Cyberattacks are not going anywhere soon. The risk of a data breach has been steadily increasing for businesses over the past decade. In fact, in Q3 of 2021, there were more data breaches caused by cyber attacks than there were total breaches in 2020.
These dynamic and new threats are coming up constantly. According to the 2021 Business Aftermath Findings:
* 58% of small businesses have been impacted by at least one data breach or one security breach.
* 45% of small businesses spend between $250,000 and $500,000 to cover the cost of a breach.
* 15% had to reduce their headcount to cut expenses following the breach.
As a business, it’s imperative to have an awareness of the recent breaches and learn how to protect your company from malicious actors and other threats.
The Accellion Breach
This breach led to personal data from universities, governments, and multiple global companies, law firms, and banks being exposed and exploited.
The breach was a result of a vulnerability in an outdated product that the tech company Accellion had not yet retired. Although they had advised their clients to stop using it and migrate to a new system, a lot of companies failed to do so.
Malicious actors were able to haul out personal and sensitive information like patient medical records, numbers, diagnoses, identifying information, and credit card details. The hackers threatened to make that information available on the internet if the affected company did not pay them. Wired Magazine described the fallout as an extortion spree.
- Companies should practice ongoing evaluations of their third-party providers. Avoid settling for what has worked in the past.
- If your third-party provider is requesting that you update to a newer, more secure system, they’re probably saying that for a reason. Heed their warning!
- Use contracts to protect your company. Be sure your contract lays out your expectations with respect to how you want your data to be used and protected.
- Require that the vendor indemnifies you in the event they experience a breach. Note that this will not mitigate any harm to your reputation in case of a breach.
- Embed requirements and routine audits in your contracts.
The Colonial Pipeline Attack
Malicious actors gained access to the Colonial Pipeline network via a retired VPN (Virtual Private Network) that hadn’t been closed down. Not having multi-factor authentication requirements, malicious actors were able to gain access by using an employee’s stolen credentials. The hackers then sent a ransom note demanding payment.
- Businesses should always implement multi-factor authentication for important logins.
- Remove access whenever an outdated or abandoned software platform or any system has access to your network.
- Network segregation and segmentation is so important. You should limit the access each individual user has to your networks and limit the amount of information being stored on individual networks.
If you want to learn more about lessons from the recent data breaches, check out https://cgl-llp.com/podcasts/cgl039.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.