Financial information is not the only valuable data worth stealing. What we see in these breaches is that attackers are looking more for general customer information and less for specific billing or credit card data. Indeed, such information can be very lucrative for spammers.
When you have a customer database record, such as a user name, linked to a name and an email, you already have a lot of valuable information. This information can be used to craft a customized spam message, bearing the user’s name, details and interests, which will appear legitimate.
Chances are higher that a user will open a customized spam message and click on it, than if they receive generic spam. This in turn increases the profitability of a spammers’ campaign. Imagine for example emailing 500,000 recipients with a proposal to buy some product. If only 1 recipient out of 1,000 orders your product, that's already 500 new orders. Now you can imagine the latent profit that a spammer can make with 70 millions email addresses and individual information.
Lessons in protection
Companies shouldn’t buy into the illusion that they are compliant and therefore safe from attacks. Targeted attacks are on the rise and no company is completely bulletproof. Businesses must erect as many barriers as possible between cyber-criminals and their corporate network and assets.
Protection starts with the deployment of an in-depth security strategy across the network, endpoints, and multiple security devices connecting to the network. Enterprises need to apply several layers of protection, including an advanced Firewall and Intrusion Prevention System (IPS) to detect blended threats; a comprehensive endpoint security solution to secure all endpoints and mobile devices; a preventative data loss prevention solution to protect informational assets.
Simultaneously, they need to define a solid and well-structured security policy to enforce the protections. This policy needs to be aligned with the business objectives, and clearly understood by the employees of the organization. In addition, I would encourage enterprises to take a fresh look at how they expose their data assets in order to reevaluate how to best protect them.
After securing and shutting this ‘main door’ to potential attackers, organizations must work on securing and closing their perennial ‘back door’ – the users themselves. Human error is the one security problem that technologies alone can’t fix and for which there’s no patch. It is up to organizations to actively engage, train and educate their employees, in order to turn them into real, security-aware corporate gatekeepers.
Only a trained, security-aware workforce, combined with a solid, in-depth security system and a well-defined security policy can defeat today’s hackers. Hopefully business at large can adapt and learns these lessons, avoiding further data breaches in the coming months.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.