The ABTA breach is a cyber-warning to small businesses

Last week ABTA – the UK’s largest travel trade organisation – admitted it had suffered a data breach, potentially putting more than 40,000 users at risk of identity theft.

NB: This is a viewpoint by Lee Munson, security researcher for

Individuals and businesses were hit, and while there is a lot of advice for the former, the latter need to pay attention.

Data breaches truly are scary, both for the company that has been attacked, and for the customers of that organisation. The primary area of concern surrounding a breach is the loss of information. While corporate data often has some value, customer records are often the real target and, yes, that should worry those whose information is stolen.

Personal data, such as names, postal addresses, email addresses and credit card details can be used to commit identity theft and other types of fraud, as well as to perpetrate convincing phishing scams that often reference the original breach itself.

While passwords are an important means of protecting an account – assuming they are strong (a mix of letters, numbers and symbols, at least twelve characters long and not words found in the dictionary) and unique to every account – they may or may not be helpful in the event of a breach. If the compromised company did not hash and salt the records under its control, no password will keep the attacker out. Therefore, good defence is needed.
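To illustrate the hash-and-salt point above, here is an added example (not part of the original article) that stores the same constructed passwords first as unsalted fast hashes and then as per-record salted PBKDF2 hashes. The function names, the iteration count and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware


def weak_record(password: str) -> str:
    """Unsalted, fast hash: identical passwords give identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def new_record(password: str) -> dict:
    """Salted, slow hash: a fresh random salt is stored beside each digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def duplicate_groups(stored_values: list) -> int:
    """Count stored values that are shared by more than one account."""
    return sum(1 for v in set(stored_values) if stored_values.count(v) > 1)


if __name__ == "__main__":
    # Constructed sample: two customers happen to choose the same password.
    passwords = ["Tr4vel!Agent#2017", "Tr4vel!Agent#2017", "x9$Lm2&qPz!7"]
    weak = [weak_record(p) for p in passwords]
    strong = [new_record(p) for p in passwords]
    print("unsalted duplicates:", duplicate_groups(weak))
    print("salted duplicates:  ", duplicate_groups([r["hash"] for r in strong]))
    print("login check:", verify(passwords[0], strong[0]))
```

With unsalted records, one shared stored value reveals which accounts use the same password; with a random salt per record, every stored value is different even when the passwords match.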

Further tips for small businesses

Personal security extends into the business, so if individuals are practising good security hygiene at home, it’s likely to carry on in the office. Phishing emails can be sent to business email addresses as well as personal ones, so staff need to learn to identify them and be aware of the dangers of clicking on a link in an email.

It is also imperative that staff know about the importance of passwords. Employers should reinforce to staff the importance of not using the same email for their personal accounts as for business ones.

A good defence of intellectual property and customer data begins at the perimeter of a business. To this end, all servers, desktops and other devices should be protected with security software, and networks locked down with a firewall. Once these are installed, keep all operating systems and other software up to date at all times by doing regular checks and updates.

Next comes risk assessment – knowing what data is valuable, where it is held within the company, who is responsible, how much value it has to an intruder and how easy it is to steal or compromise. A formal or informal audit along these lines can help small businesses focus their attention and limited resources in an appropriate and cost-effective manner.

Once the information is identified, back up important data regularly and check the integrity of those backups, keeping them off-site. Companies should also implement encryption wherever there is a business need to do so, particularly if they hold sensitive or confidential information.

It also helps if the organisation is aware of the common types of internet attack.

Contrary to popular opinion, it is often not the technology itself that leaves a company open to a data breach or other form of attack; rather it is poor implementation or misguided choices by those who engage with it.

Letting employees know about the theory and practice of breaches is important. Human error (deliberate or otherwise) is a common theme when it comes to data breaches. A little bit of awareness training goes a long way in minimising the risks posed by common attack methods such as phishing emails, email links to undesirable websites and the threat of ransomware entering the company’s network.

Furthermore, businesses should ensure that all staff are familiar with their roles and responsibilities when something does go wrong, as the biggest risk around technology is often that of human failure.


NB2: Image by Kenishirotie/BigStock
