Data Breach at Capital One - What happened and how do I prevent a data breach?
As you probably have already seen on any news source by now, Capital One announced yesterday that 100 Million!!! people were affected by the latest data breach.
This includes information such as credit scores, balances, SSNs,, bank-account numbers and credit-card numbers. In addition, other information such as names, addresses, phone numbers, dates of birth, credit scores and other financial data were also potentially stolen as a part of the breach.
This comes on the heals Equifax's big settlement announcement and countless other hacks that have been in the news recently.
So What Happened?
According to the court filing, the hacker gained access by exploiting a misconfigured web application firewall. Once past the firewall, the suspect used a "special command to extract files in a Capital One directory stored on Amazon's servers." from CNN.
So What Should You Do?
If you are a smaller business with less resources than Capital One reading this thinking, "If it happens to Capital One, it can happen to anyone!". This is a valid point, and unfortunately, it can happen to anyone if a hacker really wants to get in.
However, if you are a business, there are a number of simple steps you can take to help prevent this and limit your exposure:
1. Evaluate what data you really need to keep
As an example, if you are a B2C selling online or in a retail storefront, do you ever need to keep a customers SSN or personal information? Maybe an email or a phone number to contact them, but be careful what you are keeping. This will help limit the exposure of what a hacker can get.
More commonly for a lot of smaller businesses, pay the nominal amount to outsource your credit card processing. This way, you never have to keep this data and are not liable if you aren't keeping it.
2. Educate your employees
This sounds simple….and it is… or is it?
Make your employees go through some sort of yearly security training. Help them understand what is a good security practice and what is an absolute no. Hackers are not just using algorithms to attempt every combination in the book. They are doing research on employees and finding personal information to mimic as if they were the employee actually working in the company to get access.
3. Enforce password policies
Make passwords be complex where it can't be their dog and their graduating year. Make the passwords change frequently. Make sure no one shares passwords. Make sure passwords aren't written down. Make sure any wifi network has a password. Make sure any device with access to data has a password.
4. Completely destroy physical data before it goes to the trash
If you have sensitive information on a piece of paper or on a thumb drive, make sure that it is shredded and totally destroyed before putting in the trash.
5. Outsource the complex to people who are experts
If you are not that familiar with IT in general or you don't feel like you have a great grasp on cyber security, consult with an expert who can help and make unbiased and quality suggestions. Even though it will cost you more money on a month to month basis, it will be worth it. The statistics do not lie, 60% of SMBs with a data breach will close in the next 6 months. Do not let that be you.
If you are looking for a way to help make your business more secure, let Opkalla help and let's discuss what would be best for your business.