It's the second week of National Cyber Security Awareness Month, and the focus this week is all about creating a culture of cybersecurity at work. It's critically important for all workers to consider the impact their actions have on their company's ability to maintain a secure computing environment. Many of the most serious data breaches and other major hacking incidents can be traced back to a regular worker's irresponsible — or at the least, inattentive — action. So, stop! Don’t click on that weird link in your email! To borrow a line from Dirty Harry, “You’ve gotta ask yourself one question: Do I feel lucky?”
Let's consider the massive Target Corp. data breach of 2013. Forensic investigations concluded that the thieves put malware on the point-of-sale systems. This malware collected customer account data on a Target server and then periodically transmitted the data to an offsite server controlled by the hackers.
So malware is the cause of the breach, right? Yes, but how did the malware get installed on the POS system?
Investigators believe that the thieves stole a legitimate user's login credentials to get a foothold on the Target network, and then used those credentials to move laterally and elevate their privileges beyond what that user was permitted to do. With higher privileges, they were able to unobtrusively install the malware that stole the data.
So the stolen credentials led to the breach, right? Well, yes, but how did the thieves acquire those credentials?
The forensic investigators tracked the purloined credentials back to one of Target's business partners. They believe an employee of a third-party contractor opened a phishing email and clicked on a malicious link. From there, a piece of malware was installed on the contractor's systems, and this malware was able to harvest the credentials that enabled login to Target's systems. Obviously, the person who clicked on that link was not lucky.
The rest is history: a breach of some 40 million cards.
The bottom line: One of the largest and most costly breaches ever began, at the root, with someone casually falling for a phishing attack. Had that small company embraced a more cautious cybersecurity culture, it's possible this whole incident could have been avoided. Dirty Harry’s advice might have helped.
As a testament to the value of security awareness training, workers who change their behaviors can reduce a company's security-related risks by about 60 percent, according to a recent report by the Aberdeen Group, The Last Mile in IT Security: Changing User Behaviors.
Companies know that a traditional prevention strategy can't be successful 100 percent of the time, says the report. So they turn to expensive, sophisticated technologies to detect, respond to and recover from security incidents. But the less expensive prevention strategy can be bolstered by modifying the risky user behavior that is so often the root cause of security incidents. Using empirical before-and-after training data, a behavior-change company called Wombat Security Technologies analyzed click-rate habits and found that malware infections can be reduced by 45-70 percent through user awareness and training.
User awareness meets data protection
While 3DSI is certainly an advocate of increasing user awareness of cybersecurity needs, we also believe that many breaches can be avoided with stronger measures for data protection in the first place.
One great method seems obvious: Don’t store sensitive data at all. Tokenization with services like CardVault is a very effective means for removing sensitive data from a vulnerable environment. If the real data isn't even available when a hacker comes looking for it, the impact of a breach is minimized.
Merchants often engage a third-party service like 3DSI to tokenize their credit card data and store the real account numbers in encrypted form in a secure vault outside of their own network. This transfers risk to the third-party provider. The merchant holds the tokens as a representation of the cards, but never stores any real card data at all. Even e-commerce merchants can use a secure card-collection service in conjunction with a payment gateway so that they never have to touch credit card data at all. Thus if an attacker makes his way into the merchant's computer systems, there's no sensitive credit card data to steal. This is a cybersecurity culture that everyone can embrace.
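To make the tokenization model above concrete, here is an added, constructed example (not 3DSI's or CardVault's code) in which the merchant hands a card number to a vault once and keeps only a random token, while the vault holds the real number encrypted under a key the merchant never sees. The vault's cipher is a stand-in built from HMAC-SHA256 in counter mode so the snippet runs on the standard library; a real vault uses an HSM-backed AES-GCM. Keeping the last four digits in the token and checking the Luhn checksum are assumptions, not something the post specifies.

```python
import hmac
import secrets
from hashlib import sha256


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so the vault rejects obviously malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the vault's real cipher (HSM-backed AES-GCM in production):
    HMAC-SHA256 in counter mode, so the example needs only the standard library."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class TokenVault:
    """Third-party vault: the only place a real PAN exists, and only encrypted."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # constructed key; never leaves the vault
        self._store: dict[str, tuple[bytes, bytes]] = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
            raise ValueError("not a plausible card number")
        # The token is random, so it cannot be reversed without the vault; it keeps
        # the last four digits so receipts and customer service still work.
        token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
        nonce = secrets.token_bytes(16)
        self._store[token] = (nonce, _keystream_xor(self._key, nonce, digits.encode()))
        return token

    def detokenize(self, token: str) -> str:
        nonce, blob = self._store[token]
        return _keystream_xor(self._key, nonce, blob).decode()


def merchant_checkout(vault: TokenVault, orders: dict, order_id: str, pan: str) -> str:
    """Merchant side: hand the PAN to the vault once, keep only the token."""
    orders[order_id] = vault.tokenize(pan)
    return orders[order_id]
```

An intruder who dumps the merchant's `orders` table finds only `tok_...` strings, and even the vault's own store holds ciphertext rather than card numbers.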
Read more 2015 National Cyber Security Awareness Month posts:
- Pumpkin Lattes, Fall Festivals and National Cyber Security Awareness Month.
- Tokenization a Critical Security Technology for Apple Pay and Other Mobile Payments.
- A Cautionary Tale for Your Evolving Digital Life.
- Critical IT Projects vs. the Security Worker Shortage.