Safeguarding sensitive data is the best customer service you can give. A former FBI agent shares how to do it.
If your business handles personally identifiable information, public health information, and/or payment card industry data, your most important job is safeguarding it. Above anything else, that’s what you’ll be remembered for should there be a significant breach.
“Those are the crown jewels of an organization, their customers’ information,” said Jeff Lanza, who retired after 20 years as an FBI special agent and provides talks on cybersecurity and identity for organizations nationwide. “If you’re not doing everything you can to protect that, you’re failing at job No. 1.”
Most breaches stem from an employee doing something they shouldn’t, wittingly or unwittingly. Most of the time, they mean no harm: they are taken in by a phishing email and click without thinking. Before they know it, they have let malware inside the company’s network.
Criminals will either hack into the email account of someone higher up in the organization or spoof that person’s address, pretending to be them but with slight alterations in the domain name. If you don’t look closely, you might not notice it’s a fake until it’s too late.
“The hackers are trying to make you use emotion to make decisions rather than common sense,” Lanza said, “because when you make emotional decisions, a common theme is you can’t assess risk and you’re not taking steps necessary to prevent what may be a problem.”
On the IT side, professionals can mistakenly leave open ports that are vulnerable to hackers. Sometimes, something as simple as not installing software updates gives hackers an opening, as occurred in the 2017 Equifax breach.
With dispersed teams working from all sorts of places that are not the office, it’s vital to take cybersecurity measures wherever important information is accessible. People working at home need an encrypted network with WPA2 or a stronger protocol and a strong password.
“Not the default password that comes with the router,” Lanza said. “That needs to be changed to something strong, at least eight characters, preferably longer, with some complexity to it.”
In the Internet of Things era, that vigilance needs to extend to other connected devices in the home, things like Wi-Fi refrigerators and thermostats that access the home network.
For anyone working in public spaces such as coffee shops and airports, a VPN is absolutely necessary, he said.
“Public Wi-Fi networks, even if they’re protected with a password, are not secure.”
The Threat of Ransomware
A particularly pernicious cybersecurity threat is ransomware. When it first emerged, hackers would lock an organization’s files and demand a ransom to decrypt them and turn them back over. Faced with the prospect of paying up or rebuilding their entire systems and databases, many organizations paid up.
As companies smartened up and created air-gapped backups they could turn to, hackers grew more sophisticated. They began targeting the backups, hacking into systems, and deleting or encrypting backup files before launching ransomware attacks. Companies that planned on resorting to their backups in the event of an attack would discover to their horror that the backups weren’t there.
The next iteration of ransomware attacks was the threat of releasing sensitive information publicly unless the organization paid a ransom.
“That could be personally identifiable information, including social security numbers,” Lanza said. “They attack schools a lot because students’ information is very sensitive. Parents would go crazy if they thought their kids were going to have all their personal information out there.”
They target hospitals that have patient health information and where having computer systems down can be a matter of life and death. Another lucrative target is proprietary information, things organizations wouldn’t want competitors or the public to know about.
Since many of these hackers live in countries that don’t have extradition treaties with the U.S. or wouldn’t extradite cyber criminals, there’s little chance of catching and incarcerating them. In some instances, such as the 2021 Colonial Pipeline hack, the FBI can identify the hackers and recover some or all of the ransom.
The only real deterrence is for companies to take steps to protect themselves. In the event a ransomware attack does occur, companies should first shut everything down ASAP to contain the breach, bring in their IT professionals, and if necessary contact law enforcement.
While most instances of employees inducing breaches are mistakes, sometimes hackers work with someone on the inside. Conducting thorough background checks on new hires can ward some of that off, but it’s much more useful to take a zero-trust cybersecurity approach.
“The most important thing when it comes to information – this applies to not just computer crime, but identity theft and national security information for companies that deal with that – is compartmentalizing,” Lanza said. “No one should have access to information, either physically or on the computer, unless they absolutely need it to do their job.”
The more people that have access to sensitive information, the more vulnerabilities you have. That lesson was painfully borne out in the 2013 Target data breach when hackers got in through an HVAC company that had remote access to Target’s network. Striking during the busy holiday season, the hackers stole 40 million credit and debit records and 70 million customer records. The zero-trust philosophy needs to extend to third-party vendors as well as employees.
If your organization wants to pride itself on customer service, protecting customers’ sensitive data is job No. 1.