With the data breach at Anthem exposing health records for 80 million people, IT departments around the country got a gut check. Despite high data security standards and increasing awareness of cyber threats, yet another major company was hacked.
How did criminals break into Anthem's IT? The hackers were able to access Anthem's secure (and normally encrypted) records after they got access to an admin's credentials. In the cyber security world, that's like losing the keys to the kingdom. With admin-level access, it wasn't hard for hackers to steal millions of records.
As an IT consultant, you're probably tired of reading sensationalist news stories about data breaches, so let's look at this story in terms of what you can learn from Anthem's mistakes.
How to Hack the Nation's Second Largest Healthcare Company
MIT Technology Review's write-up of the Anthem hack points out that hackers had access to at least five employee accounts. Experts figure that hackers used a spear-phishing attack to focus on employee accounts that were most likely to have access to secure data.
How does a spear-phishing attack work? Like other phishing attacks, spear-phishing campaigns trick users into opening malware-laced emails. What makes spear-phishing attacks so much more dangerous is that they target specific high-level users.
A quick social media and LinkedIn search would allow hackers to glean information on what technology Anthem used to secure its network and which employees were in charge. With that information, hackers would have been able to customize an attack that would give them high-level access to Anthem's systems.
Read "Re: Your Recent Spear Phishing Attack" to learn more about how these attacks work.
3 Things IT Consultants Can Learn from the Anthem Data Breach
When a huge company is hacked, it's not always clear what it means for the small-business owner or IT contractor. But here are three takeaways that are relevant for every tech professional:
- Data encryption is not foolproof. After many data breaches, the refrain you hear is that so-and-so should have encrypted their data (ahem, Sony Pictures). But because high-level accounts were compromised in this data breach, encryption may not have mattered because these accounts usually have permissions that allow them to access and unlock encrypted records.
- Access to data should be limited, even among admins. Some security experts are arguing for different types of encryption that only allow admins to have segmented access to data. Theoretically, this strategy could limit some of the damage of an intrusion. The growth of more targeted spear-phishing attacks suggests that this is a smart plan.
- Breaches aren't going away. USA Today reports that at a recent cyber security conference, the FBI warned that 500 million financial records have been hacked in the last 12 months. The totals are startling. The last year and a half has seen an epidemic of data breaches, but there has also been an increase in phishing attacks on small businesses.
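To make the second takeaway concrete, here is an added illustration (not code from the original post or from Anthem) of segmented access: each segment of the record store is encrypted under its own data key, an admin is handed only the keys for the segments they are granted, and a "breach exposure" check counts how many records one compromised credential can actually decrypt. The store, segment names, admin records and the toy HMAC-based cipher are all constructed for this example.

```python
import hashlib
import hmac
import os

# Toy authenticated stream cipher built from the standard library only, so the
# example runs offline; a real system would use an AEAD such as AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise PermissionError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class SegmentedRecordStore:
    """Every segment (region, business unit, ...) is encrypted under its own data key."""
    def __init__(self, segments):
        self._keys = {s: os.urandom(32) for s in segments}
        self.records = {}  # (segment, record_id) -> ciphertext
    def grant(self, admin: dict, segment: str) -> None:  # no master key: one segment per grant
        admin.setdefault("keys", {})[segment] = self._keys[segment]
    def put(self, segment: str, record_id: str, plaintext: bytes) -> None:
        self.records[(segment, record_id)] = encrypt(self._keys[segment], plaintext)
    def read(self, admin: dict, segment: str, record_id: str) -> bytes:
        key = admin.get("keys", {}).get(segment)
        if key is None:
            raise PermissionError(f"{admin['name']} holds no key for segment {segment}")
        return decrypt(key, self.records[(segment, record_id)])

def breach_exposure(store: SegmentedRecordStore, admin: dict) -> int:
    """Count the records one compromised credential can actually decrypt."""
    exposed = 0
    for segment, record_id in store.records:
        try:
            store.read(admin, segment, record_id)
            exposed += 1
        except PermissionError:
            continue
    return exposed
```

Running `breach_exposure` for a regional admin versus an admin granted every segment shows the difference the takeaway is about: the phished regional credential unlocks only its own segment, while a single all-segments credential unlocks everything.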
Whether you have clients that work in healthcare or just businesses looking to protect their customer records, your IT business is seeing an increased exposure to data security risks. The good news is that even as your clients are more concerned with security, the same small business insurance can cover your professional liabilities.
Errors and Omissions Insurance (also called Professional Liability Insurance) pays for lawsuit costs when clients are hacked. Whether it's a spear-phishing attack or a strain of malware that slips past your client's security software, E&O Insurance can pay your legal expenses when a client sues you.
For cost estimates on E&O, see our sample insurance quotes for IT professionals.