The number of major data leaks has been steadily increasing for years, and we have seen significant leaks even in the past few months. In April 2021, LinkedIn suffered a data breach that exposed sensitive information on over 500 million users, including email addresses, cell phone numbers, workplace information, full names, account IDs, gender details, etc. Facebook experienced a data breach that included the personal information of more than 533 million users. Clubhouse also experienced a leak of public user information through a legitimate application programming interface (API), exposing 1.3 million user records.
If your organization is a Small and Medium Business (SMB), don’t be fooled just because you only hear about attacks on global businesses. SMEs are attacked, and attacked frequently. One of the main ways in which your business systems are hacked is through data leaks involving private user accounts.
Consequences of data leakage by private users
Lots of people have Facebook and LinkedIn accounts. If a user’s public information is disclosed, it may have consequences for both the user and the user’s employer.
Consequences for the private user
Information disclosed by social media can be used to personalize a cyberattack (often phishing) against specific users. The personal touch of these emails – using a name and a real reference – can be very convincing and easily fool a user. After the Facebook data breach, there was an increase in SMS spam messages to published mobile numbers, which advertised alleged package deliveries, but aimed at stealing credit card data.
Stolen credit card data can be very profitable for cybercriminals. Such data is often traded in underground forums. If a user’s passwords are stolen during an attack, the circle of victims can widen. With the password, attackers can log into the account and send convincing spam messages to the user’s circle of friends to find potential new victims. Hijacked user profiles are also misused to spread malware or to artificially boost other accounts with followers.
Consequences for your business
Criminal access to a private user’s account can create a number of problems for their employer. Unfortunately, many users still use the same password for different services. If any of these services experiences a data breach, the attacker can also test the username and password combination on other services. This shotgun method is called credential stuffing. Attackers can often gain access to the corporate VPN, the Microsoft 365 environment, file sharing platforms, or other corporate resources this way. If the work email account falls into the wrong hands, the attacker can even reset passwords and pull information from the email archive.
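Credential stuffing leaves a recognizable trace in authentication logs: one source address cycling through many different usernames, mostly failing, with an occasional success where a reused password hit. The following detector, an added example that is not part of the original article, runs that rule over a few constructed log lines. The log format (`timestamp ip=… user=… result=…`), the source addresses and the thresholds are all assumptions chosen for the example.

```python
"""Flag credential-stuffing bursts in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format is an assumption for this example.
# 198.51.100.4 is a normal user who mistypes once; 203.0.113.7 sprays many
# different usernames within seconds and finally lands on a reused password.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z ip=198.51.100.4 user=alice result=FAIL
2021-06-01T10:00:09Z ip=198.51.100.4 user=alice result=OK
2021-06-01T10:01:00Z ip=203.0.113.7 user=alice result=FAIL
2021-06-01T10:01:02Z ip=203.0.113.7 user=bob result=FAIL
2021-06-01T10:01:04Z ip=203.0.113.7 user=carol result=FAIL
2021-06-01T10:01:06Z ip=203.0.113.7 user=dave result=FAIL
2021-06-01T10:01:08Z ip=203.0.113.7 user=erin result=FAIL
2021-06-01T10:01:10Z ip=203.0.113.7 user=frank result=FAIL
2021-06-01T10:01:12Z ip=203.0.113.7 user=grace result=OK
"""


def parse_line(line: str) -> dict:
    """Turn one 'ts key=value ...' line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Return {ip: finding} for every source that failed logins against at
    least `min_users` distinct usernames inside any `window`-long span.

    Brute force against one account looks different (one user, many failures),
    so the rule keys on distinct usernames, not on the raw failure count.
    Any successful login from a flagged source after the burst began is
    reported as a likely compromised account.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        flagged_at = None
        start = 0
        # Sliding window over the failures of this source, ordered by time.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in fails[start:end + 1]}
            if len(distinct) >= min_users:
                flagged_at = fails[start]["ts"]
                break
        if flagged_at is None:
            continue
        compromised = sorted({e["user"] for e in evs if e["ok"] and e["ts"] >= flagged_at})
        findings[ip] = {
            "first_seen": flagged_at.isoformat(),
            "distinct_users": len({e["user"] for e in fails}),
            "likely_compromised": compromised,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

The legitimate user's single typo never trips the rule, while the spraying source is reported together with the one account it actually got into, which is the account to force a password reset on first.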
With the shift towards remote work, personal life has mingled with professional life. Business laptops are used for private browsing, so a malware infection picked up through a private social media account leads directly to a compromised work device. The next time the user connects to the corporate VPN, the malicious code can pass through the firewall into the corporate network.
If an employee’s private account is hacked, it can hand the attacker the keys to the company. The attacker now has the data needed for CEO fraud or Business Email Compromise (BEC), where the attacker impersonates an executive at the user’s company to steal money or more data.
Secure password management and authentication are essential. Strong, unique passwords are just the start. Multi-Factor Authentication (MFA), User and Entity Behavior Analytics (UEBA), or Zero Trust Access can further limit the consequences of stolen passwords. Since these are private employee accounts outside the company’s control, educating users is an important part of the security campaign.
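To make concrete why MFA limits the damage of a leaked password, here is an added example (not code from the article) of a login check that requires both a password hash match and a time-based one-time code (TOTP, RFC 6238, built on HOTP from RFC 4226) from a shared secret. A credential-stuffing attempt that carries the right password but no code still fails. The user store, the salt and the password are constructed for the example; the TOTP secret is the RFC 6238 test-vector key, so the codes can be checked against the published values.

```python
"""Password + TOTP login check (added example, standard library only)."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits, digestmod)


def verify_totp(secret: bytes, submitted: str, at_time=None, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current code or its neighbours (+/- `window` steps) to tolerate
    clock drift; compare in constant time so timing does not leak the code."""
    if at_time is None:
        at_time = time.time()
    return any(
        hmac.compare_digest(totp(secret, at_time + drift * step, step, digits), submitted)
        for drift in range(-window, window + 1)
    )


# Constructed user store. Real deployments keep the TOTP secret encrypted and
# never store the password in clear; here only a salted PBKDF2 hash is kept.
_SALT = b"constructed-salt-for-the-example"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector key
    }
}


def login(username: str, password: str, code: str, at_time=None) -> bool:
    """Both factors must pass. A leaked password alone (no valid code) fails,
    and so does a guessed code without the password."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    # Evaluate both factors before deciding, so a failure reveals nothing about which one failed.
    return password_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    good_code = totp(USERS["alice"]["totp_secret"], now)
    print("password + valid code:", login("alice", "correct horse battery staple", good_code, now))
    print("stolen password only: ", login("alice", "correct horse battery staple", "000000", now))
```

The RFC 6238 vectors give a quick sanity check: with the key above, time 59 yields 94287082 as an 8-digit code (287082 with 6 digits). In production the secret would come from the enrolment step, rate limiting would cap code guesses, and the `window` should stay small, since every extra step widens the set of codes an attacker could guess.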
5 tips to increase resilience and data protection for small businesses
To better protect sensitive or personal data against an attack, every SMB should follow these five tips:
- Use strong passwords. Each user should use a strong and different password for each service, change those passwords regularly, and your business should deploy a password manager as an enterprise-wide tool.
- Back up your data. Every SMB should follow the 3-2-1 backup rule: keep three copies of your data, on two different media, with one backup stored offsite, such as in the cloud.
- Deploy a security solution. Every SME must invest in a security solution that integrates the most recent technologies.
- Encrypt data. All data should be encrypted in transit and at rest, using enterprise-grade encryption.
- Patch software quickly. Patches should be applied as soon as possible after their release, as many of these fixes are developed to stop newly discovered threats. If you are running unsupported applications (i.e., no patches are available), consider upgrading to a supported version to minimize the risk of attack. Unpatched software is a prime opportunity for cybercriminals.