It has been an eventful 2018 in the data security and privacy space, as cybercriminals continue to carry out more sophisticated attacks to breach private servers. At the same time, continent-wide changes in data privacy regulation, such as the EU General Data Protection Regulation (GDPR), are introducing new ways to protect the data of businesses and consumers.
Despite the additional safeguards implemented by government agencies around the world, malware, ransomware and IoT attacks are becoming harder to prevent, compromising potentially sensitive personal data at companies in virtually every industry. Part of the reason is that corporate data stored in the cloud is more exposed than data stored elsewhere. Combine this with the fact that 54% of all payment information is stored in the cloud, according to Ponemon Institute research, and you’ll see why it’s more important than ever to protect the sanctity of your data, regardless of where it’s stored. The same study found that 49% of customer information and 35% of consumer information is stored in the cloud. Here are seven of the biggest data security stories and trends of 2018 so far:
While AI and machine learning (ML) offer automation, data analysis and other business solutions, there’s a dark side to the technologies as well. Hackers have recently been using AI to carry out more sophisticated cyber-attacks as the technology can automate the process of collecting company data from code repositories, supplemental documentation, social media and more.
AI can also help hackers guess passwords by narrowing the set of likely candidates based on a number of factors, including geography and demographics. One recent example of this technology in action was the AI.type keyboard app, which learns the writing styles of its users in order to provide a personalised messaging experience.
However, it led to a data breach that exposed the data of 31 million Android users. Cybercriminals used the app’s AI capabilities to enter its server, attaining full names, email addresses and exact locations, as well as how long the app had been on a user’s device. Moving forward, security experts will have to offer a more decentralised approach to AI, distributing data across a number of devices in a similar fashion to blockchain technology.
New Data Security Regulations With the GDPR
As previously mentioned, one of the biggest stories in data privacy and security this year was the EU GDPR, which was passed on April 14, 2016 and came into effect on May 25, 2018. The new regulation is designed to harmonise data privacy law across Europe, with the main goal of protecting and empowering the data privacy of all EU citizens.
The move is helping to reshape the way organisations tackle data privacy, pushing CIOs and CMOs to adjust how they store and leverage consumer and customer data. CIOs will have to ensure that their consent management processes are detailed and consistent, while CMOs need to focus on protecting the sanctity of their business’ data.
With stricter laws and more rights for consumers come heftier fines for companies that fail to comply with the GDPR. These fines can reach €20 million or 4% of annual worldwide turnover, whichever figure is larger. It remains to be seen how this will pan out: a Forrester report revealed that 80% of companies will fail to comply with the GDPR, while 50% of companies will choose not to comply.
The FTC Cracks Down, Garnering Mixed Results
The U.S. Federal Trade Commission (FTC) has had a busy year, turning its attention towards protecting consumers by pushing companies to enforce their consumer data security and privacy policies. One of the agency’s biggest victories came in the form of a children’s privacy and security case where a complaint was filed against toymaker VTech.
The FTC accused the company of violating the Children’s Online Privacy Protection Act, claiming VTech had amassed the personal information of its child customers without informing their parents and obtaining their consent. The company also allegedly failed to secure the consumer data it compiled, which eventually resulted in VTech paying $650,000 to settle the case.
Back in January, the FTC and the state of Nevada cracked down on the parties that run MyEx.com, a revenge porn site, for posting intimate images of people without their consent. The site promoted heinous acts that violated federal and state laws, which led to fines and bans from continuing this activity in the future.
Most recently, an FTC complaint against healthcare firm LabMD that ran for nearly 5 years came to a conclusion in early June. The agency accused the firm of mishandling sensitive patient health records. The FTC attempted to force LabMD to revamp its patient data privacy and security policies, but the ruling landed in favour of the firm.
Nevertheless, the lengthy litigation forced LabMD to shut down, proving that it’s becoming increasingly harder for companies to operate with lax data security practices.
Sandbox-Evading Malware and IoT Ransomware
Sandboxing has traditionally been an effective way to detonate suspicious files safely and stop viruses and other malware before they reach your devices. However, more hackers are now developing sandbox-evading malware that stays dormant in the sandbox and only executes once it reaches a real computer. One of the best-known examples of sandbox-evading malware was Locky, back in 2016.
