Data Breach Report A Sharp Reminder of GDPR
The findings of Verizon’s 2019 Data Breach Investigations Report have reminded companies that let customer information go astray that they could be facing big fines and damaging publicity.
The annual Verizon Data Breach Investigations Report (DBIR) draws upon information gained from more than 2,000 confirmed breaches that hit organisations worldwide, and information about more than 40,000 incidents such as spam and malware campaigns and web attacks.
The report reminds companies that although personal data can be stolen in seconds, the effects can be serious and can last for a long time. In addition to the problems experienced by those whose data has been stolen (who may then be targeted by other cyber-criminals as the data is shared or sold), the company responsible for the breach can, under GDPR, face fines amounting to 4 percent of their global revenues if it has been judged to have not done enough to protect personal data or clean up after a breach.
Senior Staff Hit Because of Access Rights
It appears that senior staff are a favourite target of cybercriminals at the current time. This is likely to be because of the high-level access that can be exploited if criminals are able to steal the credentials of executives. Also, once stolen, a senior executive’s account could be used to e.g. request and authorise payments to criminal accounts. The report also highlights the fact that senior executives are particularly vulnerable to attack when on their mobile devices.
Booby Trap Emails Less Successful
The report also states how sending booby-trapped emails (emails with malicious links) is proving to be less successful for cyber-criminals now with only 3 per cent of those targeted falling victim, and a click rate of only 12 per cent.
What Does This Mean For Your Business?
The report is a reminder that paying attention to GDPR compliance should still be a very serious issue that’s given priority and backing from the top within companies, as one data breach could have very serious consequences for the entire company.
Senior executives need to ensure that there is a clear verification and authorisation/checking procedure in place that all accounts/finance department staff are aware of when it comes to asking for substantial payments to be sent, even if the request appears to come from the senior executives themselves via their personal email. Obtaining the credentials of senior executives can also mean that cyber-criminals can operate man-in-the-middle attacks.
Executives and staff need to be aware that if a high-level email address has been compromised the first thing they may know about it is when funds are taken, so cyber-security training, awareness and policies need to be communicated and carried with all staff, right up to the top level.
The low level of booby trap emails being successfully deployed could be a sign that businesses are getting the message about email-based threats, or it could be that criminals are focusing their attention elsewhere.