Over the past few years we have seen not only an increase in the number of cyber-attacks, but also a disturbing upward trend in the sheer amount of data being stolen. The attacks have also become more destructive: data is not only being stolen, but also deleted.
Just look at these estimated numbers:
- Home Depot – 56 million cardholders affected
- Target – 40 million cardholders and 70 million others affected
- JPMorgan Chase – 76 million households affected
- Sony – 33,000 private files stolen, including 47,000 social security numbers, personal information of employees and contractors, financial data and feature-length movies
It should go without saying that companies are going to be focused on security more than ever in 2015. In fact, Gartner has predicted that global spending on enterprise IT security will reach up to $76 billion this year.
Attempting to prevent attacks by increasing spending on intrusion detection and data loss prevention, however, addresses only part of the problem.
4 Key security areas for 2015
1. Vendor Management
If you are using third parties/vendors to manage any part of your IT, ensure that their security protocols align with yours. In both the Target and the Home Depot attacks, the attackers gained entry to the core systems through a third-party vendor's access.
Not only should vendors have security protocols in place, but their staff and contractors must be educated accordingly.
2. Educating users
Phishing is not only a consequence of stolen data (stolen email addresses feed new phishing campaigns); it has also been the entry point in at least one of the recent major hacks. Target’s systems were compromised after an employee at a third-party vendor opened and executed malicious code delivered by a targeted phishing email.
It is especially important when running an email programme, whether for eMarketing, transactional or eBilling purposes, that customers are aware that phishing emails may imitate it.
Educate customers on which emails they can expect to receive from you, and on what to look out for when they suspect phishing. This communication needs to happen regularly, because the threats themselves keep maturing.
3. Technical Controls
Email authentication controls such as DKIM and SPF are no longer optional, and they should be accompanied by a published DMARC policy, which tells receiving mail servers how to treat messages that fail authentication, to further combat phishing attempts.
Learn more about the technical set up of DKIM and SPF
Read more about DMARC:
- Striata to implement DMARC – a new standard for email authentication
- 10 things you should know about DMARC’s battle against email fraud
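The reason DMARC is needed on top of SPF and DKIM is alignment: a phisher can pass SPF and DKIM for a domain they control while still putting your domain in the visible From header. DMARC only counts an SPF or DKIM pass if the authenticated domain aligns with the From domain, and then applies the published policy (p=, or sp= for subdomains). The following is an added example, not code from the original post or from Striata: a simplified DMARC evaluator over constructed DNS records and already-computed SPF/DKIM results. The domains, records and `AuthResults` fields are assumptions for the illustration; organizational-domain detection is simplified to the last two labels (a real verifier uses the Public Suffix List), and the pct= and rua= tags are parsed but not acted on.

```python
"""Simplified DMARC policy evaluation (added example, not production code)."""
from dataclasses import dataclass

# Constructed DNS TXT records for hypothetical zones; a real verifier would
# resolve _dmarc.<domain> with a DNS resolver instead of this dictionary.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and apply DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    real code must consult the Public Suffix List, e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def lookup_policy(from_domain: str, dns: dict):
    """Exact _dmarc.<from> first, then the organizational domain's record.
    Returns (policy_tags_or_None, looked_up_via_org_domain)."""
    from_domain = from_domain.lower().rstrip(".")
    record = dns.get("_dmarc." + from_domain)
    if record is not None:
        return parse_dmarc(record), False
    org = org_domain(from_domain)
    if org != from_domain:
        record = dns.get("_dmarc." + org)
        if record is not None:
            return parse_dmarc(record), True
    return None, False


@dataclass
class AuthResults:
    """Results a receiving MTA already has before the DMARC step (assumed shape)."""
    from_domain: str   # domain in the RFC 5322 From header (what the user sees)
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str   # "pass", "fail", "none", ...
    dkim_domain: str   # d= of the verified DKIM signature ("" if none)


def evaluate_dmarc(r: AuthResults, dns: dict = DNS_TXT):
    """Return (dmarc_result, disposition): result is pass/fail/none,
    disposition is the action the receiver should take."""
    policy, via_org = lookup_policy(r.from_domain, dns)
    if policy is None:
        return ("none", "none")  # domain publishes no DMARC policy
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # A subdomain without its own record inherits sp= if present, else p=.
    disposition = policy.get("sp", policy["p"]) if via_org else policy["p"]
    return ("fail", disposition)


if __name__ == "__main__":
    legit = AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")
    spoof = AuthResults("example.com", "pass", "attacker.net", "pass", "attacker.net")
    for label, msg in (("legitimate", legit), ("spoofed From", spoof)):
        print(label, evaluate_dmarc(msg))
```

The spoofed case is the instructive one: both SPF and DKIM report "pass", because the attacker authenticated their own attacker.net, yet DMARC fails and the published p=reject applies since neither authenticated domain aligns with the example.com in the From header.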
4. Response Management
While the aim is to never have a system compromised, there is never a 100% guarantee of this. Communication to stakeholders, including customers, is imperative after a breach to avoid further attacks. In these hacks, personal data including email addresses is often part of the stolen assets, and it feeds the next round of phishing.
We’ve learned that cyber criminals are opportunists. For example, when Air Asia QZ 8501 went missing late last year, it took around 24 hours for phishing emails, and social media posts linking to malware, to be seen in the wild.
4 Key ESP Security Areas You Should Be Aware Of In 2015