Information security is one of the areas I most often see neglected by companies, with almost no investment. We assume that attacks by so-called hackers only happen to others, or in science fiction movies. In 2011, cyber-attacks in the United States were up 67%. Recently, many of us have received warnings to change our passwords on large websites such as LinkedIn or Evernote because usernames and passwords had been stolen. Several criminal groups have begun to abandon activities with more physical risk in favour of profitable cybercrime.
Attacks come in many forms: stealing information from your database, taking your company's site offline (so it stops selling), committing financial fraud and fraudulent transactions, altering information, and so on. The costs for a company, without even counting the damage to its image, can reach hundreds of millions.
Do you think your information has little value? Consider an attack on a simple site where a user registers an account with an email address and a password in order to watch comedy videos. If the site is not protected, an attacker can steal the database of users' email addresses and passwords.
Assuming the site's users have Gmail accounts, the attacker then goes to Gmail and tries to log in with the stolen email addresses and passwords (47% of people use the same password on every site). Once inside the mailbox, the attacker can see which bank the user has an account with, the user's Facebook account, and every other service he uses. The attacker then goes to each of those sites (Facebook, Twitter, the bank, and so on), claims to have forgotten the password, and asks for a reset to be sent by email, to a mailbox the attacker already controls. The attacker changes every password and, as if by magic, the user ends up a victim of fraud with his digital life destroyed. Does your company want to be responsible for that? Note that this chain only works because the breached site handed over passwords that could be reused: if the site had stored only salted, slow hashes of the passwords, the thief would have had to crack each one before trying it anywhere else.
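The chain above depends on the stolen table containing usable passwords. As an added example, not code from the original article, the following Python shows the video site's user table stored both ways (passwords as typed, and only a salted slow hash per user) and what the attacker can do with each copy. All accounts and passwords, the mail_login endpoint standing in for Gmail, and the PBKDF2 iteration count are constructed assumptions for the demonstration.

```python
"""Added example, not code from the original article: the registration
site from the scenario above, once with passwords stored as typed and
once storing only a salted, slow hash, and the attacker's replay of the
stolen table against a second site. Every account and password here is
constructed for the demonstration."""
import hashlib
import hmac
import secrets

# Constructed: the video site's user table when passwords are stored as
# typed. Anyone who copies this table holds the users' credentials.
PLAINTEXT_TABLE = {
    "alice@example.com": "Summer2013!",
    "bob@example.com": "bobby123",
}

# Constructed: the mailbox provider the attacker tries next. Alice reused
# her video-site password there; Bob did not.
MAIL_ACCOUNTS = {
    "alice@example.com": "Summer2013!",
    "bob@example.com": "a-different-password",
}

# PBKDF2-HMAC-SHA256 is used because it ships with Python's standard
# library; the iteration count is an assumption chosen for the example.
ITERATIONS = 100_000


def mail_login(email, password):
    """The second site's login endpoint, as the attacker sees it."""
    expected = MAIL_ACCOUNTS.get(email)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def hash_password(password):
    """Hardened storage: a fresh random salt and a slow hash per user.
    The password itself is never written to the table."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_hashed(record, password):
    """Login check against a hashed record, with a constant-time compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]),
        record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def build_hashed_table(plaintext_table):
    """Migrate the table so only salt and hash are stored per user."""
    return {email: hash_password(pw) for email, pw in plaintext_table.items()}


def replay_stolen_table(stolen):
    """Credential stuffing as described in the article: try each stolen
    (email, stored value) pair against the mail provider. A plaintext
    table opens every account whose owner reused the password; a hashed
    table opens nothing, because the stored value is not the password."""
    opened = []
    for email, stored in stolen.items():
        candidate = stored if isinstance(stored, str) else stored["hash"]
        if mail_login(email, candidate):
            opened.append(email)
    return opened


def offline_guess(record, wordlist):
    """What the thief is reduced to with a hashed table: one slow hash
    computation per guess per user. Returns the password if a guess in
    the wordlist matches, else None."""
    for guess in wordlist:
        if verify_hashed(record, guess):
            return guess
    return None


if __name__ == "__main__":
    print("plaintext table replayed:", replay_stolen_table(PLAINTEXT_TABLE))
    hashed = build_hashed_table(PLAINTEXT_TABLE)
    print("hashed table replayed:", replay_stolen_table(hashed))
    print("bob cracked offline with a tiny wordlist:",
          offline_guess(hashed["bob@example.com"], ["password", "bobby123"]))
    print("alice cracked with the same wordlist:",
          offline_guess(hashed["alice@example.com"], ["password", "bobby123"]))
```

Running it shows the plaintext dump opening Alice's mailbox directly, the hashed dump opening nothing, and the thief reduced to slow per-user guessing that only recovers Bob's weak password. The point for a company is the second table: a breach still has to be fixed and disclosed, but the stolen data no longer unlocks every other service the user has.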
How should a company react if it is attacked? First, identify the problem and fix it, but that is not enough. What many companies do not know is that, in many jurisdictions, the law holds them responsible for taking appropriate measures to protect their users' information, and negligence in failing to take those measures can make them liable for the damage caused. The law also requires the company to notify users immediately that their information has been compromised.
According to information security specialist Tiago Filipe Dias, to protect themselves companies must put security measures in place, namely: strong passwords, a firewall with an adequate security policy, anti-virus, frequent updates of application software, security on laptops, security on mobile devices (phones, tablets), and special care with e-mail and internet browsing.
The truth is, we are not going to stop taking pictures with our phones and posting them on Facebook, or switch off the internet connection at home. Systems will have to evolve to adapt; until then, pay attention to the information you put online and to your company's security measures.