Ways Companies & Individuals Can Protect Data Online
While the ability to operate a business and run a household online has its conveniences, entrepreneurs and individuals face a growing threat from hackers and criminals accessing their information and using it to steal assets and identities. The FBI's Internet Crime Complaint Center (IC3) saw a 69% increase in complaints in 2020 compared to 2019, with losses reported to exceed $4.1 billion. More than 5,258 confirmed data breaches occurred in 2020 across four regions of the world in 16 different industries, according to the Verizon 2021 Data Breach Investigations Report (DBIR).
“Whether you own a business or are managing your personal data online, the place to start is to understand what information is important to you and what information is the most sensitive," said Paul Keener, head of cybersecurity operations at City National Bank. “After that, you need to think about how you'll store that information and how you'll access it."
What’s the CIA Triad?
The three main concepts to address when it comes to your data include confidentiality, integrity and availability, said Keener, which he refers to as the “CIA triad."
“Confidentiality means you need to know your data isn't being inappropriately shared with the public," said Keener. "The integrity of the data means that it can't be altered, and the availability of the data refers to the ability to access it when you need it."
The Best Data Protection Practices for Everyone
Both individuals and business owners need data protection. Two prime ways for both groups to safeguard themselves are multifactor authentication and robust password management.
Multifactor authentication, which provides layers of data protection, is a simple step for protecting accounts. Typically, this means entering a password and receiving a text with a one-time code.
While signing up to take that extra step can be a minor irritation, the safety of your data, particularly your financial accounts, is of paramount importance. Multifactor authentication is essential for password manager software, said Keener.
“It's smart to use password manager software to keep track of your various passwords, but you never want someone to get access to all your passwords," said Keener.
Most people are aware that they shouldn't use the same password on more than one site, yet a 2021 survey by PC Mag found that 70% of people admit to using the same password at least sometimes and 21% admit to using the same password for everything.
“The main danger of repeatedly using the same password is that if one company has a breach and all their passwords are compromised, the attackers will run your password through systems online to see where else that password has been used," said Keener. “It may not matter so much if you used the password at a store once a few years ago and they didn't store your credit card, but if the attacker can use that password to get into your bank account that's a much bigger problem."
Passwords vs. Passphrases
Some people opt to use the same password but with a different ending or beginning for each store, such as “Almdc16Giant" at the grocery store and “Almdc16Target" for that store.
“Usually that would be OK because attackers put passwords through an automated system," said Keener. “They would have to be highly trained and targeted directly at you to take the time to infer your password pattern."
However, he suggested that a better plan is to use a long password or a “passphrase."
“A short password can be run through a computer that quickly reveals other information about you and other locations where the password has been used," said Keener. “The advantage of a passphrase, such as 'introductiontooperationalriskmanagement" is that it can be something easy for you to remember."
The best data protection includes the use of long passphrases combined with multifactor authentication, Keener said.
The Best Data Protection Practices for Businesses
Business owners specifically need to evaluate the systems and services they use to manage their data, create a back-up and restoration system, and then address access, Keener said.
“You need to decide who in your business has access to which data and establish external and internal access systems," he said. “Maybe not every employee needs access to everything."
Among the most common issues businesses face include ransomware attacks and business email compromise (BEC) attacks.
“Ransomware refers to someone stealing access to your data, damaging the integrity of the data by blocking access by you and your employees, and holding that access ransom for money," said Keener.
BEC attacks trick business owners or individual employees into giving the attackers access to their email account to contact their financial institutions and employees to gain information from them that can be used for identity theft, Keener said. Alternatively, a BEC attack can be used to attack your clients and suppliers.
“A data minimization strategy can prevent some damage from a cyberattack," said Keener. “In other words, if there's data you don't need to store or replicate, then delete it."
Business owners should also encrypt their own data, said Keener, so that if attackers gain access the data will be unusable.
Keener recommends these essential data protections for all businesses:
- A VPN (Virtual Private Network) for the company. Keener said that this is particularly important for remote workers to ensure their information is encrypted when they are working at home, a coffee shop, a hotel or an airport.
- Anti-malware software for all devices used by employees onsite and working remotely.
- A secure web browser with privacy add-ons.
- A password manager system.
“Every owner needs a layered approach to understand their risks and the controls they have in place across all devices," said Keener. “They need to look at the software available for mobile devices they use themselves and that their employees use."
How To Plan For Cyberattacks
In addition to establishing a risk-reduction systems, every company needs a response strategy in case of an internet threat.
“You need to know who to contact under what circumstances and in what sequence," said Keener. “If any financial information has been compromised, it's smart to notify your financial institution – preferably your personal banker – and check on what financial recourse is available."
Contacting law enforcement and your insurance company are also important initial steps if you suspect your business or personal data has been breached.
When cyber attackers manage to access a victim's account, they typically move the money quickly out of the country so that it cannot be retrieved. That's one reason it's so important to reach out immediately to your banking partner.
“City National Bank has our own incident response plan, but we should be part of your response plan, too," said Keener.
For additional advice on cybersecurity protection, visit the federal Cybersecurity and Infrastructure Security Agency or Infraguard, a nonprofit company that partners with the FBI and private companies to share information and education about cybersecurity.
This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.