Current California law requires businesses that have experienced a data breach to notify any CA resident whose personal information may have been stolen. After experiencing a data breach, organizations must send a formal breach notice to affected parties. If more than 500 state residents have been informed of a breach, the company is required to send a sample copy of the notice to the California Attorney General.
Who’s on the List?
The State of California Department of Justice has released a list of all the companies that have sent out formal notifications with links to samples of the notices. Examining a few of these formal breach notices shows that all types and sizes of organizations can fall victim to a cyberattack. By looking at these notices, your company can also learn how to take a preventative approach to security to avoid ending up on the list.
Here’s an overview of several of the affected organizations:
USA Waste-Management, LLC
On January 21, 2021, USA Waste-Management, LLC detected anomalous activity in its network environment. After launching an investigation, with the aid of third-party forensic specialists, and contacting the FBI, the organization learned that hackers had accessed and stolen files containing sensitive information between January 21 and 23. While USA Waste-Management detected the breach quickly, it took many months to determine that personal information, such as names, Social Security Numbers, and driver’s license numbers, had been taken.
Farmers Insurance
Between January 20 and February 12, 2021, hackers used the Farmers Insurance auto quoting system to steal the personal information of users, including driver’s license numbers. Hackers had used the system to make fraudulent requests for quotes, making it difficult to determine who had been affected by the breach. Farmers noted that people who had made valid quote requests during this period or had someone request a quote for them may not have been affected.
University of California
In December 2020, the University of California was breached through a third-party file transfer appliance (FTA). The breach was part of an international attack on higher education institutions, government agencies, and private companies. Hackers exploited vulnerabilities in the third-party application to gain unauthorized access to personally identifiable information. Affected parties included students, faculty, staff, and retirees of the University.
What These Companies Did Wrong
While these organizations did the right things by following CA law and sending formal notifications to affected users, they failed to implement a proactive security strategy. These threats and vulnerabilities could have been identified and detected ahead of time to prevent a breach from occurring. Once a breach happens, it can take companies days or even months to discover it. Taking a reactive approach to a breach gives hackers more time to steal and compromise data. For example, in the case of UC, sensitive data acquired during the breach was later published on the internet, increasing the opportunity for identity theft and fraud.
The Consequences of a Data Breach
Data breaches can be costly for companies. The organizations profiled above took on the financial burden of providing free credit monitoring and identity theft protection to the affected people for 12 months. Other companies were forced to patch or replace the software and appliances that the hackers exploited to gain access to sensitive data. A major data breach can also be damaging to the reputation of the business, causing its clients and customers to lose trust in it and go to the competition instead.
Lessons Learned
By looking at a few organizations on the list of companies in CA that experienced breaches in 2021, your company gets a glimpse of some of the types of vulnerabilities that lead to data breaches. Attacks on the network, third-party applications, and user endpoints are just a few examples of the many attack vectors that cybercriminals use to steal private information. To avoid ending up on the list of breach victims, your company needs to follow the NIST 800 Framework of identify, protect, detect, respond, and recover.
Adopting a wide range of security tools will help your company prevent myriad cyberattacks. These tools include:
1. Multi-Factor Authentication
By themselves, passwords are a weak line of defense. Hackers can easily crack passwords using special software, and many organizations fail to change their default passwords for third-party applications. Multi-factor authentication uses a combination of 2 or 3 factors to judge if a user is authorized to gain access. These factors may include tokens, single-use codes, personal questions, or biological markers, such as fingerprints.
2. Security Awareness Training/User Awareness
Employees can be a liability if they lack security awareness. Workers may open suspicious emails, click on infected attachments, and use insecure websites, exposing your company to ransomware and other types of malware. Security awareness training teaches employees how to recognize the tell-tale signs of phishing emails and what to do when they encounter one. Training may include regular testing and simulations.
3. Web Content Filtration
Another way employees can expose your company to threats is by visiting unsafe websites. While using company computers and networks to do research or to surf the net during a break, they may land on an insecure or bogus website, exposing your systems to viruses and other intrusions. Web content filtration prevents employees from stumbling onto harmful websites by only allowing access to authorized websites and denying access to all other web content.
4. Endpoint Detection & Response
Endpoints can be a key vulnerability for companies. They include mobile devices and laptops used by remote workers, IoT devices, and POS systems. These endpoints can be difficult to monitor and track, as they are numerous and exist at the edge of the network. Endpoint detection and response (EDR) solutions monitor, collect and analyze endpoint data to detect threats so that breaches can be prevented. Real-time analytics empower EDR to send alerts when suspicious activity is detected so the threat can be intercepted.
5. 24/7 Alerting & Monitoring
Monitoring the network is an around-the-clock job. Any time your company’s guard is down, a hacker can slip through. Outsourcing monitoring to a managed service provider (MSP) gives you access to an entire staff that can focus day and night on monitoring your system for potential threats and sending alerts.
6. Patching/Updates
Hackers exploit out-of-date hardware and unpatched software to stage attacks on your company. Organizations often fall behind on updating their technology assets, leaving them exposed to risk. An MSP can keep track of your patches and updates to ensure that they are always implemented on time before a cybercriminal can take advantage.
7. Email Filtering & Threat Protection
Hackers use your employees’ inboxes as a weapon against your company by sending phishing emails. These emails can be used to stage ransomware attacks. Email filtering and threat protection delivers another level of defense against phishing attempts by preventing suspicious emails from reaching the inbox and keeping employees from sending responses to harmful emails.
How to Avoid Ending Up on the List
To prevent a breach, your company must implement intelligent tools that can detect a potential attack. Machine learning, predictive assets, and cloud-based models can help you prevent a breach from happening. Clare Computer takes a detect, respond, and remediate approach to cybersecurity, identifying inbound attacks and responding immediately to them. We follow the NIST 800 Framework for detecting and identifying the stages of a cyberattack. Our Managed IT Support offering will raise your security profile and connect you with the leading security vendors. We deliver 3 levels of managed security: NetCentral Manage Essentials, NetCentral Manage Complete, and NetCentral Secure.