In today's business environment, confidential information such as pricing information, customer lists, proprietary technology and marketing plans is a vital business asset, and any compromise may affect the core operations of the organization. That is why security breaches are such big news. Despite security leaks, distributed denial-of-service (DDoS) attacks and advice from security professionals to protect sensitive data, many individuals and businesses are still unprepared for and unprotected from ever-rising security threats. According to Trustwave's 2014 State of Risk Report, many businesses have only a partial security system, or none at all, in place to protect the organization from losing its most sensitive data. The questions are: in what ways is the most confidential information at risk, and what can these big companies do better to ensure sensitive information is protected from security threats?
Internal attacks on data and systems are the most common and the biggest threats big companies face. Terminated employees, especially those from IT departments who have knowledge of and access to admin accounts, networks, and data centers, may cause serious damage to the company. For example, the recent Ashley Madison data leak was discovered to have been done by a former employee angered by a termination. To mitigate this problem, all terminated employees should have their access revoked. It is also important to control, monitor and manage all privileged credentials to prevent potential acts of exploitation.
Careless or uninformed employees
Careless employees who do not follow security best practices are likely to click on suspicious emails or open spam email attachments, use weak passwords to access company systems, or visit unauthorized sites, all of which pose a high security threat to the company. The sensitive information a company may put at risk includes business secrets and confidential employee data. To control this risk, it is important to train employees on best practices for handling company devices and confidential information. Employees must be trained to manage passwords, to avoid being hacked by cyber criminals, and to encrypt sensitive data. According to Peter Doggart, business development vice-president for Blue Coat, although encryption is good for protecting privacy, it is being used as a new method of attack. However, the company has integrated its SSL with the "GigaSecure" Security Delivery Platform to enable inspection and security analytics at scale.
Sensitive data can be highly vulnerable when employees use mobile phones to access company data, share data, or neglect to change passwords. In a study released by BT Americas, "mobile security breaches have been the most common affecting over 68% of all global companies in the last one year". The confidential information at risk includes company passwords and company information saved on mobile phones. To control the risk, it is important for a company to have a BYOD policy in place to educate employees on device expectations. Other measures include containerization to respect users' privacy and mitigating BYOD risks with a hybrid cloud.
Unpatched or unpatchable devices
These include network devices such as printers and routers that cannot be patched and whose hardware was not designed to be updated. According to CyActive, these devices can be exploited by cyber attackers to gain access to where data is stored. To protect confidential information, it is important to deploy vulnerability management as the first step. The second step is to identify all vulnerable Windows Server 2003 instances, with priority given to systems according to risk and criticality.
Third-party service providers
According to Matt Dircks, the CEO of Bomgar, many companies rely on outsourcers and third-party vendors for maintenance and support of their systems, such as point-of-sale (POS) systems. If these providers use remote access to view sensitive information without following procedures, and a password gets into the wrong hands, sensitive information may be lost or accessed by competitors, or worse. To control this problem, a company has to ensure that outsourcers follow remote access best practices such as setting privilege permissions, using unique credentials and enabling multi-factor authentication. It is also important to delete third-party accounts as soon as the service contract is over.