Cybercriminals are always looking for new ways to gain entry to your systems and steal your data. Ransomware is on the rise — two in every five businesses in the UK have been attacked, while reports of phishing have increased 870% in 2017. Meanwhile, malware attacks are also spiralling, with 18 million new samples captured in 2016 alone. But while most organisations are focusing on combatting these problems, there are many threats that get overlooked.
1. The Dark Web
The Dark Web is the ‘hidden’ part of the internet, not indexed by conventional search engines like Google or Bing. It makes up a large proportion of the internet and, for the vast majority of people, is dimly understood as a network for illegal activities like drug trafficking, terrorism and sales of weaponry.
But what many people don’t realise is that the Dark Web is increasingly becoming a marketplace for something much more valuable — your data. Whether via malicious hacking or accidental breaches, criminals are after all sorts of company data including export dumps from CRM systems, client information, employee login credentials, financial records, HR databases and more — all of which fetch a fair price on the Dark Web.
Just last month we witnessed Instagram falling victim to hackers who posted email addresses and phone numbers associated with 500 A-list celebrities’ accounts for sale on the Dark Web for just $10 each. As such, we should remember that the Dark Web is a significant and growing threat, and one that businesses should not ignore.
2. Third-party breaches
Data breaches via third parties are on the rise. In fact, 63% of breaches today are linked to third-party vendors in some way. Recent victims of this type of breach include Amazon, Target and the IRS. Our database of third-party breaches covers more than 4.8 billion email addresses — with more than 1.5 billion added in 2017.
When businesses think about data protection, they often consider only their long-term suppliers, such as a payroll provider or an outsourced storage provider. But what about those suppliers who work with you on a shorter-term basis, like a marketing agency on a three-month contract, or a contractor who works with you for a month? Businesses share a lot of data with these suppliers but don’t realise that they could still be at risk of a breach long after the contract ends.
Furthermore, most people don’t realise that third-party breaches can easily occur from something as simple as your employees signing up to almost anything online. For example, if an employee uses their work email address to sign up for a newsletter, website or conference, then that email address could be at risk of being breached and put into the hands of an attacker who could use it to carry out a phishing attack on your business.
Employees may well be the weakest link in any defence system for the simple reason that they are human. Humans make mistakes — leaving USBs on trains, sharing passwords with colleagues (like Nadine Dorries), clicking on dodgy phishing links — all of which can lead to their employer coming under attack from cybercriminals.
Once GDPR comes into force in May 2018, businesses will need to report significant breaches affecting customer data to the relevant supervisory authority within 72 hours of the organisation becoming aware of them. Penalties for failing to comply with these conditions are severe — there will be a two-tiered sanction regime for those who store information incorrectly and have data leaked, or who don’t promptly report those breaches. Lesser incidents will be subject to a maximum fine of 2% of an organisation’s global turnover. For more serious violations, this could set them back 4% of turnover.
Fines aside, the damage a data breach can do to your reputation could be almost irreparable — especially in the short term. Therefore, if your data is leaked or hacked, you need to find it quickly, and address the breach before more “bad guys”, the regulators or the media discover it.
5. Board-level awareness (or lack of)
If you are part of a board of directors, and cybersecurity is not on your agenda at the moment, you are putting your entire company in jeopardy. While cybersecurity may not directly help you with revenue growth or improve profit margins, it deserves attention because the consequences could be dire in terms of damage to your reputation, share price and lost revenue. In fact, according to a cybersecurity report from CGI, hacking attacks on UK businesses have cost investors £42bn since 2013. The report also found that share prices fall by an average of 1.8% following a severe breach. The impact on a typical FTSE 100 firm is a loss in value of £120m after a breach, according to the study.
Our BreachAlert software tool is vital in tackling all of these issues. BreachAlert monitors millions of Dark Web pages and then filters and extracts information based on corporate data, like email addresses, trademarks, client lists and employee information. The best part about BreachAlert is that it can instantly alert you when your data is being shared and discussed online by cybercriminals. Having this information in real time may save you from receiving a large fine under the GDPR and may help you to realign your incident response strategy — creating a more secure environment for your data.