BreachExchange mailing list archives

FBI Says Hack Attacks Easy to Prevent


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 5 Feb 2015 18:19:22 -0700

http://www.pymnts.com/news/2015/fbi-says-hack-attacks-easy-to-prevent/#.VNO2_p3F-So

At a point when data security and fraud protection are becoming more
important issues for retailers after a recent spate of high-profile data
breaches and new hearings on the issue in Washington, FBI investigators
have discovered that over 90 percent of the data breaches reported to the
agency were entirely avoidable had businesses taken adequate steps to
protect sensitive information.

At the Online Trust Alliance’s Data Privacy and Protection Town Hall in New
York City, FBI Special Agent George Schultzel revealed that companies had
“little to no security whatsoever” in 90 to 95 percent of the breaches that
the agency handled, and that they were the victims of hackers striking out
of “convenience.” At the meeting, Schultzel made recommendations that
companies begin to draft and implement security plans to prevent easy
hacking in the future, and to feel comfortable coming to regulators with
questions or concerns regarding implementation.

One suggested method is to use educational programs to warn about different
ways hackers can access data, specifically spear-phishing campaigns that
enable hackers to access data through encrypted emails containing malware.
Other methods include increasing the use of data encryption as well as
minimizing the amount of data a company has stored on file. One example,
cited by panelist Clark Russell, deputy chief of the Internet Bureau at the
office of the New York attorney general, was of a hacked company that
reported a breach involving hundreds of Social Security numbers that the
company had not needed in more than a year.

Most panelists, including Schultzel and Russell, also see regulatory reform
as a possible means of ensuring that companies report breaches and security
concerns in a timely manner. One bill in New York would include “safe
harbor” protection for companies to report hacks, which would emphasize the
point that the FBI doesn’t treat “victims like anything other than
victims,” according to Schultzel. Additional incentives could also be used
to emphasize the importance of security as a priority among businesses
handling large amounts of sensitive data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
