It has been a week of hacking revelations and some of the data breaches have been massive.
The famous Marriott hospitality giant disclosed a breach that had been running for four years on a reservation system for its Starwood properties.
As many as half a billion customers may be affected, so when I say massive breach, I really mean it.
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement released early Friday morning.
Marriott said the intruders encrypted information from the hacked database (probably to avoid detection by any data-loss prevention tools when removing the stolen information from the company’s network), and that its efforts to decrypt that data set were not yet complete. But so far, the hotel network believes that the encrypted data cache includes information on up to approximately 500 million guests who made a reservation at a Starwood property.
Are all hospitality suites at risk?
Here’s the thing: if you hold data on a large number of individuals, be they employees or clients, then you need to take security seriously.
In the run-up to Christmas there has been a massive increase in the number of phishing emails, and this is no coincidence. With more people spending money, the data that companies collect is increasing, and that makes for an attractive target.
Nobody would be interested in us!
It’s amazing how many times I have heard this from staff in companies. They could not be more wrong.
By launching a phishing attack on your company, the hacker can gather lots of information from your system that may provide authorised access to a supplier or an accountant. Once in those companies they may then have access to hundreds of other companies. This sort of attack causes massive data breaches.
Once they have finished with your company, they may well sell your details to other hackers, providing them with access to your systems for other uses. A common use is turning your computers into zombies for use in attacks on other systems, or just using your computing power for some other purpose.
During the time your system is compromised, everything you type, save and email is available to the hackers. They can easily capture your banking information for use later.
You are never too small to be of interest to a hacker; it is a numbers game for them. The more computers they can compromise, the bigger the potential rewards.
Staying safe is a challenge that increases in complexity year on year and for new and small companies it is not a subject that is very high on their priority list, even though they know it should be.
First line of defense
For start-ups and SMEs, the typical computer network grows organically with little thought to security. The majority of these have a standard router from their internet service provider.
These routers have a firewall built in, but it is basically set to allow everything. Even if you edit the router’s firewall, it is a manual process that offers only basic protection against a data breach.
What you need is a quality Firewall, or a replacement Router with a quality Firewall, that has managed rule sets configured automatically by the vendor’s security experts.
These are not expensive systems: they start at around £99 for the typical small office, with annual subscription licences at under £50 a year for automatic regular updates.
This is your first line of defense and, depending on how much you are willing to spend, can prevent your staff visiting malicious or infected websites, scan for infected traffic trying to enter the network, prevent hackers from accessing the system and stop DDoS attacks.
Second line of defense
Anti-Virus (AV) /Anti-Malware (AM) software needs to be installed on all of your computer systems and it must be kept up to date.
I have been in dozens of companies where I have had to advise the business about their AV or AM software not being legal.
Software licence compliance is important: the licence for almost every AV product states that it is free for personal use but you must buy a licence if you are running a business.
Buying a licence usually provides you with more frequent updates and, as a result, better protection. Some products also offer financial and/or technical guarantees for licensed products.
If you are uncertain as to which AV/AM to use contact us.
Staff are your biggest asset when it comes to protecting your data, provided you train them correctly.
Many companies are wise enough to have their IT company or an IT security company send simulated phishing emails to their staff as part of an ongoing training programme.
Yes, of course that is something we can do, but it is not why I mention it. Staff training makes staff more productive and reduces costs in the longer term. It also reduces staff turnover for a number of reasons, including staff wellbeing, fewer incidents that require investigation or disciplinary action, and an improved company reputation.
Other things you can do
Got an old computer? It can be configured as an Intrusion Detection System (IDS) that IT can use to identify attacks on the network. An IDS also provides a way of thwarting attackers and lets IT learn the techniques and methods that hackers are using to compromise the system.
Add more Firewalls to segregate departments, allowing only authorised connections between them. This may seem like overkill, but believe me, separating the Accounts department from the rest of the company is not the only thing that should be done.
If you have an internal IT department and a Software development department then these should also be segregated using a Firewall.
Production and retail departments should also be separated from each other and from many other departments within the company.
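To make the two firewall points above concrete (an ISP router that allows everything versus a Firewall that segregates departments and permits only authorised connections), here is an added example that is not from the original post or any vendor product. It writes a small segmentation policy as code: department subnets and the handful of allowed cross-department flows are constructed for illustration, a checker decides whether a given connection would be accepted or dropped, and the same policy is rendered as an nftables ruleset so you can see the "policy accept" default beside the "policy drop" one.

```python
"""Department segmentation policy: default deny, explicit allows.

Added example (not code from the original post). All subnets, department
names and allowed flows below are constructed for illustration; substitute
your own network plan.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed department segments (one /24 each).
SEGMENTS = {
    "accounts":   ip_network("10.10.1.0/24"),
    "dev":        ip_network("10.10.2.0/24"),
    "it":         ip_network("10.10.3.0/24"),
    "retail":     ip_network("10.10.4.0/24"),
    "production": ip_network("10.10.5.0/24"),
}


@dataclass(frozen=True)
class Allow:
    """One authorised cross-department flow (initiating direction only)."""
    src: str
    dst: str
    proto: str
    port: int


# Explicit allow list. Anything not listed here is dropped between departments.
ALLOWED = (
    Allow("it", "accounts", "tcp", 22),     # IT administers Accounts hosts over SSH
    Allow("it", "dev", "tcp", 22),          # IT administers Dev hosts over SSH
    Allow("retail", "accounts", "tcp", 443),  # tills post sales to the Accounts web app
)


def segment_of(ip: str):
    """Return the department name owning this address, or None if unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Return 'accept' or 'drop' for a new connection, mirroring the ruleset.

    Only the first packet of a connection is modelled; reply traffic is covered
    by the established/related rule in the rendered nftables output.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "drop"          # unknown networks never get through the segment firewall
    if src == dst:
        return "accept"        # traffic inside one department does not cross the firewall
    for rule in ALLOWED:
        if (rule.src, rule.dst, rule.proto, rule.port) == (src, dst, proto, port):
            return "accept"
    return "drop"              # default deny between departments


def render_nftables(default_deny: bool = True) -> str:
    """Render the policy as an nftables forward chain.

    default_deny=False reproduces the typical ISP-router posture: the chain
    policy is 'accept' and no per-department rules are needed to get through.
    """
    policy = "drop" if default_deny else "accept"
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        f"    type filter hook forward priority 0; policy {policy};",
        "    ct state established,related accept",
    ]
    if default_deny:
        for r in ALLOWED:
            lines.append(
                f"    ip saddr {SEGMENTS[r.src]} ip daddr {SEGMENTS[r.dst]} "
                f"{r.proto} dport {r.port} accept  # {r.src} -> {r.dst}"
            )
        # Log what the default policy drops so IT can review blocked attempts.
        lines.append('    log prefix "segmentation-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(decide("10.10.3.5", "10.10.1.10", "tcp", 22))    # IT -> Accounts SSH: accept
    print(decide("10.10.2.3", "10.10.1.10", "tcp", 443))   # Dev -> Accounts HTTPS: drop
    print(render_nftables())
```

The important property is that the allow list is the whole story: a flow from Dev to Accounts, or from Accounts back into IT, is dropped because nobody wrote a rule for it, not because someone remembered to block it. Rendering with default_deny=False shows how little the allow-everything router actually enforces.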
Want to know more?
If you would like further advice, please contact us for an informal chat.