
What every company should know about a data breach

A data breach is not only inconvenient and frustrating for a company, but it can cost in revenue dollars and customer trust. How prepared is your company should a major data breach occur?

by Pat Shea — Editor, NetworldMedia

Every day it seems the news is filled with stories about companies that have had their data servers hacked and sensitive customer data compromised. In this unique time where a majority of people are working from home and holding online conferences as well as shopping and banking online due to the pandemic, a data breach can be a startling reality, said Al Pascual, co-founder and COO of Breach Clarity, a fraud prevention and detection technology firm.

"Companies should remember that not all threats come from the outside," he said during an interview with ATM Marketplace. "Data breach protection strategies should consider both internal and external risks of data leakage."

Breach Clarity, which has invented a proprietary algorithm to analyze and score the threats of every publicly reported data breach, advises companies to protect themselves by leveraging a zero-trust model in combination with a defense-in-depth strategy.

"For those unfamiliar with 'zero trust,' the overarching premise is that companies should not assume that all users should have unimpeded access to all information, devices, networks, services, etc.," said Pascual, who recently chatted with ATM Marketplace about how companies can protect against a data breach. "This idea fits neatly into a defense-in-depth strategy, where layers of controls are deployed to protect an organization from the outside in."

Q: Do companies know when there is a data breach?

A: There are data breach protection strategies that should be considered, both internally and externally to avoid the risk of data leakages. However, there is no "best case" scenario when it comes to data breaches, but there are strategies that would help to mitigate the fallout when a company detects a data breach on its own, as a result of active monitoring of their network traffic or users' behavior, as well as through threat intelligence that monitors for any criminal communications concerning their organization.

In reality, many organizations only become aware of a data breach after it has been discovered by a third party. That could be a security researcher – or much worse – when a ransomware attacker shares the compromise with the world to intimidate a company into rendering payment. The latter situation is a very embarrassing, and increasingly effective tactic on the part of criminals.

Q: What are the steps they should take when they realize their data has been compromised?

A: When a compromise is detected, companies need to keep two things top of mind: triage and compliance. Triage is when a breach occurs and companies need to work as quickly as possible to determine the data that has been affected in order to assess their risk and responsibilities, as well as identifying the means of exfiltration because the attacker may still be in the system. Compliance means it's important that a company is aware of their notification obligations when consumer data is compromised. Even then, most companies tend toward the bare minimum, hiding behind language that obscures the risk to affected individuals and only offering token compensation. Transparency and responsibility are a quicker path to restoring the trust of those who are impacted.

Q: What are the easiest ways to have your data compromised?

A: Weak authentication and phishing attacks are the two largest threat vectors when it comes to data breaches. This means moving away from a reliance on static credentials (user names and passwords), especially when it comes to remote access, and hardening your organization against phishing attempts through better detection and user education. These are some of the best investments an organization can make to keep its data safe.

Q: What are some of the more challenging ways cyberthieves have breached data?

A: The compromise of third-party vendors has caused pain for many large organizations, including those within the financial services ecosystem. In fact, large bank breaches are almost exclusively the result of third-party system or provider compromise.

A company can control its risk by actively protecting data hosted by a third-party cloud service provider, and by performing security assessments of new vendors. Of course, it's almost impossible to know the security posture of your vendors' vendors, and there is a real chance that those organizations have your data as well. So, it becomes more imperative that your company engages with vendors that take data security very seriously.

Q: Are there any regulatory bodies to prevent data breaches?

A: Companies that store or transmit card data fall under the Payment Card Industry Data Security Standard, which is an information security standard that includes a comprehensive array of guidelines. Companies can also look to the FBI, which puts out notices with increasing regularity about schemes targeting businesses. The National Institute of Standards and Technology (NIST) offers information on best practices as well.

Within the financial services industry, institutions can look to the Federal Financial Institutions Examination Council for security requirements that will help to ensure their institution is effectively "hardened." The FFIEC's cybersecurity assessment tool is a very useful resource.

Additionally, the Financial Services Information Sharing and Analysis Center is a great non-governmental source of information around threats and best practices specific to the financial services industry.


Pat Shea

Pat Shea is the editor of ATM Marketplace. Pat has been an editor and writer in mass market and trade publishing for more than 25 years. She has won press awards for her newspaper reporting and feature writing in corporate communication publications.
