Where’s your data at?
Before GDPR is law, the man (or lady) on the street should really start paying a lot more attention to who has their data, what data they have and what they can do to protect themselves. Over the pond, Gallup asked Americans what worried them. 38% said having their car nicked or broken into. 67% were anxious about having their personal info stolen.
There’s a scary irony there too. 71% of American businesses had at least one data breach in the last 12 months. Yet, 87% are sure they have their data on lock down, according to SolarWinds.
This false sense of security (ha ha) highlights how business defence against cyber crime is just not close to being good enough. There are no excuses.
People have been warning about attacks for years. It’s unlikely someone could have predicted the impact of something like WannaCry. I’m sure you remember how it devastated systems here in the UK as well as the rest of the world. But there is one chap, Sergeant Mark Varnau from San Diego, who thinks he can predict the next attack targets. Amazingly, he thinks the cloud is next. Like, no way, man! What else can you possibly predict? That in the summer it will be warmer than the winter? Holy moly!
It all started because some group called the Anti-Phishing Working Group said that in H1 there was an increase in phishing attacks on Cloud Storage, File Hosting and Logistics and Shipping, according to a rather tedious “Phishing Activity Trends Report” for H1 2017. The attacks are being run by gangs who are trying to hit both the aforementioned man (or lady) on the street.
Ever with their finger on the pulse, the FBI released a press release in October 2017 called “FBI Tech Tuesday – Building a Digital Defense Against Cloud Computing Dangers”. A bit late maybe, but well done for trying, nonetheless. Guess what concerns the public have. Go on. Guess. That’s right, losing their data and someone stealing their data. Usefully, the Feds have suggested cloud companies ask themselves these questions so they can work out their weaknesses.
Does your cloud service provider have adequate backups and redundancies? Does your provider have adequate logging? Does your provider have a DDoS mitigation plan? Are strong password requirements enforced? Do they have two-factor authentication? Do your employees know what a phishing attack looks like? Is your data encrypted at rest and in transit?
All really obvious stuff that should be being taught in schools, rather than pushed out as a PR thing for the FBI…
The real issue, however, isn’t bad password management, but human error. People oversharing on Facebook or letting themselves be part of a man-in-the-middle Wi-Fi attack.
How to fix it? Who knows. Hire people that know about security, right? Hmm, not so easy. Last year in Americaland 30,000 information security jobs went unfilled. This is predicted to become a worldwide shortage of 2 million jobs by 2019.
So what can people do? Get training, or train themselves. Ask better questions. And ultimately, don’t be stupid.