Another increasingly common threat to keep an eye on is ransomware that targets IoT devices. If you have a smart home hub connected to your phone, laptop, smart fridge, smart thermostat or even your car, this could be a potentially deadly threat. Ransomware holds one of your devices hostage for 48 to 96 hours, requiring you to make a cryptocurrency payment if you hope to get your device back.
If you fail to make the payment within the 72-hour window, all your data will be deleted and potentially stolen. This threat could be potentially deadly if a cybercriminal takes hold of your smart car while you’re driving. It can also threaten the safety of a company’s data across multiple devices.
Bigger Focus on Multi-Factor Authentication
Data privacy regulators may soon pass legislation that requires virtually every retailer, tech company, financial institution and any business that compiles consumer data to implement multi-factor authentication. While many businesses already do so, it could become a necessity moving forward.
There have been countless data breaches over the last few years that have exposed consumer data, most of which came from weak, stolen or default passwords. This is linked to the fact that most companies still use single-factor authentication, so the compromise of one user’s credentials can open the door to the data of every user.
Adding to this, a recent BitDefender report found that more and more UK home computer users are worried about becoming victims of identity theft. The study also found that 48% of those surveyed were unsure of the status of their anti-malware software. Expect multi-factor authentication to become the norm within a year.
Verizon 2018 Data Breach Investigations Report
The Verizon 2018 Data Breach Investigations Report (DBIR) found that IT teams and security experts still have their hands full as the number of threats to business and consumer data continues to increase. The DBIR found that 39% of malware-related data breaches involve ransomware, which is the most common type of malware.
The number of ransomware incidents this year is double last year’s, tallying up to more than 700 incidents. Attacks are now also hitting business-critical systems, including file servers and databases, which criminals then encrypt in order to demand larger ransoms.
Phishing, smishing and other social attacks are becoming more sophisticated, with Human Resources departments being targeted to obtain employee wage and tax data. There were 170 incidents of phishing and its variants in the last year, 88 of which targeted HR staff. About 4% of people fall for a phishing campaign nowadays.
DDoS attacks are also becoming more prevalent, accounting for more than 56% of all attacks in the information sector. Financial and insurance companies are also being targeted, with card skimmers being installed on ATMs to steal card data from customers. The report also found that most cybercrimes (72%) are carried out by external parties.
How to Protect Your IT Systems in 2018
There are plenty of evergreen IT security practices, such as changing your passwords regularly and backing up your data. There are also new requirements every year as cybersecurity threats change and IT systems become larger and more complex. One of the most common issues in recent months has been Wi-Fi vulnerabilities.
Key Reinstallation Attacks (KRACK) are especially popular among hackers, allowing criminals to exploit weaknesses in WPA2. Hackers use KRACK to tap into a private Wi-Fi network while a person’s device is being authenticated to it. The attacker intercepts this handshake and can then read the data being transmitted over the network.
A good safeguard against KRACK is keeping the software, firmware and antivirus on every single one of your devices up to date. You and your workers should also only use websites over HTTPS connections, even on a password-protected Wi-Fi network, so that traffic stays encrypted end to end regardless of the state of the Wi-Fi link. Also use encrypted communication protocols for all interactions between servers and clients, and put a VPN on every device used for business operations.
Another IT security initiative we recommend is implementing cloud-based identity and access management (IAM) tools. These protect your data by monitoring for threats that could be lurking and by blocking a worker’s access to certain resources if the IAM tool detects any irregularities in the way a file is being accessed.
Finally, we recommend that you always back up your data on a regular basis, regardless of the size of your operations. A recent study from research firm Clutch found that more than half of the small businesses in the world have no data loss prevention or recovery tools. There are many ways to back up data: an online service, an external hard drive, the cloud, or all of the above.
Backups are integral to ensuring that you maintain your IT data-security compliance requirements. They also guarantee that your business can run smoothly without any data loss or resource gaps.
Our team at BOBcloud offers data backup services that offer businesses of all sizes a great deal of efficiency, privacy and security. We store your data on the cloud via Microsoft Azure, keeping up with the industry’s top security and compliance requirements by offering military-grade encryption to your data and documentation.