The year began with a report of a massive data dump containing more than two billion records of user credentials, sourced from thousands of online breaches and leaks over the years. The collection, known as “Collection #1”, included usernames and passwords in plain text as well as sensitive documents, amounting to 87GB in all. It had reportedly been available for download since the last week of December and was actively traded in hacking forums. According to some reports, more sets of data will be posted and sold online, each containing more individual credentials and sensitive information than the first. Collection #1 has since been taken down, but for many of the people whose data it contains, the ramifications of the dump are only beginning.
Collection #1 alone contains more than 700 million unique email addresses and more than 21 million dehashed passwords (hashes that have already been cracked back to plain text). With that much data available for malicious use, online misdeeds can spill over into offline crime. Anyone who reuses the same credentials across accounts is exposed by Collection #1 by itself: a password leaked from one service is simply replayed against every other service the victim uses. From socially engineered attacks such as phishing and fraud to identity theft and blackmail, the losses to individuals and even organizations compound. Businesses that suffer breaches not only risk fines under the GDPR and other national laws but can also lose their customers’ trust, revenue, and reputation. Individuals can be targeted for scams and cyberattacks, and may curtail their subsequent online activity because they no longer feel secure.
With the growing availability of technology that keeps people online and connected 24/7, creating large digital footprints and data stores, cybercriminals’ attack surface grows as well. Both users and enterprises must therefore prioritize online privacy and data security.
Enterprises remain cybercriminals’ foremost target because they offer the largest potential profit. A single breach of an enterprise system can open a treasure trove of data: in-house servers, proprietary information, company assets, third-party suppliers, and client records. Here are some practices and principles for enterprises to protect their data and the privacy of their users or customers:
Implement cybersecurity policies and procedures that everyone in the company understands. For example, require that employees’ personal devices connect only to a dedicated BYOD network, or that only company-issued devices are used for remote work. Conduct cybersecurity awareness programs to ensure compliance.
Provide a VPN (virtual private network) for employees who need remote access to company assets. This gives them an additional layer of protection as they reach company servers from outside the office. Require two-factor authentication on the VPN and on remote-access accounts, so that a stolen password alone, such as one found in a dump like Collection #1, is not enough to get in.
Practice network segmentation and data categorization, and install firewalls. Network segmentation means assigning different networks to different functions or device types (for example, keeping the BYOD network apart from the segment that hosts servers). It gives IT administrators better visibility into the components and traffic of each segment and lets them protect, isolate, or rebuild a segment when necessary, so that an intruder who lands in one segment cannot move freely into the others. Data categorization means classifying datasets from low value to high value and restricting which personnel and officers have access to each level. It also helps the organization decide which datasets need additional layers of protection to minimize damage in the event of an intrusion. The firewall is a typical first layer of protection: it sits at the boundary between the network and external systems and inspects the traffic passing through, rejecting malicious or unwanted connections according to rules preconfigured by the administrators.
Practice data minimization, the principle of gathering only the data needed to fulfill a specific purpose. Companies should collect and process the least amount of customer information possible and store or archive it only for a specified period. Regular backups following the 3-2-1 rule (three copies of the data, on two different media, with one copy kept off-site) are still recommended, but data minimization reduces what there is to protect: storage becomes more efficient, the data on hand is easier to protect, manage, and organize, and there is less for an attacker to take.
Include security principles such as privacy by design in the early stages of projects or product development. Privacy by design means security is built in from conception through implementation, with the protection of digital assets prioritized and privacy set as the default, whether personal data is handled internally or externally. Pseudonymization, which replaces direct identifiers with values that cannot be linked back to the data subject without additional, separately held information, protects user privacy and can be established during the design stage. Incorporating additional verification for users, for example two-factor authentication (2FA) on your websites and apps, is another example.
Secure networks, servers, gateways, and endpoints. Make sure that all systems receive patches regularly. Install security solutions that provide multilayered protection and straightforward patch management.
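Pseudonymization is easy to get wrong: replacing an e-mail address with a bare hash looks anonymous but is reversed by anyone holding a list of candidate addresses, and Collection #1 supplies hundreds of millions of them. The following is an added example, not code from the original article, contrasting that naive approach with a keyed hash (HMAC) whose key is held apart from the data set. The key handling, record layout and sample data are assumptions made for the example.

```python
"""Keyed pseudonymization versus a bare hash.

Added example, not code from the original article. A direct identifier (here an
e-mail address) is replaced by a pseudonym before the record is stored or
shared. Hashing alone is not enough: an attacker holding a list of candidate
addresses can hash each one and look it up. An HMAC under a secret kept apart
from the data set defeats that dictionary attack. The key handling, record
layout and sample data are assumptions made for this example.
"""
import hashlib
import hmac
import secrets

# Assumption: in production this key lives in a KMS/HSM and is never stored
# beside the pseudonymized data; a random key is generated here so the example
# runs stand-alone.
PSEUDONYM_KEY = secrets.token_bytes(32)


def normalize(email: str) -> bytes:
    """Canonicalize so 'Alice@Example.com' and 'alice@example.com' map together."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Looks opaque but is reversible by dictionary lookup."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 pseudonym: stable under the same key, useless without it."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonym: str, candidates, derive):
    """Attacker's view: run every candidate identifier through `derive` and
    return the one whose output matches `pseudonym`, or None."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), pseudonym):
            return candidate
    return None


def pseudonymize_records(records, key: bytes = PSEUDONYM_KEY):
    """Replace the direct identifier in each record with its keyed pseudonym.
    The remaining fields are what analysts or partners actually need."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "plan": r["plan"], "country": r["country"]}
        for r in records
    ]


# Constructed sample data (no real people) and a constructed "leaked" address
# list standing in for an attacker's dictionary.
USERS = [
    {"email": "alice@example.com", "plan": "pro", "country": "DE"},
    {"email": "Bob@Example.org", "plan": "free", "country": "PH"},
]
LEAKED_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def demo():
    """Return (identifier recovered from the bare hash, identifier recovered
    from the keyed pseudonym) for Alice's record."""
    bare = naive_pseudonym("alice@example.com")
    keyed = keyed_pseudonym("alice@example.com")
    recovered_bare = dictionary_attack(bare, LEAKED_EMAILS, naive_pseudonym)
    # Without the real key the attacker can only try unkeyed hashes or guessed keys.
    wrong_key = secrets.token_bytes(32)
    recovered_keyed = dictionary_attack(
        keyed, LEAKED_EMAILS, lambda e: keyed_pseudonym(e, wrong_key)
    )
    return recovered_bare, recovered_keyed


if __name__ == "__main__":
    print(demo())
    print(pseudonymize_records(USERS))
```

The point of the design is where the key lives: if it is stored next to the pseudonymized table, the table is effectively still identified data. Rotating the key also changes every pseudonym, which is a feature when a data set must be unlinkable from older exports and a cost when it must stay joinable.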
Users also need to take responsibility for their own online privacy. Although enterprises are accountable for the data they collect, users should still follow best practices to minimize risks to their privacy and safety.
Take an inventory of where your personal information lives online. List all the websites, apps, and forms where you have left personal, banking, or other identifying information. This may be tedious and time consuming, but knowing most of the businesses that hold your information tells you which credentials need to be updated or changed, and which accounts should be deleted.
If available, enable 2FA or another layered security measure in addition to the password on every online platform that holds your personal profile and PII. Companies with online platforms such as banks and social media now offer more than one type of verification, such as one-time passwords (OTPs). Never share your OTP or 2FA credentials with anyone, even someone claiming to be an employee of the company: a code you read out over the phone can be used by the caller immediately. If you think your banking information has been compromised, check your statements for unauthorized charges and notify your bank immediately.
Manage passwords wisely. Use a different password for every account, so that a password leaked in a dump such as Collection #1 cannot simply be replayed against the others; a password manager makes this practical. Change any password that you know or suspect has been exposed, and prefer long passphrases over short but “complicated” ones that are still easy to guess. Change the default credentials on every device you own, from the router to your mobile phone: default and easily guessed passwords are the first thing an attacker tries.
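The credential-reuse risk described earlier and the password advice here both lead to one operational check: before a new password is accepted, look it up in a corpus of leaked passwords, without handing the password itself to whoever holds the corpus. The following is an added example, not code from the original article. It follows the k-anonymity range protocol used by Have I Been Pwned's Pwned Passwords service (the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally); the corpus is a small constructed in-memory stand-in for that service so the example runs offline, the counts are invented, and the policy thresholds are this example's assumptions.

```python
"""Screening a password against a breach corpus without revealing it.

Added example, not code from the original article. The lookup follows the
k-anonymity range protocol of Have I Been Pwned's Pwned Passwords: the client
sends a 5-hex-character SHA-1 prefix, receives all suffixes in that range and
compares locally. The corpus here is a constructed in-memory stand-in (no
network); counts are invented and policy thresholds are assumptions.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeLookupCorpus:
    """Stand-in for the remote service: maps a 5-character hash prefix to the
    {35-character suffix: times_seen} dictionary returned for that range."""

    def __init__(self, leaked):
        self.index = defaultdict(dict)
        self.prefixes_queried = []  # everything the 'server' learns per lookup
        for password, count in leaked:
            digest = sha1_hex(password)
            self.index[digest[:5]][digest[5:]] = count

    def range(self, prefix: str) -> dict:
        prefix = prefix.upper()
        if len(prefix) != 5:
            raise ValueError("range lookup takes exactly 5 hex characters")
        self.prefixes_queried.append(prefix)
        return dict(self.index.get(prefix, {}))


def times_breached(password: str, corpus: RangeLookupCorpus) -> int:
    """Client side of the k-anonymity lookup: how many times the password
    appears in the corpus (0 = not found). Only the prefix leaves the client."""
    digest = sha1_hex(password)
    suffixes = corpus.range(digest[:5])
    return suffixes.get(digest[5:], 0)


def check_new_password(password: str, corpus: RangeLookupCorpus, min_len: int = 12):
    """Return None if the password is acceptable, otherwise the reason to reject
    it. Length plus the breach check are the controls; composition rules are
    deliberately absent (assumption: policy modelled on NIST SP 800-63B)."""
    if len(password) < min_len:
        return f"too short: {len(password)} < {min_len} characters"
    seen = times_breached(password, corpus)
    if seen:
        return f"appears in breach data ({seen} times); choose a different one"
    return None


# Constructed corpus: well-known weak passwords with invented counts.
CORPUS = RangeLookupCorpus([
    ("123456", 23_597_311),
    ("password", 3_861_493),
    ("qwerty", 3_946_737),
    ("letmein", 250_000),
    ("Winter2019!", 1_200),
])


if __name__ == "__main__":
    for candidate in ["password", "Winter2019!", "a long and unusual passphrase"]:
        print(candidate, "->", check_new_password(candidate, CORPUS))
```

The same lookup works at login time for existing accounts: a stored credential that now matches a dump entry is a signal to force a reset, which is how an operator turns a dump like Collection #1 from a threat into a cleanup list. The real service rate-limits and pads its responses; the stand-in only models what is and is not revealed.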
At a time when data is currency and we are ever more connected, cybercriminals will use every resource available to them to turn information into profit. Technology is expected to improve and develop at an even faster pace, but manufacturers still treat security as an afterthought when they release improved versions to the public. As we wrote in our predictions for 2019, data dumps such as Collection #1 will become more pervasive as cybercriminals become more intent on profiting from their malicious activities. Users and organizations need to work hand in hand to protect themselves and their information. Enterprises must secure not only their own data but also their customers’, and manage not only their own digital footprints but also their users’. Users, in turn, must play their part in their own online safety and treat it as part of being responsible digital citizens.