There was a 25% increase in the number of reported data breaches in 2017, according to the European Union Agency for Network and Information Security (ENISA) Threat Landscape Report 2017. 2018 could be even worse, with the report warning about the growing threat of:
- SQL injection, in which attackers insert malicious SQL into the database queries that a web application builds from user input. This allows them to spoof people’s identity, tamper with existing data, void transactions, change balances, become administrators of the database server or disclose or destroy data.
- Phishing, in which attackers impersonate a legitimate organisation by email or other form of communication (such as text or social media). These messages typically contain a link or an attachment, which the attacker uses to steal the recipient’s personal data or infect their system with malware.
- Insider threats and privilege misuse, which includes any unauthorised use of organisational resources – whether accidental or malicious. In either instance, sensitive information is exposed and is classed as a data breach.
The report also highlights the threat of physical data being lost or stolen. As with insider threats, such incidents are classed as data breaches even if no one outside the organisation accesses the information.
Organisations also need to be wary of what happens to data that they share online, as has become evident in the recent Facebook scandal. The social media site reportedly turned a blind eye as data analytics company Cambridge Analytica harvested 50 million profiles to help Donald Trump’s election team “build a powerful software program to predict and influence choices at the ballot box”.
Another whistleblower has claimed that this practice is common. He didn’t give any specifics, but with investigations into Facebook looming, it’s surely only a matter of time before further revelations.
But data harvesting isn’t the only threat that social media sites pose. Information Age warns that such sites “can also be used for sophisticated social engineering and reconnaissance activities which form the basis of many attacks on the enterprise. Criminals and hackers are known to use these platforms to distribute malware, push rogue antivirus scams and phishing campaigns to lure their victims”.
Social media is also increasingly being used in whaling attacks – a form of phishing in which crooks imitate an organisation’s CEO. If a CEO lists extensive information about themselves on social media, crooks can better tailor their scams.
The number of whaling attacks tripled in 2017, according to cyber security provider Smarttech 247, and the scam’s lucrative returns suggest that it will remain a prominent threat in 2018.
How you should prepare
Any organisation that’s concerned about cyber security should adopt ISO 27001, the international standard that describes best practice for an information security management system (ISMS). It provides the basis for managing data security using an integrated set of policies, procedures and technologies, and complements a host of laws, including the Directive on security of network and information systems (NIS Directive) and the EU General Data Protection Regulation (GDPR).
Organisations that have adopted ISO 27001 need someone to regularly review their systems to make sure they maintain compliance with the Standard. You can gain the skills to fill that role by enrolling on our ISO27001 Certified ISMS Lead Auditor Training Course.
This course covers:
- The structure and requirements of ISO 27001;
- The audit process;
- How to select and lead an audit team;
- The principles of effective auditing;
- How to apply continual improvement of the ISMS; and
- Conducting an audit follow-up.