Some Of The Latest News On Cyber-Attacks And Cyber-Security Trends
A survey of corporate technology officers reveals that while many companies are worried about all sorts of threats, they also don’t feel they’re prepared to defend against them.
A number of important industries are dangerously vulnerable to cyberattacks. Small businesses are far less prepared than big ones. And plenty of companies aren’t taking basic steps to improve their readiness, leaving them exposed to breaches that can threaten their existence.
These are some of the findings from a survey of information security officers at nearly 400 companies by WSJ Pro Research. The survey offers a revealing snapshot of the state of cybersecurity—in particular, what kinds of companies are unprepared and why.
The results are a wake-up call for industries that need to get their act together. And they provide a road map for what slow-moving companies need to do to make sure they protect their at-risk assets. The price of not doing so could be high, and perhaps devastating.
“Even today, after so many documented cyber incidents, some businesses lag behind in their preparation or, worse, they react in knee-jerk ways to today’s incident with no vision or strategy to address tomorrow’s,” says Alan Levine, chairman of the advisory board for Carnegie Mellon University’s chief information security officer program.
Mr. Levine, who spent 20 years as the chief information security officer at Alcoa Inc. and its successor, Arconic Corp., says there are too many “ostrich” organizations that have their heads in a hole. “They need to look up, look around and see cybersecurity as an organizational imperative regardless of sector.”
WSJ Pro Research, which provides data and research as part of The Wall Street Journal’s professional information offerings, surveyed information-security executives across different sectors and company sizes to see how they view the risks they face and the steps they are taking to protect their data.
Some Of The Key Findings:
• Organizations aren’t necessarily prepared for the threats they are most concerned about. Ransomware was highly concerning, for instance, with nearly 80% viewing it as high risk, but just under 70% felt prepared to deal with it.
• Manufacturing, government and retailing were behind other industries in important areas. Fewer than two-thirds of manufacturers and retailers have any cybersecurity program. Retailers were least likely to feel prepared to defend themselves against ransomware attacks. Government departments were also among the least prepared for ransomware attacks and well below average in offering cybersecurity training to their executives, as well as in identifying critical data. By contrast, health care reported surprisingly strong preparedness.
• Small companies tended to lag behind large ones in preparedness. For instance, only 63% of companies with under $50 million in revenue have a cybersecurity program, in contrast to 81% of companies with over $1 billion in revenue. More concerning, 15% of smaller companies have no plan to put a cybersecurity program in place. In addition, the very largest businesses were almost twice as likely to already hold cyber insurance than the very smallest businesses—39% of which had no plans to buy a policy in the next 12 months.
A Constant Barrage
The findings come at a critical time for businesses. Not only are they grappling with the pandemic and economic crisis, but cybercriminals have taken advantage of the chaos to step up their attacks. Forty-two percent of companies have faced an attack in the past year, the survey found.
And break-ins can be disastrous. They often impose large costs, waste time and resources, pose a big risk to a company’s reputation and brand—and can affect perceptions of a whole sector.
Yet cyber risks are stubbornly hard to address. Many executives fail to prioritize the problem or even to understand it. The subject can be complex and technical, the demand for talent outweighs the supply, and solutions can be expensive.
There is no single way to define what preparedness looks like, but it includes the ability to detect and respond to breaches, as well as develop a security-conscious workforce. The survey focused on eight measures of readiness, including having a cybersecurity program, identifying critical data that need protecting, training employees and company leaders, and having cyber insurance.
Several measures were found to be crucial indicators for how prepared a company is to deal with cyber risks.
Companies with cyber insurance, for instance, were likely to perform better on other aspects of preparedness. Simply having insurance suggests businesses have assessed their risk, understand their critical data assets and are aware of the potential for disruption if attacked.
The businesses may also be making efforts to decrease their insurance premium by taking risk-reduction measures.
Somewhat less common, but equally important, is delivering tailored cybersecurity training to executives, who are often targeted by cybercriminals for the extensive data to which they have access.
For example, companies that conducted executive-level training were more likely to have identified and protected critical data (84% over the 72% average), to have insurance coverage (63% over 51%) and far more likely to have an incident-response plan (84% over 70%).
The survey highlighted the gaps between companies’ perception of certain threats and how prepared companies feel they are to defend themselves. Ransomware—malicious software used by criminals to hijack computers and extort the user—is considered high risk by 78% of companies surveyed, but just under 70% of respondents in the survey said they believed they are well prepared to deal with such attacks.
By contrast, nearly 80% of companies felt well prepared to deal with malware, another threat considered high risk.
Another challenging area for all companies was assessing the effect of attacks on an organization’s supply chain or third-party suppliers. More than 70% of all organizations saw it as a major threat, but less than 60% felt prepared.
Only 62% of larger businesses—those with revenue of more than $250 million—were able to quantify and qualify the risk to or from their suppliers, though this was better than the 42% of the country’s smallest firms. Even financial-services firms—often considered the most advanced in cybersecurity—lagged behind, with only six out of 10 firms managing the risk well.
The survey also demonstrated how companies’ vulnerabilities—and their progress in addressing them—varied across different industries.
Industrial and manufacturing firms are struggling with third-party risk, with just over half having an understanding of those risks that could affect their operations. Fewer than two-thirds of manufacturers have a cybersecurity program, and the sector came out at the bottom in having an incident-response plan, a step that suggests readiness to respond when an attack does occur.
Furthermore, greater percentages of manufacturing companies said they were not planning to implement improvements in important areas anytime in the next 12 months. For example, 63% of manufacturers currently have no cyber insurance, and 37% have no plans to purchase coverage within the next 12 months.
Cybersecurity training isn’t in the plans for manufacturers for the coming year, either: Twenty-two percent don’t intend to implement employee training, and 26% said executive training won’t happen. And 15% have no plans to identify critical data worth protecting in the next year.
Manufacturing lines and industrial processes often run on operating systems or industrial-control systems that no longer receive security updates due to the age of the software. Taking systems offline for maintenance can be prohibitively expensive or disruptive to operations.
“[They] often rely on legacy infrastructure and applications that require unsupported platforms for continued operations,” says Andrew Rubin, CEO and co-founder of Illumio, a Sunnyvale, Calif., cybersecurity company. As a result, many manufacturers struggle to create effective cybersecurity strategies and controls.
Automation and the implementation of Internet of Things devices into industrial environments are introducing new risks to manage and more places for hackers to strike. Mr. Rubin says more breaches are starting to prompt greater awareness of the risks in manufacturing. “Failures are propelling action,” he says. “Compromises and data loss among manufacturers are driving a desire to transform.”
Among the industries least prepared for ransomware is retail, where only 62% of companies were confident they are prepared to defend themselves against such attacks. Large databases about customers and loyalty-program members make retailers a prime target for cybercriminals, says Mun Valiji, former Group CISO of Sainsbury’s supermarkets, a major U.K.-based retailer, who left his post in March.
Even as the industry grows far more digital, retailers have been reluctant to add security measures that will affect customers’ experience on their e-commerce sites. “There is a very fine line between delivering an awesome customer experience online and striking the right security balance,” Mr. Valiji says.
Government departments at a local and federal level were also weak in some areas. For instance, they showed less confidence than most sectors in their own preparedness for ransomware attacks. Government agencies, along with construction companies, were also well below the 58% average of companies that offer executive training in cybersecurity, with only around 42% of both sectors saying they deliver the training.
The large amounts of personal data local government agencies often hold make them tempting targets for attackers, but tight budgets restrict access to cutting-edge security technologies and mean they are unable to compete with the higher salaries on offer in the private sector.
In early June, cybersecurity-news website Krebsonsecurity.com reported the city of Florence in Alabama paid a ransom of $291,000 after criminals locked up the city’s IT systems. The city’s mayor confirmed the attack and payment.
The health-care sector reported far less vulnerability than other areas. Health care is sometimes seen as one of the most targeted sectors. Yet, while 63% of construction and infrastructure companies admitted cybersecurity breaches on one or more occasions in the past 12 months, only 17% of health-care organizations said they had been compromised.
“We think the reduction is due to a combination of factors, including improvements in the cybersecurity posture of health-care organizations,” says Dave Wong, vice president with cyber-incident response provider Mandiant, a division of FireEye Inc., “but the behavior of attackers had also changed.”
In 2017, health care was the third-most-targeted sector, according to Mandiant’s annual threat report. By 2019, security improvements and evolution of the attackers’ tactics led to the sector dropping to eighth place. Cybercriminals follow the money, Mr. Wong says, and when fewer ransoms were being paid, they shifted their focus elsewhere.
“Ransomware operators previously targeted hospitals knowing that the operational disruption could potentially cost patients’ lives,” he says. “Now, the same ransomware operators target larger companies with deeper pockets.”
Security preparedness also varied by business size, with smaller companies lagging behind larger ones in a number of areas. Only 63% of companies with under $50 million in revenue have a cybersecurity program, in contrast to 81% of companies with over $1 billion in revenue.
A lack of cybersecurity preparedness in the small to medium-size business sector can affect other businesses.
Within supply chains, a supplier could be used as a steppingstone to compromise the customer’s network, as happened in the 2013 breach of Target Corp., where hackers gained access to the company’s network via an HVAC supplier. Also, attacks that cause operational disruption could have a knock-on effect on customer operations.
The survey highlighted a number of areas where companies are making progress in protecting their at-risk assets.
One critical aspect of a cybersecurity program is the identification and protection of a company’s critical data assets. If the confidentiality of those assets is lost, their integrity is compromised, or they are no longer available, the disruption will be significant.
Across all businesses in the survey, 72% have completed an assessment of what data is critical and have taken steps to protect it. A further 22% plan to conduct such a review in the coming 12 months.
Cyber insurance is another key area. Overall, 51% of all businesses had purchased cyber-insurance coverage, and a further 24% planned to purchase coverage in the coming 12 months.
Companies that have purchased cybersecurity insurance and have conducted training for their executives show higher than average preparedness in other areas.
Still, many small businesses choose not to take on coverage, says James Trainor, senior vice president at Aon Cyber Solutions, a unit of insurance provider Aon PLC. “Small businesses often don’t have the resources—financial or personnel—to conduct a robust cyber assessment and risk-quantification process,” he says.
But he also was concerned over the 35% of large companies that didn’t already hold cyber insurance, citing the potential for catastrophic losses. “I’m not sure how a board is exercising its fiduciary responsibility to protect its shareholders and the firm from this growing risk without cyber insurance,” he says.
When it comes to training and awareness, the data show 68% of companies are educating employees. But 45% of businesses under $50 million in revenue have not yet implemented training.
Somewhat less common, but equally important, is delivering training to executives. Government agencies and construction companies are well below the 58% average, with only around 42% of both sectors saying they deliver the training.
Training executives is less generic than training users at a large scale. The messaging must be driven by the unique set of risks and threats faced by individuals and companies, and the strategies that should be employed to counter those risks. Such training, regardless of industry, is “a very nuanced conversation,” says Jason Hoenich, president of cybersecurity company Habitu8.
“Good cybersecurity begins with good leadership, and these functions are best led by a chief information officer who is trained, informed and capable,” says Mr. Levine of Carnegie Mellon.
A CISO’s role, he says, is “to see the circumference of the organizational wheel, to understand every single place where good cybersecurity strategy can make a positive difference for the organization.” He adds: “Good leaders know their current state, define a better state, and design a path to get from here to there.”
Which Industries Are Most Likely To Pay Ransomware?
More than 40% of companies say they would at least consider paying.
It’s one of the trickiest questions a company can face: pay a ransomware demand, or don’t.
Among cybersecurity leaders surveyed by WSJ Pro Research, 57.5% said they wouldn’t pay, leaving 42.5% who said they would at least consider paying—with a wide range of responses depending on what industry a company is in. WSJ Pro Research provides data and research as part of The Wall Street Journal’s professional information offerings.
Law-enforcement agencies including the Federal Bureau of Investigation have advised victims not to pay ransomware attackers, who encrypt the target’s data and demand a ransom—typically in bitcoin—to unlock it. Paying creates an incentive for more cybercrime and doesn’t always result in the encrypted data being restored, authorities say.
Still, about 74% of survey respondents in the construction industry said they would consider paying a ransom, making construction companies the most likely to contemplate it. Technology firms were next, with about 57% saying they would consider paying. The sector least likely to consider paying was government, with only 18% of respondents saying they might.
Brian Kirk, a former cybersecurity leader in the construction industry who now leads the cybersecurity team at consulting firm Elliott Davis LLC, cites a couple of reasons why construction companies might be more willing than others to meet ransom demands. One is that the companies generally have a decentralized IT infrastructure that is often spread out among dozens of contractors and subcontractors.
That makes ransomware attacks harder to contain, making recovery more difficult and expensive if a company decides not to pay a ransom. And the industry faces tight deadlines on construction projects, which increases the pressure to unlock scrambled data quickly. Construction companies also tend not to spend enough on cybersecurity technology and personnel, he says.
“Your choice is paying the ransom or starting over from scratch, and if you’re in the middle of a big construction project, then starting over isn’t an option,” says Mr. Kirk.
There have been a handful of recent reports of ransomware attacks on construction firms. Bouygues Construction, a subsidiary of the French conglomerate Bouygues SA, disclosed a ransomware incident in January but provided few details. A spokesman for the company said in an email that Bouygues didn’t pay a ransom and that it was able to restore its data on its own.
Mr. Kirk says most ransomware attacks against construction firms go unreported, because they can damage a company’s reputation. Many data-breach notification regulations only apply to sensitive consumer data at public companies, and can make exceptions for ransomware if the data is simply locked up and doesn’t leave the company.
Technology companies tend to be more willing than many others to pay a ransom for different reasons, says Sean Brooks, director of the Citizen Clinic at the University of California, Berkeley’s Center for Long-Term Cybersecurity.
Technology firms generally have a more sophisticated understanding of their computer infrastructure than many other organizations and so would likely have a better understanding of how much money it would cost to not pay a ransom, Mr. Brooks says.
If a company is able to accurately crunch the numbers and determine that the cost of not paying far exceeds the amount demanded, it may be a straightforward decision to pay, he says.
“Tech companies almost certainly have a much more nuanced sense of what the recovery from a ransomware attack looks like—what the lead time is for recovering the assets, what the opportunity cost is,” says Mr. Brooks. “A lot of companies in the tech sector lay money aside for these kinds of risks as an operating cost.”
On the other end of the spectrum, government agencies generally are reluctant to pay ransomware demands because it’s politically untenable, Mr. Brooks says.
“In a case like ransomware, where it’s a very serious crime that involves straight-up extortion, I can’t imagine a world where government agencies are willing to pay demands,” he says. “The political cost of justifying it to various constituencies is just awful.”
Cities including Atlanta, Baltimore and New Orleans have suffered debilitating ransomware attacks in recent years and have refused to pay the demands. Last July, the U.S. Conference of Mayors passed a resolution calling on cities around the country to not give in to ransomware demands.
“The default for government is not to pay—no one wants to get hauled in front of Congress for paying,” says Mr. Brooks.
Companies Battle Cybersecurity Risks of Having More Remote Workers
Hackers see working-from-home employees as weak points into company networks. Here’s what businesses are doing to shore up their defenses.
Companies that moved to remote work because of the coronavirus now face another long-term question mark: security.
Stay-at-home workers have become targets for hackers, and they are exposed in a way that company networks aren’t. The use of personal devices and internet connections, coupled with the anxiety of balancing work with child care and other tasks at home, has introduced a different set of weak points, says Tami Erwin, chief executive of Verizon Communications Inc.’s business segment.
Home Wi-Fi networks are often poorly secured: they rely on weaker equipment, are protected by weak passwords and are shared by different users and devices, any of which may become infected with malware that collects vital information.
Home workers may also be more vulnerable to phishing scams that open up access to company networks, because they may feel less security-conscious outside the office. And remote work has prompted many workplaces to adopt applications such as teleconferencing tools that have their own security weaknesses.
“You’ve almost got the perfect scenario where people are less prepared, and bad guys have lots of time,” says Ms. Erwin, whose division sent about 20,000 employees home in response to the pandemic, to join 10,000 more who already worked remotely.
In response to the shift, companies are urging employees to be more wary about cyber hygiene, as well as beefing up their abilities to investigate attacks from afar and turning to tools that authenticate remote employees or detect threats to their devices.
How many of the changes stick remains an open question as a battered economy forces corporate chiefs to rethink long-term spending plans and hiring practices. Still, the combination of factors will likely accelerate several broader trends reshaping cybersecurity.
Putting Up A Gateway
Virtual private networks, which encrypt traffic so it stays private even when it crosses public networks, have long been used to let off-site employees pass through their workplace’s perimeter defenses. Workers log in using passwords or other authentication tools to set up shop inside.
The huge number of employees now working remotely raises challenges for companies that use VPNs. Some workers have never used the technology before, and companies have to explain how to operate it and remind workers to be vigilant about using it.
Another problem: bandwidth. Too many users on a VPN can damage connection quality, so companies have moved to expand capacity to meet the staggering new need.
Equifax Inc. faced just such a surge in users. Before the coronavirus outbreak, around 10% to 20% of its employees worked from home on a normal workday, Chief Technology Officer Bryson Koehler says. But within one week’s time in March, as lockdown orders went into place around the world, that figure surpassed 90%.
The company expanded its VPN technology so all employees could use it while working remotely, Mr. Koehler says, and a small team of network specialists worked around the clock during the first week to make sure the network ran smoothly.
British e-commerce company Made.com’s VPN usage doubled after lockdown orders went into place in March, so Chief Information Security Officer Paul McCourt ditched physical keys employees used to log in. The USB key was clunky and a potential security risk if employees lost it, he says.
Now, Made.com employees access its VPN through the Okta Inc. platform. The system enables workers to reach different workplace applications via multifactor authentication, which requires users to provide more than one way to verify their identity.
Moving Further Into The Cloud
Some companies, though, have sidestepped the VPN question altogether. They are accelerating a move they had started making before the pandemic hit—switching to cloud-based services.
These platforms, such as online versions of the Microsoft 365 suite, host corporate applications on their own servers, easing the pressure on company systems and offering employees more flexibility to access software at home.
Fearing the shift to home offices and personal devices could hamper developers’ work, Microsoft Corp. Chief Information Security Officer Bret Arsenault moved about 32,000 employees onto cloud-based workstations within 48 hours in March.
“That is the beauty of the ability of the cloud to both surge and scale,” Mr. Arsenault says, adding that the shift will be permanent.
Thanks to that kind of migration, the cloud-computing market saw 37% year-over-year growth in the first quarter, according to Synergy Research Group Inc., and the pandemic could accelerate the trend.
“I believe this is an inflection point,” says Sean Joyce, U.S. and global cybersecurity and privacy leader at consulting firm PricewaterhouseCoopers LLP.
There is a big trade-off to cloud services, though: They require cybersecurity teams to put new technology in place to monitor their workforce as closely as they could inside a company network.
Never Trust, Always Verify
The pace of change could also help hasten a philosophical shift. Many cybersecurity teams previously viewed cyber defenses as a castle and moat, with firewalls and virtual private networks monitoring for unwanted visitors who were trying to come inside—and assuming everyone inside had been vetted.
Now, with many more remote workers beyond companies’ outer defenses, security professionals are focusing on securing individual employees and their devices.
This “zero trust” model prioritizes verifying users’ identities and devices at various checkpoints with passwords and other authenticators, says Stephen Schmidt, chief information security officer for Amazon.com Inc.’s cloud-computing arm, Amazon Web Services.
At the same time, teams limit access to sensitive material and use automated tools to scan devices and applications for abnormal spikes in traffic or unusual queries. The architecture is designed to detect attacks by people who have already made it inside networks, including disgruntled current or former employees.
“We’ve been on a journey to a zero-trust network for a long time,” Mr. Schmidt says. “This really reinforced that that is something that has to be completed.”
Getting Past Passwords
Along with adding new checkpoints within the system, companies are changing how you prove your identity at those points—demanding a variety of identification methods instead of just traditional passwords.
Lost or stolen credentials were the second-most common cause of data breaches in 2019 after phishing emails, according to Verizon, while the leading form of malware was password dumpers, which extract credentials for crooks who seek access to company networks.
Enter multifactor authentication, which often combines passwords with other security measures, such as fingerprints or other biometric identification. Microsoft, for one, said last year that 90% of its employees no longer use passwords.
Multifactor authentication has also been critical for Swiss pharmaceutical firm Roche Holding AG as it secures its corporate applications while employees work from home.
I Know All The Cybersecurity Rules. Yet I Still Break Them
The reasons say a lot about what’s wrong with the rules, and how tech companies could make us safer online
We all know we’re supposed to follow basic cybersecurity practices like using a password manager or running antivirus software—just the way we know we’re supposed to floss every day and keep eight months of emergency savings in the bank.
Being human, however, we often fall short. And even though I’ve been researching and writing about cybersecurity for more than two decades, I’m no exception. I’m just as likely as anyone to cut corners on my own online security.
If a geek like me doesn’t follow the rules, can we really expect normal people to do it?
What follows are some of the rules I break, and why I break them. They offer a glimpse at what’s wrong with cybersecurity these days—and what needs to happen so that more people will follow the rules, and be safer online.
The Rule: Generate and keep all your passwords in a password manager so that you use only unique, complex passwords.
Why I Break It: Password managers seem like a great idea. They’re dedicated apps that store all your passwords in one place and fill them in when you visit a site, so you don’t have to remember them or retype them each time. You can import your current passwords, or let the apps generate new and complex ones for you. And you can access the apps from different devices and applications.
In practice, however, these apps can be somewhat inconvenient. On some websites, the password manager may not be able to detect which password to use, and some apps or devices make it hard to access the manager in the first place.
I also run into trouble with duplicate passwords. I’ve got multiple password managers—the one I chose because it works across all my devices and applications, and the other ones that just came bundled with my system or web browser. When I go to a site, any or all of these managers will ask me if I want to save or update my login—so if I’m not paying close attention, it’s easy for me to save my password to the wrong app, and then forget where I put it. Or I end up with one manager that has my current password, and another one with an out-of-date login.
Then if I return to the site, I have to hunt through all these different password managers to find the one with the right password—or just give up, create a new password, and have even more password versions to contend with.
Even my dedicated password manager can end up with duplicate passwords, because it’s easy to screw up and accidentally choose to create a new password when I’m just trying to update an existing one, which means I end up with duplicates for certain sites. Then I have to figure out which of my five different Gmail logins is the actual current version.
For this reason, I don’t rely on my password manager for services like Facebook, Twitter and Google. Lots of sites let you use those services to log in, instead of creating new accounts on the site itself. Since I choose that option frequently, it’s easier just to remember the passwords for those big, useful accounts—which I call “keychain” logins—rather than fiddle with the password manager and fix its mistakes.
Make It Easier: Give me one password option to rule them all. Once I install a password manager on a device, my browsers and operating system should know to store my passwords there, instead of prompting me to use their own systems. And please, test those password managers in the field, with a wider range of actual users.
The Rule: Don’t overdisclose on social media, which creates personal and professional vulnerabilities online and offline, especially for children.
Why I Break It: I don’t have a lot of opportunity to get out and socialize, and many of my dearest friends live far away. Even before Covid, social media was the lifeline that kept us connected, and now it feels even more important to share our family’s joys online and get support when we have moments of grief and frustration.
Make It Easier: Social-networking platforms need to make it easier for us to narrow or widen the audience for our posts. Setting up permissions for who can see what content takes a fair bit of grooming and tweaking, and many platforms don’t even give you that option.
Social networks should also default to a high level of privacy for new users or for kid-related content, instead of extreme openness that only tech nerds know how to limit. Rather than assuming that every new social-media connection is a true friend who gets access to my entire life, put everyone on the equivalent of my restricted list until I deliberately admit them to my inner circle.
The Rule: Use an ad blocker and decline cookies so that you won’t be tracked across multiple websites or get ads targeted to your personal browsing history.
Why I Break It: Many media sites prevent you from accessing their content if you’re using an ad blocker, because it kills their main source of revenue. And declining cookies just means that I get a thousand irrelevant ads for belly-fat busters, when I could be seeing relevant ads for red cowboy boots, patio furniture and coding games. If I have to see ads, they might as well be tailored ones.
Make It Easier: Targeted ads are a ubiquitous part of the browsing experience because many of us are still laboring under the illusion that we can get something for nothing—that online publications and social networks should be free. When consumers balk at paying for online services, it is easier for service providers to just fall back on the proven tactic of mining our data and selling our eyeballs to the highest bidder.
Instead, social networks and other web services should all offer the option of buying our freedom back by paying a monthly service charge to get content and interactions, and not see ads or have our data mined. (After all, many of us happily pay to upgrade favorite mobile apps to their ad-free versions.)
The Rule: Regularly back up your devices to an external hard drive—ideally two of them, so that no matter what goes wrong at home or in the cloud, you’ll have your data.
Why I Break It: No matter how many times I set my computer up to back up over Wi-Fi, it fails—so I once again find myself backing up over a cable connection, which is just too cumbersome and space-intensive to do regularly. Plus, I keep so much of my life in Dropbox, Google Drive and Gmail that 95% of my current working files are retrievable anyhow.
Make It Easier: Backing up an entire computer should be as easy as backing up individual files to Dropbox or Google Drive. Just let us check the parts of our computer we want to sync—or select the entire hard drive. That way, we not only back up all our crucial files regularly but also other critical things few people think about backing up: our personalized settings and applications.
The Rule: Use two-factor authentication wherever possible, so that your sign-ons have to be confirmed by phone, text or another method.
Why I Break It: Two-factor authentication is inconvenient and annoying. You need to wait for the authentication code to arrive, and if you can’t find your phone immediately, you end up hunting for it just so that you can log in to a website on your computer. Meanwhile, certain apps that handle verification may lock you out if you switch to a new phone.
Make It Easier: The industry should adopt the painless verification that some apps use—letting me confirm my identity immediately through the app itself. For instance, if you have the Gmail app on your phone and try to sign in somewhere else, a message pops up from the Gmail app asking, “Is this you?” so nobody can sign in to your Gmail account unless they can confirm that login on your phone. (Another good reason to keep your phone face-, fingerprint- or password-protected!)
It is far less convenient to wait for (and type in) a verification code. Messing around with text-messaged codes should be a fallback scenario, not the default behavior.
How To Prevent Medical Records From Being Hacked
Research shows that many breaches are simply the result of sloppy behavior on the part of employees.
Here’s a common nightmare scenario: The computer system at your doctor’s office is hacked, and somebody has all your medical records.
What if the hacker uses your medical history to blackmail you or to embarrass you publicly? What if the public exposure of your records affects your job prospects?
The good news is that you probably shouldn’t worry about your medical records. But you should be worried that the hacker has your Social Security number or financial information that was stored in the physician’s office computer.
Among nearly 1,500 data breaches at health-care entities in the U.S. from 2009 to 2019, affecting 169 million patients, our research reveals that only 22 involved the breach of sensitive medical information—such as records of HIV tests, sexually transmitted diseases, cancer, mental health, abortions and substance abuse. Two million people were affected by those 22 breaches.
The disclosure of nonmedical information that could be exploited for identity theft or financial fraud—such as driver’s license numbers, Social Security numbers and bank-account or credit-card numbers—was much more common. There were 1,042 breaches of this type of information at health-care entities, affecting 159 million individuals.
This suggests that hackers and thieves for the most part intentionally targeted sensitive identifying and financial information, and the medical records became collateral damage.
Another study of ours, however, shows that many breaches like these are easily preventable.
In that study, we found that insiders were responsible for more than half of the breaches at health-care organizations—and most of those breaches were accidental. If health-care providers had stronger internal controls in place and their employees followed the right protocols, many breaches could have been avoided.
We examined detailed descriptions of more than 1,100 health-care data breaches that affected 164 million patients. Health-care organizations are required to notify an office of the Department of Health and Human Services of breaches affecting 500 or more people, and to classify those breaches in prescribed categories.
Unauthorized access or disclosure of patient health information, a category that covers a broad range of sloppy behavior by employees, accounted for 25% of all breaches in the study. Employee mailing mistakes—sending sensitive letters to the wrong recipients, printing Social Security numbers on mailing labels or making confidential information like HIV status visible through envelope windows—were the most common problem in this category, accounting for 10.5% of all breaches of any kind.
Among other subcategories, employees taking health information home or forwarding it to personal accounts or devices represented 6.5% of all breaches, while emailing errors, such as sending emails to the wrong recipients, represented 2.8% of all breaches.
Internal mistakes also played a prominent role in some other categories of breaches. For example, unencrypted devices or paper records lost or misplaced by health-care entities accounted for 7.2% of all breaches, and improper disposal of devices or paper records was responsible for an additional 3%.
Even in the category labeled hacking or IT incident, which accounted for 20.5% of all breaches, accidental exposure of personal health information through the internet was responsible for 5.4% of all breaches of any kind—more than malware or viruses at 5.3%. Also within this category, employees clicking on phishing emails were the cause of 3.4% of all breaches.
Making It Better
Clearly, some basic training for employees about mail and email practices and cybersecurity would be helpful. But mistakes will still be made. So, before mailing patient information, health-care entities should double-check the accuracy of mailing labels and make sure the labels or envelope windows don’t reveal confidential information. When communicating with patients through emails, they should check to be sure the recipient is correct and no one is improperly cc’d.
Beyond that, reducing the storage of patient information in mobile devices, such as laptop computers or USB drives, could significantly reduce the risk of a data breach. Nearly half of the breached data in our study was stored in mobile devices. And sensitive information should always be encrypted.
Finally, health-care entities should also consider storing patients’ identifying and financial information separately from their medical records, to avoid the loss of medical records as collateral damage in breaches aimed at obtaining data to be used for identity theft or financial fraud.
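One way to realize the separation recommended above, as an added example that is not part of the article (the store design, field list and sample values are constructed for illustration): clinical records and identifying/financial data sit in separate stores linked only by a random token, and the clinical store refuses identifying fields outright, so a dump of it alone is not identity-theft material.

```python
import secrets

# Fields the article singles out as identity-theft / fraud material; kept out of the clinical store.
IDENTIFYING_FIELDS = frozenset({"name", "ssn", "drivers_license", "bank_account", "card_number"})


def identifying_fields_in(record):
    """Return the identifying/financial field names present in a record dict."""
    return sorted(IDENTIFYING_FIELDS & set(record))


class SegregatedPatientStore:
    """Two stores joined only by a random token (hypothetical design, constructed for this example)."""

    def __init__(self):
        self._identity = {}  # token -> identifying/financial info (a separate system in practice)
        self._medical = {}   # token -> list of clinical records, no identifiers

    def enroll(self, identity):
        # Opaque link: random, not derived from the SSN or any other identifier.
        token = secrets.token_hex(16)
        self._identity[token] = dict(identity)
        self._medical[token] = []
        return token

    def add_record(self, token, record):
        # Refuse to let identifying data drift into the clinical store.
        leaked = identifying_fields_in(record)
        if leaked:
            raise ValueError(f"identifying fields not allowed in medical store: {leaked}")
        self._medical[token].append(dict(record))

    def medical_dump(self):
        """What a breach of the clinical store alone would yield."""
        return {t: [dict(r) for r in recs] for t, recs in self._medical.items()}

    def identity_dump(self):
        return {t: dict(i) for t, i in self._identity.items()}


def dump_exposes_identity(medical_dump):
    """True if any clinical record in the dump would identify a patient on its own."""
    return any(identifying_fields_in(r) for recs in medical_dump.values() for r in recs)


def demo():
    store = SegregatedPatientStore()
    token = store.enroll({"name": "Example Patient", "ssn": "000-00-0000"})  # constructed values
    store.add_record(token, {"visit": "2020-01-15", "diagnosis": "example condition"})
    return store, token
```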