News Corp usually sets the news agenda, but the media giant recently hit the headlines when it emerged it had been targeted in a lengthy data breach.
“News Corp understands that, between February 2020 and January 2022, an unauthorized party gained access to certain business documents and emails from a limited number of its personnel’s accounts,” said an employee notice.
The company added that employee data may have been compromised in the breach, which could include names, dates of birth, driver’s license numbers, passport numbers, financial account information, medical information and health insurance information.
While News Corp says there’s no suggestion that the personal information has been used to conduct identity theft or fraud, the case is a timely reminder that data theft is a lucrative business for cyber-criminals. And unfortunately, every business is at risk of being targeted.
“When sensitive information falls into hackers’ hands, it can potentially be used to commit downstream cybercrimes,” Chief Information Officer Chris Crowther tells the Business Cyber Centre. “This could include applying for credit cards or loans in someone else’s name, accessing bank accounts and applying for fraudulent passports. The data can also be sold to other criminals on the dark web.”
From a business perspective – no matter whether you’re a multinational or an SME – data theft has the potential to cause devastating losses. Not only is the employer duty-bound to inform everyone affected, but if a third party, such as a client, is impacted, there is the potential for legal action. There’s also the interruption to your business to consider, plus the potential damage to your reputation.
Chris adds, “Within all this chaos, there is also the likely need to inform the UK Information Commissioner’s Office, or its European equivalents. This can lead to significant fines if the investigation proves negligence in ensuring that suitable policies, processes, controls and testing are in place.
“For any business, fighting cyber-crime is about hygiene and diligence. Just as you wash your hands every day and cough into your sleeve, good habits take a bit more effort, but they will keep you going in the long run.”
Know your assets: The first line of defence is to understand the boundary of your info-structure. Write a list of every piece of IT used by your business. Include laptops, phones and other devices, such as iPads and even printers.
Separate work and play: Keep work devices for work only, and only install the software that you need to do your job. If your computers are loaded with gaming software, personal email accounts and other packages you don’t need, this can leave you more vulnerable to hackers. This “bloatware” is quickly forgotten, goes unpatched and becomes an easy target for cyber-criminals.
Patch and protect: You might feel too busy to check for patches and software updates, but don’t delay security updates. Alert your team when a software update is due, and give them a deadline to see it through – this should happen every few weeks. Ensure every device on your list is covered, to help keep your network secure.
Limit account access: Ensure your team operates on a ‘need to know’ basis. Of course, employees need to log in and do their day job, but don’t give them the rights to download new software.
Add additional controls: As an absolute minimum, limit how many administrative accounts you have on your info-structure. These accounts must also have additional controls, to prevent criminals from getting super access to your data.