The hacking attacks on Equifax and Panera, less than a year apart, were highly publicized events. After all, 146.6 million people were affected by the Equifax breach, and Panera's attack compromised the rewards accounts of more than 37 million customers.
Other than the fact that they were breached by hackers, Equifax and Panera don't have much in common. Equifax might seem like the logical target for data and identity theft because it's one of the country's three major credit bureaus. Panera's breach affected its rewards program.
But what they do have in common is that they were breached through their web applications. In Equifax's case, the breach targeted Apache Struts, the open-source application framework underpinning its dispute portal web application. The vulnerability allowed attackers to run code on servers powering applications that used a web plugin built with Struts. Web applications, or software programs that run on remote servers and are accessed via web browsers, are becoming increasingly popular as more people conduct their business online. The technology exists to make these applications secure, but human error can negate many of those security measures.
Compared to housing your company's applications on local servers, web-based applications offer several important advantages. And web-based applications aren't likely to go anywhere soon, so the key to protecting your company is to give your employees the knowledge and tools they need to avoid puncturing holes in your system through these applications.
More than one type of breach
Panera's data breach exposed valuable information housed within its rewards program. It wasn't as obviously lucrative as Equifax's data, but it still presents a threat to the consumers affected. It's common for people to use the same email and password combinations for a variety of personal online accounts. If hackers gain access to that data, it becomes a lot easier for them to access other online portals – like a rewards member's financial accounts.
Even if your application doesn't collect such information, your company still runs on data. If hackers get in, they can lock you out of the system or commandeer the data until you pay a ransom. Regardless of the type of breach, consequences like hefty fines, lost customer loyalty and the embarrassment of having data stolen from you can hurt your company long after the breach has been resolved.
Hackers don't have to physically access a server to hack into a web application. They won't show up at your office with a thumb drive, and they don't have to steal an employee's laptop. All they have to do is trick someone with access into leaving an online door open. Some of the most common methods of stealing data are phishing and other email scams. One stolen password or careless click, and hackers can access your system from anywhere around the world.
Securing the weak points in web applications
Besides freeing up space on your company's servers, web applications are intended to combine security with convenience. No one has to install a program to access them, and system upgrades can be rolled out simultaneously to everyone who uses the application. But many companies don't take every necessary precaution. Be sure to prioritize these four critical measures.
1. Invest in a good anti-spam filter.
Spam is a hacker's email campaign. It's a zero-cost, infinite-returns investment that allows hackers to send out millions of emails daily. Even if they get only one click in return, their mission is accomplished. Because you can expect spam to keep coming, investing in a good anti-spam filter is worth it. It's one of the most important measures you can take.
It's also one of the least expensive security features. Most common email platforms, including Office 365 and Gmail, offer highly affordable anti-spam options for their users. No filter is 100 percent effective because spamming techniques are constantly evolving, but a good one can prevent the majority of scams and phishing emails from getting through.
2. Keep employees updated on phishing techniques.
A good anti-spam filter saves employees from wasting time sifting through garbage emails, but some of them will still make it into the inbox. Those are still a significant threat, so train employees to spot spam emails and avoid falling for them. The first lesson should be to remain suspicious of all unsolicited and unexpected communication.
These days, not all scams are obvious. For instance, hackers broke into LinkedIn's system through a spam campaign that mimicked legitimate email notifications. Train employees to never click on links in an email they didn't solicit and to be wary of other companies offering free goods, cash back and other rewards in exchange for personal information.
3. Train employees on cybersafety.
In addition to avoiding spam emails, it's important to train employees on how to use passwords that aren't easy to crack. They should never use any password for more than one account, and each one should be too complex to guess (i.e., nothing personal). Also, make it mandatory for employees to change their passwords every 60 to 90 days.
The more passwords your employees have to keep up with, the less likely they are to remember them all. Rather than writing them down on paper or saving them in a list on their personal devices, invest in a password storage tool. Most are free or cost less than $12 a year, and employees only have to remember a single complicated master password to access them when necessary.
4. Insure your company against errors and omissions.
As cyberattacks constantly evolve, there is no guarantee that your company will never fall victim. With errors and omissions insurance, you can protect your company and employees in case a breach occurs, provided you take all of the above precautions (and any others that the underwriter deems necessary).
For example, to qualify for the insurance, your company has to routinely train employees on up-to-date cybersecurity and email security protocols. That includes using complex, unique passwords; changing those passwords often; and implementing measures like anti-spam filters and data backups for optimal protection.
Even if you don't own or control your customers' sensitive information, simply having a web application for them to access means hackers are probably watching. Do all you can to keep them out by securing your web application and customer accounts with these few steps.