An enormous trend of data loss driven by a growing number of data breaches: that is the sad reality of today’s technology-dependent and obsessed world. This is the overall picture painted by Gemalto’s recently released 2018 Breach Level Index. The report reveals that around 3.3 billion user files of varying importance were lost in 2018 to security breaches involving multinational companies, small and medium enterprises and even the public sector, and the count is still rising.
The stolen records are now in the hands of unknown third parties, who are enjoying the wealth of information they can extract from the breaches, given that an estimated 96% of the stolen data was stored in the clear, that is, unencrypted. For the last five years it has been common to hear news of a security breach at least weekly, each one exposing personally identifiable information to parties beyond those originally entrusted to host the data.
Requiring that affected consumers be notified of a data breach may encourage better security practices and help mitigate potential harm, but it also carries costs and challenges. In May 2018 the European Union’s GDPR took effect. It covers all companies that serve citizens of EU member states and those operating inside an EU member state. The GDPR mandates that a company fully disclose a data breach within 72 hours of discovery, or else a hefty penalty befalls the erring company.
Strictly enforced notification requirements can create incentives for entities to improve data security, minimizing legal liability and avoiding the public-relations risks of a publicized breach. Consumers alerted to a breach can also take measures to prevent or mitigate identity theft, such as monitoring their credit card statements and credit reports. At the same time, breach notification requirements carry costs, such as the expense of developing incident response plans and of identifying and notifying affected individuals. Further, an overly broad requirement could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard notices altogether.
The introduction of employees’ personal computing devices into the workplace opens the corporate network to vulnerabilities that previously did not exist. Known as BYOD (Bring Your Own Device), this practice lets employees use their own smartphone, tablet or even personal laptop for corporate tasks. While the arrangement can be justified depending on the deliverables, it adds unnecessary complexity and loopholes to an otherwise secure and hardened network.
The best way to mitigate BYOD risk is to make device encryption an absolute prerequisite before a device is allowed to connect to the network. Strong encryption limits how much an unauthorized user holding an unknown device can reach on the network.
Alongside that, hardware tokens such as OATH tokens, Google Authenticator and similar technologies reduce the chance of an authorized account being taken over by an unknown party. The token serves as a secondary authentication mechanism for the corporate system: only someone who physically possesses the token and also knows the password is granted access.
It will take a while to reverse the current trend, perhaps only once all the companies that are big enough yet lax enough for hackers to profit at their expense have been hacked. Then many will be afraid enough to push for a more secure world.