Saturday, 6 August 2011

Have You Been Hacked This Month? Oh, Yes You Have



Written by Andrew Kemshall
I’m assuming the majority of people are sitting smugly reading this thinking ‘of course I haven’t!’
You do everything you’re supposed to do, right? You’ve installed a firewall, you’ve got some anti-virus software, you never follow links in emails or open attachments from someone you don’t know or trust. Well, that’s all very commendable. But unfortunately it isn’t you that’s been hacked. It’s your information stored by the companies you trust that’s been compromised.
Since the start of this year, globally, there have been 365 data loss incidents involving 126,727,474 records. According to Juniper Research, 90% of organizations have suffered data breaches in one form or another over the past 12 months. Testament to this is the number of household brands that have inadvertently divulged the information of millions of individuals:

  • Epsilon’s mailing lists were breached, affecting, amongst others, a number of U.K. brands including Marks & Spencer and Mothercare.
  • Sony’s PlayStation Network was hacked, with the personal information of 77 million gamers accessed.
  • Numerous incidents at the U.K.’s National Health Service, which holds millions of sensitive personal records covering almost every individual in the country.
  • RSA suffered a breach that has jeopardized the security of thousands of users of its physical SecurID two-factor authentication tokens.
  • Travelodge is still holding its cards very close to its chest, but it has confirmed that some of its customers’ email addresses have received spam messages.

I would conservatively estimate that the average family’s personal information has been breached 10 times since June.
Organizations ask you to trust them to store your information. They even provide a box for you to tick to show that you don’t want your details shared with third parties. And, with the best will in the world, they don’t intend to spill their databases into the black market. However, the stark reality is that all too often someone’s lax security controls allow a malicious person to gain entry to your personal records.
Too Little Too Late
Each time an organization is breached we see it desperately trying to reassure customers that it’s all going to be okay. For example, Travelodge was at great pains to inform its customers that it had not sold their email addresses and that no financial information was affected.
What organizations fail to grasp is that, each time your record is breached, organized cyber criminals are piecing together bits of information about you, your habits, and those of your family, which together create a complete picture.
Some will argue: what can be done with an email address? Well, a criminal could trick you into responding to a phishing email purporting to be from the bank you use or the store you shop at. If they also hold some further details about you, for example your date of birth or your children’s names, they may be able to ‘guess’ your password and access your account. Some of you may recall that, back in 2008, Jeremy Clarkson (of the BBC show Top Gear) printed his bank account details in his column in The Sun, believing there was little criminals could do with the information other than put money into his account; within days someone used them to set up a £500 direct debit from his account to a charity.
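The point that a few leaked details collapse the guessing problem can be shown concretely. The following is an added example, not code from the original post: the profile, the suffix list and the two victim passwords are all constructed for the demonstration, and the unsalted SHA-256 stands in for the weak storage many breached sites were found to use. Note that a slow, salted hash would not rescue a password that falls inside a list of a few hundred guesses; the guess count, not the hash, is the problem.

```python
# Added example (not from the original post): why a few leaked personal details
# make a "guessed" password cheap to find. Every name, date and password here
# is constructed for the demonstration.
import hashlib
import itertools

# Facts an attacker could stitch together from several small breaches (constructed).
PROFILE = {
    "first_name": "Sarah",
    "surname": "Jones",
    "birth_year": "1975",
    "children": ["Emily", "Jack"],
    "pet": "Rufus",
}

# Suffixes people habitually bolt on when a site demands "a number or symbol".
COMMON_SUFFIXES = ["", "1", "12", "123", "!", "1!", "2010", "2011"]


def variants(word):
    """Common spellings of one word: lower, Capitalised, UPPER, and l33t."""
    leet = word.lower().replace("a", "4").replace("e", "3").replace("o", "0")
    return {word.lower(), word.capitalize(), word.upper(), leet}


def candidate_passwords(profile):
    """Targeted guess list built only from the profile, no generic wordlist."""
    seeds = [profile["first_name"], profile["surname"], profile["pet"]] + profile["children"]
    suffixes = COMMON_SUFFIXES + [profile["birth_year"], profile["birth_year"][-2:]]
    cands = set()
    for seed in seeds:
        for v in variants(seed):
            for sfx in suffixes:
                cands.add(v + sfx)
    # Two family names glued together, e.g. both children's names.
    for a, b in itertools.permutations(seeds, 2):
        cands.add(a.capitalize() + b.capitalize())
        cands.add(a.lower() + b.lower())
    return sorted(cands)


def sha256_hex(password):
    """Unsalted SHA-256, standing in for the weak storage of many breached sites."""
    return hashlib.sha256(password.encode()).hexdigest()


def guess_password(stored_hash, profile):
    """Try the targeted list; return (password, guesses) or (None, guesses)."""
    cands = candidate_passwords(profile)
    for n, cand in enumerate(cands, start=1):
        if sha256_hex(cand) == stored_hash:
            return cand, n
    return None, len(cands)


if __name__ == "__main__":
    # Constructed victim passwords: one built from a child's name, one random.
    for pw in ("Emily123", "tangent-velvet-osprey-42"):
        found, tried = guess_password(sha256_hex(pw), PROFILE)
        status = f"found {found!r}" if found else "not found"
        print(f"{pw!r}: {status} after {tried} guesses")
```

The whole targeted list is a few hundred entries, so even a rate-limited login page or a deliberately slow password hash gives little protection once the attacker holds the family's names and dates; only a password that has nothing to do with those details falls outside the list.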
Take Back Control
You can’t personally go into every organization and ask them how they protect your information. That said, perhaps if more people were willing to challenge organizations about their security strategy before doing business, companies might do more to protect your information.
However, given this isn’t going to happen any time soon, you need to treat your personal information as you would any of your physical possessions in the real world. Here is a list of things you can do to prevent cyber-criminals capitalizing on your personal information:

  • Put a lock on the door by installing a firewall, and make sure it is properly configured and up to date.
  • Keep your operating system and browser patched and up to date.
  • Install an alarm by using industry-standard anti-virus software and make sure you install its updates. Malware infecting your computer can be an avenue for hackers to gain access to your personal data.
  • Restrict the key holders by not sharing your password with anyone. PCs allow you to create separate user accounts for a reason!
  • Change your password regularly and make it hard to crack, but one you can remember without writing it on a post-it note and sticking it to the screen!
  • If you change your PC, make sure the old hard drive is securely wiped. It’s amazing what criminals can pick up on eBay.
  • Be careful about the personal information you divulge when filling in registration forms. Ask yourself whether the organization really needs that much information about you and, as importantly, whether you can trust them to keep it safe. They’ll tell you how they intend to use the information, but don’t be afraid to ask how they’re going to protect it too.
  • Be careful what you tell strangers on social websites and in chat rooms.
  • Question the validity of emails you receive, and never click on an embedded link or download an attachment if you’re at all suspicious. Most banks will tell you how they will contact you and what they won’t ask you to do. If in doubt, call the organization the communication is supposed to have come from to allay your fears or confirm your suspicion.
  • If you have children and allow them to use your PC to access the Internet, make sure they know about online safety.
  • If you use your computer for work purposes and store sensitive data on it, get your employer to install two-factor authentication: something you know (your own strong, made-up password) combined with something you have, such as a one-time passcode sent by SMS to a mobile phone you own.
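
The last item describes the two factors; what makes the “something you have” factor worth having is how the server treats the code. The following is an added example, not code from the original post or from any vendor’s product: it implements the server-side half of a password plus SMS one-time code login. SMS delivery itself is out of scope (issue() returns the code the gateway would send), the store is in memory, and the user names, passwords and server key are constructed for the demonstration.

```python
# Added example (not from the original post or any vendor product): the
# server-side half of "something you know + something you have", with the
# "have" factor being a one-time code sent to the user's phone. SMS delivery
# itself is out of scope; issue() returns the code the gateway would send.
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is useless five minutes after it was sent
MAX_ATTEMPTS = 3         # without a budget, six digits fall to 1,000,000 guesses
PBKDF2_ROUNDS = 200_000


def make_password_record(password):
    """Salted, slow hash for the 'something you know' factor."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(record, submitted):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


class OtpStore:
    """Bookkeeping for outstanding SMS codes. In-memory here; a real deployment
    would back this with a database and take the server key from a key store."""

    def __init__(self, server_key, now=time.time):
        self._key = server_key
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # user -> {"tag", "expires", "attempts"}

    def _tag(self, user, code):
        # Store an HMAC of the code, not the code itself: a database dump
        # must not hand out live second factors.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self._pending[user] = {
            "tag": self._tag(user, code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # hand to the SMS gateway; never write it to a log

    def verify(self, user, submitted):
        """Return (ok, reason). A code is single-use, expires, and has a guess budget."""
        rec = self._pending.get(user)
        if rec is None:
            return False, "no code outstanding"
        if self._now() > rec["expires"]:
            del self._pending[user]
            return False, "code expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]
            return False, "too many attempts"
        if not hmac.compare_digest(rec["tag"], self._tag(user, submitted)):
            return False, "wrong code"
        del self._pending[user]   # consumed: replaying the same SMS fails
        return True, "ok"


def two_factor_login(password_record, otp_store, user, password, code):
    """Both factors must pass; the OTP is only consulted once the password is right."""
    if not check_password(password_record, password):
        return False, "bad password"
    return otp_store.verify(user, code)


if __name__ == "__main__":
    record = make_password_record("correct-horse-battery")   # constructed
    store = OtpStore(os.urandom(32))
    code = store.issue("alice")                               # "sent" by SMS
    print(two_factor_login(record, store, "alice", "correct-horse-battery", "xxxxxx"))
    print(two_factor_login(record, store, "alice", "correct-horse-battery", code))
    print(two_factor_login(record, store, "alice", "correct-horse-battery", code))  # replay
```

Four properties carry the security of the second factor: the code comes from a cryptographic random source, it expires, it can be used exactly once, and wrong guesses are capped well below the size of the code space. Storing only an HMAC of the code means that a copy of the server’s table, which is exactly what the breaches above leaked, does not yield usable codes.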

We’ve all got used to locking our front doors and keeping valuables out of sight. Until we can trust organizations to give our virtual possessions the same protection we need to take steps to protect ourselves.
Andy Kemshall is CTO at SecurEnvoy, a provider of tokenless two-factor authentication systems.
