Before the dust could settle on Target’s data security breach, news of a potentially larger one has surfaced. On September 18, 2014, Home Depot confirmed that it suffered a data breach involving the debit and credit card information of approximately 56 million customers. Target’s breach involved approximately 40 million cards.
Home Depot’s breach involved payment card information for purchases made at U.S. and Canadian Home Depot stores from April to September, 2014. According to Home Depot, criminals used unique, custom-built malware not seen previously in other attacks to breach payment card systems. Though their investigation is ongoing, Home Depot said names, card numbers, expiration dates, cardholder verification values and service codes may have been compromised.
Seeing yet another large business with substantial resources suffer a massive data security breach should be more than enough to confirm that data security breaches can happen to any organization. Though preventing data breaches is becoming more difficult, businesses can take steps to reduce the risk.
A subsidiary of Reinsurer Munich Re recently held a presentation with cybersecurity experts and risk managers to show how cybercriminals choose their targets and access their systems. This presentation provided several key takeaways for businesses.
- Businesses are not only viewed as targets by cybercriminals, but also as conduits to attack a business’s clients.
- Businesses must identify any data that may be valuable to others, and keep only what is needed.
- Most hackers use email and browsers to access a business’s systems.
The cybersecurity presentation identified 10 ways for businesses to prevent a data breach.
- Outsource payment processing (point-of-sale, web payments) to take advantage of their sophisticated and dedicated security measures.
- Separate social media from financial activity by using a dedicated device for online banking and a different device for email and social media.
- Don’t reuse passwords and don’t trust websites to store them for you. Set up a two-factor authentication process that verifies identity by sending a secret code to your phone.
- Train employees to protect sensitive and confidential information. Remind employees that most malicious attacks involve email, and that they should alert others when suspicious emails are received.
- Identify risks by evaluating systems and networks, including email infrastructure and browser vulnerability. Learn how business associates (vendors, suppliers, partners) handle data security.
- Mandate encryption for all data that is stored (at rest) and transmitted (in motion), and avoid the use of Wi-Fi networks if possible.
- Use the latest web browser version that is available rather than relying on individual patches and updates.
- Update operating systems to take advantage of built-in security improvements.
- Secure routers connecting business computers to the Internet. Set strong administrator passwords and, if Wi-Fi is necessary, use a WPA2 password.
- Encrypt backup data and store it off-site.
Home Depot is currently dealing with the consequences of its data security breach by investigating the breach, updating data security systems, notifying potential victims, providing free identity theft protection and adjusting its public relations to minimize the damage to its reputation. The costs of these efforts can be staggering. For businesses lacking the resources of the Target’s and Home Depot’s, these costs can be devastating.
As we have seen, nothing is foolproof, so businesses should use insurance to protect against cyber risks. There are a number of cyber liability products that protect against privacy injuries, such as identity theft, and that cover the cost of complying with various data breach notice laws. However, given the complexity of the risk, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.
If you would like to learn more about insuring against cyber risks, contact us.
If you would like to subscribe to our newsletters please click here.