Cyber attacks on Companies in 2017?
The aim is not to alarm anyone, but simply to echo a report published by the UK information management and analysis company Experian. It is the Fourth Annual 2017 Data Breach Industry Forecast, and it sets out the main security gaps that we will see in the business environment in 2017.
The cyber attacks of 2017
The main cyber attacks that industries will suffer at the international level in 2017 will be:
Theft of user passwords: The consequences of the theft of such credentials can affect companies even years after the event occurs.
We have seen examples of this type of attack at big companies like Yahoo! or LinkedIn, where thousands of users have suffered the theft of their accounts.
Cyber attacks will be directed against specific infrastructure: States are behind many cyber attacks, and their objective is no longer simple espionage against another State but an attack on that State that affects the country's main industries. The electrical and consumer goods industries may be in focus. A cyber attack could disrupt their service, with serious consequences for users, who could claim damages from the companies. In November 2016 we witnessed how the Mirai malware affected 900,000 Deutsche Telekom users in Germany, who were left for three days without fixed telephony, internet and online television.
Theft of users' personal data: healthcare organizations and the insurance companies in the sector are in focus. Moving from paper files to online files makes this data easier to access.
Attacks on payment transactions for small and medium-sized enterprises: The fact that many of these companies do not adopt adequate security measures for their payment methods makes them a clear target for cyber criminals.
“Phishing”: The main target of this practice will be individuals, more than the computer systems of the industries. For this reason, it will be necessary to inform workers in the industries about the risks involved in their activity and the security measures they must take in their work.
Are companies prepared to avoid these cyber attacks?
Most of these cyber attacks aim to steal information that must be subject to special protection in the company, through the security measures appropriate to each sector.
Among the regulations to be taken into account for the protection of the data held by companies is Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data. Spanish companies must also apply Organic Law 15/1999, of December 13, on the Protection of Personal Data.
Article 9 of the Law on Protection of Personal Data provides that the party responsible for the file and, where appropriate, the data processor “shall adopt the necessary technical and organizational measures to ensure the security of personal data and prevent its unauthorized alteration, loss, processing or access, taking into account the state of the technology, the nature of the data stored and the risks to which they are exposed, whether arising from human action or from the physical or natural environment.”
The security measures to be applied when a company processes personal data of natural persons are set out in the implementing Regulation of Organic Law 15/1999, of December 13.
Among the concrete measures to be taken to avoid a cyber attack and the consequences of a loss of information are:
- Set a login user code and password for the server.
- Set individual user codes and passwords for access to the operating system. A secure password must be chosen.
- Periodic expiration of passwords: passwords must be changed periodically. At most they will be used for one year.
- Passwords must be stored unintelligibly.
- Backups must be made at least every week and checked periodically. If, according to the personal data processed in the company, a high level of protection must be applied, two backups must be made, one in the data processing room and another outside. An online copy on a remote server is preferable.
- A record of any incidents must be kept.
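As an added illustration of three of the measures above (passwords stored unintelligibly, passwords used for one year at most, and weekly backups), the following Python example is not taken from the report or the regulation. The PBKDF2 work factor, user names, dates and record layout are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

ITERATIONS = 600_000                    # PBKDF2 work factor (assumed value)
MAX_PASSWORD_AGE = timedelta(days=365)  # passwords used for one year at most
MAX_BACKUP_AGE = timedelta(days=7)      # backups at least every week


def new_record(password, changed_on):
    """Store a random salt and a derived key, never the password itself."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "key": key, "changed_on": changed_on}


def verify(record, candidate):
    """Re-derive the key from the candidate and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(key, record["key"])


def audit(users, last_backup, today):
    """Return findings for expired passwords and an overdue backup."""
    findings = []
    for name in sorted(users):
        if today - users[name]["changed_on"] > MAX_PASSWORD_AGE:
            findings.append(f"{name}: password older than one year")
    if today - last_backup > MAX_BACKUP_AGE:
        findings.append("backup: last copy older than one week")
    return findings


# Constructed sample data (hypothetical users and dates).
TODAY = date(2017, 3, 1)
USERS = {
    "ana": new_record("correct horse battery staple", date(2016, 9, 1)),
    "luis": new_record("Tr0ub4dor&3", date(2016, 2, 1)),
}
LAST_BACKUP = date(2017, 2, 20)

if __name__ == "__main__":
    for finding in audit(USERS, LAST_BACKUP, TODAY):
        print(finding)
```

Each finding would also belong in the record of incidents that the last measure calls for.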
Obviously, in addition to these measures to prevent the theft of the personal data handled in the company, it is necessary to install a good antivirus if we want to avoid an attack on the computer equipment.
Security in SMEs
As the report mentioned above indicates, attacks on payment transactions in small and medium-sized enterprises will become more common.
Being aware of security vulnerabilities is perhaps more difficult for small and medium-sized businesses. To end this situation, the National Institute of Cybersecurity (Incibe) has created a video game whose aim is to teach SMEs to detect their vulnerabilities and the importance of protecting themselves to avoid a theft of information.
The protagonist of “Hackend: The game is over” is a small entrepreneur who faces several real day-to-day situations of an SME, such as the preparation of a budget, the use of e-mail or the presentation of a product at a congress. In the video game the company will be the victim of several of the attacks mentioned above (theft of customer data, access to the computer system without permission, undue charges in the bank account), and the player must identify what has failed in the company and what measures must be taken to avoid these cyber attacks.
Knowing in advance the cyber attacks to which companies are exposed, it will be necessary to take the appropriate security measures to avoid greater harm.