Nowadays, it seems like barely a week goes by without a company having to report it has experienced a serious cyberattack against its business. In the last two months alone, both low-cost airline group easyJet and accessory retailer Claire’s were among those hitting the headlines. In both incidents, customer data was breached and credit card details were stolen, with the easyJet attack affecting nine million people, while the attack on Claire’s lasted a whole month. With much of society conducting almost all aspects of their lives online in the current climate, this is a worrying trend.
However, the frequency with which these incidents appear to be taking place is causing many consumers to become desensitized to them. In fact, there is a growing belief among consumers that their data will eventually be breached, but this is paired with the expectation that organizations, such as banks, retailers and travel companies, will ultimately have the protections in place to safeguard that data. And, if their details do get leaked, there’s an expectation that through credit card protections or regulatory insurance, the consumer will be protected (reimbursed) from the financial losses when the loss is through no fault of their own. With consumers now using a growing range of online services, from banking to grocery shopping, arguably more so now due to the Covid-19 pandemic, they are increasingly expecting businesses to protect them and their data. In fact, 72 percent of consumers believe businesses, not governments, are best equipped to do this. Consequently, organizations need to do more to protect consumers’ data and give them the peace of mind that even if they do suffer an attack, they won’t be personally impacted. Key to this is proactive monitoring.
Proactive brand monitoring
If brands are to protect their business and customers against the threat of cyberattacks, it’s vital they understand where their vulnerabilities lie and where threats may be coming from. Organizations may find that their brand is being misused for phishing, targeting consumers with malware or even pay-per-click (PPC) activity, for example. Getting ahead and identifying any weak spots early in a brand’s online presence will in turn allow organizations to gain a comprehensive view of any vulnerabilities and create an awareness of the types of threats they are facing before they can happen. This approach could indicate whether an attack is in the works or impending and will allow businesses to take the necessary precautions to protect their organization and consumer data.
As part of this, it’s essential that businesses monitor all the different avenues through which threats could arise, such as the Dark Web and other online platforms, so they can understand whether and how their brand is being misused and take action. For example, by using a Dark Web monitoring service, businesses will be able to see whether their IP address has been listed for sale, which would indicate that they may be vulnerable to being hacked or compromised. In such cases, the business can take the action of sandboxing the server, as it could be the way that threat actors get in the door.
If organizations fail to take this proactive approach to identifying new cybersecurity problems, then they are unlikely to have any idea about where threats lie and how best to protect themselves when these problems become apparent. If they aren’t proactively monitoring and their customer data is put at risk, their credibility and consumer trust in the brand could be at stake.
Not only must businesses be proactive in monitoring for threats, but they must also educate their employees to ensure they can recognize the different types of threats they may be susceptible to and how they can escalate. Malicious emails are one of the most prevalent threats for businesses, with small businesses receiving an average of one malicious email in every 323 sent and 76 percent of businesses reporting that they were a victim of a phishing attack in 2018. Unfortunately, employee-targeted phishing scams are often the gateway to Advanced Persistent Threat (APT) attacks, which can lead to businesses being infiltrated by malware to steal intellectual property, including customer data.
To better protect themselves, organizations should increase awareness of how different individuals may be targeted, such as accounts payable being targeted by scams that impersonate senior executives asking for money transfers. Meanwhile, payroll employees may be asked for tax records, which contain a lot of personal information about employees, and HR may receive PDFs disguised as CVs that actually contain malware. Such attacks are designed to infiltrate the network undetected, instead taking data from organizations little by little, and don’t initially look like a data breach.
Businesses need to get one step ahead of attackers by educating employees to recognize phishing attacks and threats and the different avenues hackers could take. This should include introducing processes so that employees know how to check if emails are coming from a legitimate source. In the unfortunate situation where an attack is successful, as a best practice, businesses should proactively establish protocols and put resources in place to be able to deal with a data breach when it happens.
A path to better consumer protection
Ultimately, with so many companies asking consumers to store their credit card details with them in order to make the process of purchasing items as quick and simple as possible, the trade-off has to be that organizations do all they can to keep that information safe. It is only by taking a proactive approach to cybersecurity, whereby they educate employees, introduce new protocols, and monitor their brand for threats, that they will be best able to protect both their business and consumers.
Stefanie Wood Ellis, AntiFraud Product & Marketing Director, OpSec Security