California is a major target of cyber crime in the U.S., accounting for one in six hacks into major computer systems in the country, according to a new report by the state Attorney General’s office.
While the damages are in the billions nationwide from hacking attacks mostly on businesses, California by a large margin tops all states in the number of hacked systems, the number of computer systems infected by malware, the number of victims of Internet crimes, the losses suffered as a result of those crimes, and the number of victims of identity fraud, according to the report.
In addition, because of the outsized role new technologies and mass-media entertainment play in its information-based economy, California is particularly vulnerable when its networks become infected and its intellectual property is stolen.
In 2012, the Privacy Rights Clearinghouse recorded at least 331 breaches in the U.S. caused by international criminals who were purposefully trying to compromise databases or networks. California accounted for 17% of those breaches – a far higher percentage than in any other state – which, in turn, contributed to putting at risk the sensitive personal information of at least 2.5 million Californians that year, according to the report.
Between 2009 and 2012, the number of intentional breaches in the U.S. jumped by 280% (see chart), but during that same period the number of breaches in California shot up 560%.
The rapid increase in international breaches both in the state and nationwide should be cause for concern for any business that has an online presence, but particularly for those that have sensitive customer information online, like ID information and credit cards.
Cyber security best practices
Strong passwords – Use strong passwords and change them regularly. Passwords are the first line of defense in preventing unauthorized access to any computer. Strong passwords should be at least eight characters in length and include a combination of upper case and lower-case letters, one number and at least one special character, such as a punctuation mark.
Install and maintain anti-virus software – The primary way that attackers compromise computers in the small office is through viruses and similar code that exploits vulnerabilities on the machine. You may also want to train your staff on how to recognize a computer virus infection. Some typical symptoms are:
- System will not start normally (e.g., “blue screen of death”).
- System repeatedly crashes for no obvious reason.
- Internet browser goes to unwanted Web pages.
- Anti-virus software appears not to be working.
- Many unwanted advertisements pop up on the screen.
- The user cannot control the mouse/pointer.
Use a firewall – Unless you have a database that is totally disconnected from the Internet, it should have a firewall to protect against intrusions and threats from outside sources. While anti-virus software will help to find and destroy malicious software that has already entered, a firewall’s job is to prevent intruders from entering in the first place.
Secure socket layer – If you are handling credit card transactions, make sure that your payment system includes a secure socket layer to encrypt all of the important data of each customer.
Control physical access – Not only must assets like files and information be secured, the devices that your employee use must also be safe from unauthorized access. The single most common way that protected health information is compromised is through the loss of devices themselves, whether this happens through theft or accidentally.
Limit network access – Limit access to your most important data to only a few individuals in your organization.
Plan for the unexpected – Fire, flood, hurricane, earthquake and other natural or man-made disasters can strike at any time. Important health care records and other vital assets must be protected against loss from these events. There are two key parts to this practice: creating backups and having a sound recovery plan.
Configuration management – New computers and software packages are delivered with a dizzying array of options, but little guidance on how to configure them so that the system is secure. In the face of this complexity, it can be difficult to know which options to permit and which to turn off. Here are some rules of thumb:
- Uninstall any software application that is not essential to running your business (e.g., games, IM clients, photo-sharing tools).
- Do not simply accept defaults or standard configurations when installing software. Step through each option, understand the choices, and obtain technical assistance where necessary.
- Disable remote file sharing and remote printing within the operating system configuration. Allowing these could result in the accidental sharing or printing of files to locations where unauthorized individuals could view them.
Protect mobile devices – Laptops, smart phones and portable storage media are even more vulnerable to hacking, making it easier for hackers to gain entrance to your company data. Because of their mobility, these devices are easy to lose and vulnerable to theft. Make sure they are protected, too.
Establish a security culture – None of the above measures can be effective unless your staff is willing and able to implement them, and you enforce policies that require these safeguards to be used. In short, you must instill and support a security-minded organizational culture.