Category: Security

Security

  • 5 Key takeaways from Marriott’s massive data breach

    5 Key takeaways from Marriott’s massive data breach

    In November 2018, global hotel chain Marriott disclosed one of the biggest data breaches of all time where the records of half a billion customers were stolen. The misappropriated data included personally identifiable information, payment card details, and passport numbers. Aside from the immense scope of the attack, what also made it so notable was the fact that Marriott took three months to disclose the breach. Here’s what business owners in Atwater should learn from the event:

    #1. Don’t be fooled again
    Shortly following its acquisition by Marriott in 2015, Starwood reported a relatively minor data breach that targeted its point-of-sale systems used in various shops and restaurants. Although it remains unknown whether the two breaches were connected, what it does demonstrate is that victims of cybercrime can be targeted more than once.

    Hackers often target the same companies because they know them to be easy targets. However, some smaller attacks are actually carried out as smokescreens to draw attention away from more severe breaches.

    #2. Traditional security measures still play a role
    One of the first things you often hear from technology vendors and cybersecurity experts (including us!) after a severe breach is that victims should hurry to modernize their security infrastructures. That’s usually good advice considering how often hackers rely on exploiting old or unsupported systems. However, this doesn’t tell the whole story.

    A primarily proactive approach towards information security should still be accompanied by more traditional, reactive measures. Although things like training and next-generation antivirus are critical, conventional firewalls still play a role.

    #3. Mergers and acquisitions present serious technical challenges
    Mergers and acquisitions come with enormous technical challenges. These bring together two starkly different infrastructures, which inevitably creates incompatibility issues and information silos. During the process, security often ends up being compromised.

    For example, following the $13 billion purchase of Starwood, Marriott found itself needing to merge disparate reservation systems and loyalty programs with data stored in multiple databases. That’s why data migrations, whether large or small, need proper planning and expert guidance.

    #4. Encryption keys should always be kept away from encrypted data
    The precise number of records compromised in the Marriott data breach remains unknown to this day, and the estimate has been revised several times. The main reason for this is that the hackers encrypted the data they gained access to before exfiltrating it, so Marriott’s data loss prevention system couldn’t inspect the outgoing traffic, which made it extremely difficult to identify which records had been stolen. To guard against such incidents, it’s necessary to store encryption keys on a network separate from the data itself.

    #5. Rapid detection and response planning are critical
    Because of the catastrophic data breach of 2018 and its failure to disclose it immediately, Marriott is now facing multiple class-action lawsuits. Breach notification laws require that companies disclose incidents within a given time frame, which is typically 45 days. They are also legally obligated to maintain an up-to-date and documented security policy and to take all reasonable precautions to protect customer data in the first place.

    In the end, the Marriott data breach should serve as a wake-up call to every organization, regardless of its size or industry, that a multilayered approach to information security is essential in this day and age. Everything from preventative measures to response procedures and 24/7 monitoring solutions should be included.

    Valley Techlogic serves businesses in Central California with dependable technology advice and solutions that help boost information security, enhance scalability, and reduce risk. Call us today to get the support you need.

  • 5 Common causes of data breaches and how to stop them

    5 Common causes of data breaches and how to stop them

    Although data breach reporting dropped by 59% during the first half of 2018 in California, no business can afford to be complacent when it comes to cybersecurity. Everyone’s a potential target, and cybercrime continues to rise.

    To protect your organization, you’ll need to identify the common causes of data breaches and how they can affect your operations. Here are the most common threats you need to watch out for:

    #1. Human error

    Human error is still the prevailing cause of data breaches, even though technology is usually the first to get the blame. Many people have developed poor security habits that put businesses at risk. For example, a lot of people don’t even use a PIN code to protect their smartphones, while others use easily guessable passwords or fail to lock their screens when they leave their desk.

    Such habits are akin to leaving the door to your home wide open when you go on holiday. The only effective way to combat human error is to conduct ongoing security awareness training programs that help people understand that information security is everyone’s responsibility.

    #2. Outdated systems

    The cyberthreat landscape is constantly evolving. Hardware manufacturers and software developers are fighting an ongoing battle to be one step ahead by releasing regular security updates for their products.

    That means you should always be running the latest version of every operating system, firmware, and application connected to your corporate network. Use automated patch management to keep everything up to date and immediately identify devices that are no longer supported. Any software or hardware that’s reached the end of its support life cycle should be retired as soon as possible, since the original manufacturer won’t be releasing any more critical security updates for it.

    #3. Malware

    Malicious software, or malware, refers to any kind of malicious code, such as computer viruses or ransomware. Malware comes in many different forms, from the mildly annoying to the highly dangerous.

