Complex Made Simple

Yahoo hack: How to protect yourself from attack

Verizon Communications declared that 3 billion Yahoo accounts had been hacked instead of a billion ones, now that they acquired the giant search engine and closely looked at the damage.

Yahoo is not the only company to have experienced such an attack. Last year witnessed some of the worst security breaches in history, with a rising number of attacks on big firms and public organisations, including Tumblr and LinkedIn among others.

Accountancy firm Deloitte, which has been the latest target of a cyberattack, admitted that the attack might have compromised confidential emails and plans of some of its blue-chip clients. That is the second recent major cyberattack targeting major enterprises.

Earlier in September, over 143 million customer accounts at Equifax, the U.S. credit monitoring agency, had either been accessed or tampered.

Read: Cyber attacks: 7 key things businesses need to know

 Why Is It Important to Prevent Such Attacks?

It is highly important to prevent such attacks as they cost trillions of dollars, according to Security firm Cybersecurity Ventures, which predicts that global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion annually by 2021.

In an attempt to reduce and prevent such incidents, KMPG provides the following five basic steps that should be implemented by companies.

One: Back up Your Data Regularly

Employees should be encouraged to frequently back up their data throughout the year. The implementation of regular back-ups ensures that critical data will not lost in the event of a cyberattack.

Two: Look out for Red Flags

With UK phishing scams rising 20 percent per year, employees should be trained to keep a watchful eye on such harmful emails. While email providers and antivirus vendors are continually improving their detection procedures to spot these potential threats at an early stage, some of the trickier scams can still find their way into the inbox. These emails may be disguised as a trusted client’s email or a recognisable brand, but will tend to have a few dead giveaways.

Three: Change Passwords Frequently

Once a cybercriminal has access to a corporate password, he/she has free rein to do as they please. It is mandatory that employees change their passwords on a regular basis and that they do not use the same password for multiple accounts.

Four: Control the Paper Trail

Even with the best security measures in place, companies can still be exposed to threats through employee negligence. For example, an employee might leave a printout of a sensitive document or a device full of confidential data in a public place. The issue can be addressed by fostering a corporate culture that strongly emphasises the proper disposal of paper-based documents and encryption of removable and mobile devices.

Five: Avoid Disclosure of Sensitive Information over the Phone

Most people have heard of phishing, but many companies are still not aware of another worrying phenomenon – vishing. Vishing is the act of using the telephone in an attempt to scam the user into surrendering private information, which can later on be used for identity theft. The solution to dealing with vishing is simple awareness. Employees should be encouraged to put the phone down on any caller, if they have any doubts about his/her identity. They should also refrain from giving out PIN numbers, web passwords, credit card details and addresses over the phone.

Read: Deloitte cyber attacks spread fears among blue chip businesses

Action That Can Be Taken

According to Hart, companies need to understand that being breached is not a question of “if,” but “when.”

“Just because breaches are inevitable does not mean that action cannot be taken. Doing so requires a data-centric view of threats, in which the value of data is essentially made useless to hackers, which entails a better identity and access control techniques, foremost, multi-factor authentication, as well as the use of encryption and key management to secure sensitive data,” he said. “Unfortunately, only 4 per cent of breaches have been “Secure Breaches”, in which encryption was used to render the stolen data useless,” he added.

Meanwhile, Steven Malone, Director of Security Product Management at Mimecast, said that, while Yahoo was predominantly used by consumers, businesses should be mindful that if they did not require regular password changes, it was likely that many users would have re-used their Yahoo e-mail password in the workplace.

“Password re-use opens up critical business systems like Outlook Web Access to attackers, and once they have access to an internal mailbox, it is trivial to phish internally and escalate privileges on the network. Organisations must look to implement Multi-Factor Authentication (MFA) on any business system exposed to the internet, in line with their broader cyber resilience strategy of protect, continue and recover.”

Read: At least 1 in 3 will be hacked in 2017: cyber attacks on the rise