You’ve probably heard that hackers want your private information. That’s true, but it’s not the whole story. Cyber criminals who want private information don’t always hack to get it. It’s an important distinction, because when all your cyber security efforts are focused on making data inaccessible to hackers, you inadvertently turn a blind eye to other threats.
Some hackers aren’t looking for data
Some hackers want your computer resources, not your data.
One reason some hackers want your computer is to use it as part of a crypto mining farm. Cryptocurrency can be mined legally en masse, but it takes intense resources. Hackers would rather get your computer to do the work. Crypto criminals hack into hundreds of thousands of computers and create a powerful crypto mining system they don’t need to pay for.
Other hackers run programs that search for unsecured IoT devices and enlist them in a botnet that delivers DDoS attacks around the world, like the infamous Mirai botnet. In 2016, the hackers behind Mirai rallied thousands of unsecured CCTV devices to deliver a massive DDoS attack that left most of the internet inaccessible on the East Coast.
BrickerBot is another piece of malware you need to worry about. It targets Linux-based IoT devices running BusyBox that have open Telnet ports. BrickerBot uses brute force attacks to gain access to unsecured devices. Then, it executes commands to corrupt storage, disrupt internet connectivity, and delete all files on the device. The flash storage is rendered unusable, all kernel operations are stopped, and when the device is rebooted, it’s useless. Imagine that happening to your company’s POS machine, or any other expensive device you rely on every day.
The only way to prevent your company’s digital devices from being destroyed by a botnet, or becoming a botnet slave, is to set secure passwords, keep ports closed and hidden, and never connect a device to the internet before you’ve reset the factory password.
Securing electronic payment systems isn’t so simple
Many industries have started using electronic methods for collecting payments. Landlords, for example, have started to accept rent from tenants online. While most landlords don’t allow tenants to pay rent with a credit card, some will accept cards connected to a bank account in lieu of a bank transfer. Funds are available faster when transferred to and from debit cards rather than through a traditional bank transfer, which requires at least one business day to process. This means property management companies need to be certain that their electronic rent collection process adheres to the Payment Card Industry Data Security Standard (PCI DSS). A business that doesn’t follow this standard can be fined by card companies like Visa and Mastercard.
There’s more to the story, though. PCI standards were created to make sure businesses protect customer data, but some merchants get hit with fines even when there’s no evidence that card data has been stolen. One retailer sued Visa for $13 million for fines incurred without evidence, bringing the controversial aspects of PCI compliance to light.
In essence, when a data breach occurs, credit card companies collect fines from the third-party banks that process the transactions – not from the merchants. If the card companies fined merchants directly, the merchants would fight it in court. Instead, when third-party banks are fined, they sue the customer (the merchant) using the indemnification clause to justify it. Merchants must battle the banks (the middleman) to get their money back.
Your electronic payment processing might be secure, but you’re still at risk of being fined by card companies who don’t have to prove a data breach even occurred.
Encrypting data is your number one defense
Hackers will always find a way to steal data. Your job isn’t just preventing data from being stolen. You need to encrypt your data in case it does get stolen. When data is encrypted, it can’t be read without the decryption key.
According to PCIpal’s research, more than one-fifth of consumers said they would permanently stop supporting a business after a data breach. Even when consumers aren’t affected, the fact that a data breach has occurred is enough to make them stop trusting a business.
Stolen data isn’t always compromised data
The truth is, data breaches happen far more often than businesses acknowledge. Under GDPR, a business isn’t required to report all data breaches to data subjects. If stolen data is encrypted, there’s no need to notify the subjects. Encrypted data is useless to hackers. That’s reason enough to make encrypting data a priority in your overall cyber security plan.