    Signature-based detection methods like conventional antivirus software will help protect IT systems, but their signature databases must be kept up to date so they can recognize newly catalogued threats. Even then, signature-based detection is not enough to protect against zero-day exploits, malicious code injection, and a variety of other threats that have no signature yet. To prevent malware infection, businesses need to implement comprehensive scanning that identifies potentially suspicious behavior, not just known threats.

    #4. Social engineering

    Most cybercriminals aren’t actually hackers staring for hours on end at unintelligible lines of code. Rather, they’re looking to build your trust by masquerading as legitimate businesses or your fellow employees. These social engineering scams hope to dupe victims into giving away confidential information.

    Usually, there’s no specialized technology involved — scammers use the same platforms as everyone else, with the most popular mediums being email and social media. Sometimes, fraudsters even use physical means like dropping infected USB drives to trick an unwitting employee into using them in order to infiltrate a computer. It’s a lot harder to protect against these threats through technological controls alone, so the only real way to stop them is to train your employees to be more cognizant of them.

    #5. Physical theft

    It has become commonplace to use mobile devices in the workplace and for employees to bring their work laptops home with them, making physical theft a more serious problem than ever before. But far worse than losing the device is a thief gaining access to all the data stored on it.

    Although there are ways to minimize the risk of theft, ensuring data safety is still more crucial. That’s why every device used for work should be encrypted and protected with multifactor authentication. Just for good measure, administrators should be able to remotely wipe lost or stolen devices, too.

    Valley Techlogic provides information security services that help organizations in Atwater, Merced, and Winton protect their most valuable assets and use modern technology with confidence. Call today for support.

  • What does the California data breach notification law mean to your business?

    What does the California data breach notification law mean to your business?

    California has long had some of the toughest data breach notification laws in the country and, in 2018, attorney general Xavier Becerra announced a new law to address certain limitations of the original SB 1368 bill that went into force in July 2003.

    The new legislation expands on existing laws to add requirements for organizations to notify their customers if their passports, ID numbers, or biometric data are stolen. It aims to close various loopholes in current legislation, and was partly enacted in response to enormous data breaches such as the Marriott hotel chain breach, in which 383 million records were stolen.

    It shouldn’t come as any surprise that businesses in California are facing constant threats from hackers and other malicious actors. Being home to Silicon Valley, the state has long been a leader in information security legislation. Many states have followed a similar model, but for organizations based in or with branches in California, the new laws place very specific requirements on data breach notification.

    The primary measures companies need to take are to report data breaches within 72 hours of them being identified, verify that personally identifiable information (PII) was adequately encrypted at the time, and provide detailed reports for legal and auditing proceedings. Although the introduction of the law was greeted with some hostility, particularly by technology companies, it will come into effect at the end of 2020.

    What else does the new law stipulate?

    The consumer-focused law aims to make it harder for hackers to get their hands on private data while also forcing organizations to be more transparent about how they collect data and what they do with it. To that end, businesses must disclose precisely which information they will collect and specify why they need it and what they intend to do with it.

    If a business wishes to send the data to third parties, they’re also legally obligated to specify who those third parties are. Furthermore, businesses will have to allow their customers to opt out of their data being sold to third parties, and they cannot retaliate by changing the pricing or level of service. They can, however, offer financial incentives to collect data.

    In many ways, the new data-protection laws mirror the General Data Protection Regulation (GDPR), which was introduced in the European Union last year and enforces strict practices on the collection and use of data. While many businesses struggle to overcome compliance challenges, it’s more important than ever to stay a step ahead.

    Information privacy and security are now some of the biggest concerns of modern times, so it’s only to be expected that the introduction of legislation such as SB 1368 will soon be mirrored across other states and countries. As cyberthreats continue to evolve, compliance is only going to get harder, hence the need for a more proactive approach.

    Why your business needs a compliance strategy

    Overcoming compliance hurdles isn’t easy, but it does help protect both your customers’ data and, consequently, your brand’s reputation. By adopting a culture of continuous improvement with regular security and compliance audits, your business will be better placed to stay ahead of both cyberthreats and legislative changes alike.

    It’s essential to have a compliance strategy: a clearly defined process that incorporates crucial factors like ongoing security awareness training, compliance auditing, and multiple layers of protection. Above all, it requires a culture change, one in which information security and privacy are considered business advantages rather than just a necessary evil.

    Valley Techlogic provides network security services and compliance advice to organizations in Winton, Merced, and Atwater. Call us today for immediate support.