, consider engaging a data security expert. A good specialist will look at all of the items above and much more. They’ll try to break into your systems in ways you can’t imagine, and whilst they may cost a little, consider it no different to an insurance premium; a necessary expense to protect against much larger consequences.