In 2011, Sony Pictures suffered an easy SQL injection attack by LulzSec (a hacktivist group), which released around 1 million user accounts, including passwords, email addresses, home addresses, dates of birth, etc., breaking the privacy policy of their service. In the same year, Citigroup suffered exploitation of an Insecure Direct Object Reference (changing numbers in URLs after entering valid details), which leaked the information of 200,000 of its credit card users. Even enterprises like Apple and Uber have suffered data breaches.

Does this mean that software companies are secure? Are our data and personal information secure? What are large companies with massive amounts of data doing to prevent the loss of our personal data? Here are some standard practices that companies follow.

Keeping Track of The Data

The most crucial step in securing data is knowing where the information is stored. Knowing the location of data at all times helps in finding vulnerabilities, so that teams can work out solutions to the weak links.

Most companies use data discovery tools to track their data, see which computer has access to which data, and encrypt or delete vulnerable data.

Designed by Shalmali Sriram

Encryption

Data records are lost and stolen frequently. Encryption is designed to protect data while it moves and while it is stored in network storage. Encryption makes the data unreadable without a secret code or decryption code.

Source: Aureon, "Data Encryption: Why you should protect your business"

From encrypted hard drives, USBs, and phones to data encrypted prior to its transfer to the cloud or onto portable devices, encryption has become a must for all companies looking to secure their sensitive information.

Due to the pandemic, most work is now done from home. Thus, most of the devices used by workers are away from the company's safety net and prone to theft or loss. Encryption keeps the data on such devices protected if that happens.

Protecting the cloud

Companies are storing more and more data in the cloud, making it an integral part of the digitalization of data. This makes the cloud a very lucrative target for hackers looking to steal data. Thus, protecting the cloud is very important.

Google Cloud has released 'shielded VMs (virtual machines),' a set of security controls set up to harden its security against rootkits and bootkits as well as malicious threats. Other cloud service providers (CSPs) have launched cloud security technologies to prevent hostile attacks.

While many argue that the security measures CSPs apply to their servers far exceed what any modest or even large company is likely to apply to its on-site servers, the feeling that the security of their most sensitive data is out of their hands makes many organizations nervous. Big companies limit the types of data stored in the cloud and encrypt sensitive data, in addition to using tools specialized in cloud data protection.

Educating employees at all levels

Human error is one of the weakest links in the flow of data. Whether through ignorance or negligence, employees and system glitches account for 49% of data breaches, according to a survey conducted by the Ponemon Institute.

The majority of data breaches are caused by employees accidentally falling victim to hacking, skimming, or phishing attacks. According to the Ponemon Institute, these attacks cost companies an average of $3.5 million (Rs. 28.4 crores).

Considering these figures, it's clear that most organizations have room to enhance their employee cyber education. The Ponemon Institute also estimates that training employees would save companies $204 (Rs. 14,000) per employee in large companies and $3533 (Rs. 2.65 lakhs) in small companies.

Software like Data Loss Prevention solutions can act as an efficient enforcement method by setting clear policies that protect and restrict access to sensitive data. Employees should stay alert when opening unknown emails and keep their systems up to date.

Prevent database attacks

Data entering an organization can be a dangerous vector used to attempt to gain access to the system. Many of these strategies rely on passing dangerous payloads to poorly designed systems, exploiting flaws to gain control.

Source: cWatch

SQL injection is a classic example, occurring when a hacker intentionally appends SQL code to seemingly harmless data like a customer name in a web application. Flaws in the underlying software can result in arbitrary execution of this code, resulting in data being unintentionally returned to the hacker.

These attacks are particularly dangerous because they may not cause an error or other event that might attract the attention of IT administrators overseeing security.
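The flaw and its fix can be seen side by side in the following added example, which is not code from the original article. It uses Python's built-in sqlite3 module with a constructed customers table; the function names, the sample rows and the crafted name are assumptions made for illustration.

```python
import sqlite3

# Constructed input: a "customer name" that carries SQL syntax.
CRAFTED_NAME = "x' OR '1'='1"

def make_db():
    # In-memory database with constructed sample rows.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return db

def lookup_vulnerable(db, name):
    # Flawed: the name is pasted into the SQL text, so a quote in the
    # input changes the structure of the statement itself.
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # Hardened: the name is a bound parameter. The driver passes it as a
    # value to compare against, and it is never parsed as SQL.
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def exceeds_expected(rows, expected_max=1):
    # Detection aid (hypothetical heuristic): the flawed query raises no
    # error, so flag a single-name lookup that returns too many rows.
    return len(rows) > expected_max

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        rows = fn(db, CRAFTED_NAME)
        print(label, len(rows), "rows, flagged:", exceeds_expected(rows))
```

Both functions behave identically for an ordinary name, which is why the flaw tends to survive normal testing; only the row-count check or a review of how the query is built reveals it.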

Technology powerhouses like Google, Microsoft, and Apple know how to get security right. They invest in the best technology, processes, and people to ensure that their engineering teams create secure software. Large cyber-security teams are hired to combat data breaches. Response teams are active, and cyber-security is being developed further, including security solutions with artificial intelligence, machine learning, analytics, and automated incident response orchestration.

Cover Photo Source: FNBC, "Data Privacy Day: Protect Yourself Online"