Oops! That’s what Anthem has to say after a recent data breach that possibly exposed sensitive personal identifying information on up to 80 million customers. Anthem is the nation’s second biggest provider of health insurance. It was discovered that hackers had been in the system prying and thieving since December of last year. As always, it’s a good idea for the IT service desk to explore what happened that led to the breach and what it can teach us all about preventing such attacks.
1. Be Tougher to Crack Than the Others
There are basically two types of hackers, though each type comes in many individual flavors. The first type is a committed hacker or group of hackers who will do whatever it takes to get into the system of their choosing. Hacktivists and cyber terrorists fall into this group. Sometimes they have a particular target in mind, such as a company doing things they don't like, and sometimes the hacking is just a challenge to prove they can get into a system that is supposed to be secure.
The second type is the opportunist. These hackers don't have a specific target in mind, but are content to get into any system that yields pay dirt in the form of fodder for identity theft. Occasionally, they aren't even looking for information to steal; they just want to prove they can do it. While little can be done to stop the first group from targeting you, making your systems as secure as possible wards off most of the second group. They will leave you alone and go after easier prey.
2. Don’t Depend on a Single Security Solution
Following a breach like Anthem’s, you’ll see scads of advertising by cyber security companies claiming that their product will prevent such an attack. While these products are indeed essential, realize that no single solution is a substitute for regular monitoring and other safeguards. Sure, get the security products! Just don’t assume that the claims by the developer mean you never have to worry about a cyber attack again.
3. Don’t Rely on Encryption Alone
Encryption protects data from anyone who does not hold the key; it does not decide who is allowed to use the system. In most deployments the data is decrypted automatically for any authenticated user or application, so an attacker who steals an authorized user's credentials, which is how many intrusions begin, reads the data in the clear exactly as that user would. Encrypting data at rest and in transit is good. It just isn't everything you need to keep your data secure, and it does nothing against misuse of legitimate access.
4. Don’t Collect and Keep Info You Don’t Need
It's become common business practice to collect identifying information like Social Security numbers, driver's license numbers, and the like when customers apply for credit, sign up for insurance, visit the doctor, or set up an account. However, much of this data is never used again once the transaction is complete; tax reporting is the usual exception. Think twice about the data you ask for and hold on your customers and the general public. Data you never stored cannot be stolen from you, and nobody can say their information was exposed because of your error. For example, had Anthem not kept every Social Security number it no longer had a continuing need for, far fewer of its customers would now be at risk of identity theft.
5. Have the IT Help Desk Enact Better Rules for Password Changes
Users don't like passwords. They do silly things like use their cat's birthday as a password, and then post happy birthday messages to their cat all over social media. Regular password changes help in a narrow way: a stolen password stops working at the next change, so a short rotation interval limits how long an attacker can keep reusing it. Be realistic about that window, though. A phished credential is typically used within hours, long before a scheduled change would revoke it, and forcing very frequent changes pushes users toward predictable variations (Password1, Password2) that an attacker can guess. Have your IT help desk set password rules that reject reused and easily guessed passwords, train users on keeping passwords secret, require an immediate change whenever a compromise is suspected, and treat scheduled rotation as one control among several rather than the fix.
6. Make Your Customers and Employees Aware of the Potential for Phishing
Following almost any publicized data breach (and a breach of this size is always publicized), a new wave of phishing emails hits the Net, dressed up as breach notifications or "identity verification" requests. Anthem's breach is no different. Teach your users and customers how to recognize legitimate communications from you, and communicate only through channels they can verify, such as your own domain and your logged-in portal. Make it clear that you will never email them to ask for sensitive information, and tell them how to report suspected phishing emails.
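The recognition checks the paragraph describes, written out as an added example (not code from the original article or from Anthem): a brand name in the display name but a sender domain that is not ours, a look-alike domain built from digit-for-letter swaps, a Reply-To that routes answers elsewhere, links to hosts we do not control, and a request to "confirm" or "verify" an identifier we promised never to ask for by email. The insurer's domain (example-insurer.com), its name, and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the insurer's only legitimate sending domain is
# example-insurer.com and its name is "Example Insurer". Both are hypothetical.
LEGITIMATE_DOMAINS = {"example-insurer.com"}
BRAND_WORDS = ("example insurer", "example-insurer")

# Digit-for-letter swaps attackers use to build look-alike domains (examp1e, examp0e).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def normalize_domain(domain: str) -> str:
    """Fold common look-alike tricks so 'examp1e-insurer.com' compares equal to the real name."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def is_legitimate(domain: str) -> bool:
    """True if the domain is one of ours or a subdomain of one of ours."""
    domain = domain.lower()
    return domain in LEGITIMATE_DOMAINS or any(domain.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def domain_of(header_value: str) -> str:
    """Extract the domain part of an address header such as From or Reply-To."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def text_body(msg) -> str:
    """Concatenate all decoded text/* parts of a single-part or multipart message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like it is impersonating the insurer (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain

    # The display name claims to be us, but the address is not one of our domains.
    if any(w in from_name.lower() for w in BRAND_WORDS) and not is_legitimate(from_domain):
        findings.append(f"brand name in display name but sender domain is {from_domain}")
    # The sender domain matches ours only after undoing look-alike character swaps.
    if not is_legitimate(from_domain) and is_legitimate(normalize_domain(from_domain)):
        findings.append(f"look-alike sender domain {from_domain}")
    # Replies are silently routed somewhere other than the apparent sender.
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = text_body(msg)
    # Every link should point at a host we control.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if not is_legitimate(host):
            findings.append(f"link to external host {host}")
    # The message asks the reader to hand over identifiers we promise never to request by email.
    if re.search(r"\b(confirm|verify|provide|enter|update)\b.{0,60}\b(social security|ssn|password|date of birth)",
                 body, re.I | re.S):
        findings.append("body asks the reader to supply sensitive information")
    return findings


# Constructed sample messages: one impersonation, one genuine notice.
PHISH = """From: "Example Insurer Member Services" <alerts@examp1e-insurer.com>
Reply-To: verify@mail-secure-update.net
To: member@example.org
Subject: Important: confirm your identity after the data breach
Content-Type: text/plain

Dear member, due to the recent breach please confirm your Social Security number
at http://examp1e-insurer.com.verify-now.net/login within 24 hours.
"""

LEGIT = """From: "Example Insurer" <noreply@example-insurer.com>
To: member@example.org
Subject: Your statement is ready
Content-Type: text/plain

Your monthly statement is available at https://www.example-insurer.com/statements.
We will never ask for your password or Social Security number by email.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

The look-alike normalization deliberately stays narrow (digits and the rn/vv pairs) and only fires when the normalized name lands on a domain we own, so ordinary third-party senders are not flagged as impostors. A real deployment would add DMARC alignment results and the full list of your sending domains.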
What's the most critical lesson to take from Anthem's breach? Monitoring your systems constantly is essential. Always assume a hacker is already in there, and keep a vigilant watch for evidence of the attack: credentials used from places or at times their owner never works, queries that return far more records than the account has ever pulled, and activity the account's owner does not recognize. In Anthem's case the intrusion came to light when a database administrator noticed a query running under his own credentials that he had not started. No security product is an adequate replacement for a watchful eye.
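What that watch looks like in practice, as an added example (not code from the original article or from Anthem): a small detector that learns each database account's normal source hosts and largest result set from a baseline window, then flags later activity from a new host, outside business hours, or returning an order of magnitude more rows than the account has ever pulled. This is the misuse-of-legitimate-credentials case that lesson 3 says encryption cannot stop. The log format, the account and host names, and the events are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed database audit log for this example. The column layout
# (timestamp, account, source host, statement, rows returned) is an assumption,
# not any real product's format, and the accounts and hosts are invented.
AUDIT_LOG = """\
2015-01-12T09:14:02 dba_jsmith ws-admin-07 SELECT 412
2015-01-13T10:02:45 dba_jsmith ws-admin-07 SELECT 1190
2015-01-14T16:48:19 dba_jsmith ws-admin-07 UPDATE 3
2015-01-20T11:31:07 dba_jsmith ws-admin-07 SELECT 870
2015-01-27T02:17:55 dba_jsmith vpn-pool-113 SELECT 26500000
2015-01-27T02:52:10 dba_jsmith vpn-pool-113 SELECT 540
2015-01-28T09:05:00 dba_jsmith ws-admin-07 SELECT 950
"""

# Events before this date are trusted as the "normal" picture of each account.
BASELINE_CUTOFF = datetime(2015, 1, 26)


def parse_audit_log(log: str) -> list[dict]:
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, account, host, stmt, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "stmt": stmt, "rows": int(rows)})
    return events


def build_baseline(events: list[dict], cutoff: datetime) -> dict:
    """Per account: the hosts it normally connects from and the largest result set it has pulled."""
    baseline = defaultdict(lambda: {"hosts": set(), "max_rows": 0})
    for e in events:
        if e["ts"] < cutoff:
            b = baseline[e["account"]]
            b["hosts"].add(e["host"])
            b["max_rows"] = max(b["max_rows"], e["rows"])
    return baseline


def detect_credential_misuse(events, baseline, business_hours=range(7, 20), volume_factor=10):
    """Flag events that do not fit the account's baseline; each alert lists every reason it fired."""
    alerts = []
    for e in events:
        b = baseline.get(e["account"])  # .get() does not create a default entry
        if b is None:
            alerts.append((e["ts"].isoformat(), e["account"], ["account has no baseline"]))
            continue
        reasons = []
        if e["host"] not in b["hosts"]:
            reasons.append(f"new source host {e['host']}")
        if e["ts"].hour not in business_hours:
            reasons.append(f"activity at {e['ts'].hour:02d}:00, outside business hours")
        if e["rows"] > volume_factor * b["max_rows"]:
            reasons.append(f"{e['rows']} rows returned, baseline maximum {b['max_rows']}")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["account"], reasons))
    return alerts


def run_detection(log: str = AUDIT_LOG, cutoff: datetime = BASELINE_CUTOFF):
    """Baseline and scan the constructed log; returns (timestamp, account, reasons) tuples."""
    events = parse_audit_log(log)
    return detect_credential_misuse(events, build_baseline(events, cutoff))


if __name__ == "__main__":
    for ts, account, reasons in run_detection():
        print(ts, account, "; ".join(reasons))
```

On the constructed log the two early-morning sessions from the VPN pool are flagged (the first on all three counts, the second on host and hour), while the administrator's own next-day query from his usual workstation is not. The three signals are deliberately simple; the point is that each one is visible in audit data you already collect, and that the bulk-export event is the one you most need to see before the data leaves.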