It’s now commonplace to hear of high profile organisations suffering cyber attacks.
The standout stories now are when the breach goes undetected by the victim organisation for a prolonged period of time, and that’s when the reputational damage to organisations really hits.
Recent headlines have focused on an infiltration of Yahoo’s infrastructure that went on surreptitiously for two years.
500 million accounts were reportedly hacked, making it the largest breach in history, and yet the company did not discover the intrusion until customer information went up for sale on the Dark Web.
This example illustrates a shift in attackers' approach: gone are the days of smash and grab; it is now a case of softly, softly, catchee monkey, the monkey being data: emails, passwords, addresses, bank details and so on.
Yahoo can take small comfort in the fact that it is not the first company to be unaware that it was under attack and that its customers’ private information was continuously accessed.
TalkTalk and JD Wetherspoon have found themselves in a similar position in recent years. But when trust is such an important component of customer and investor relations, the impact of an undetected breach on a business's reputation can be devastating.
TalkTalk lost 100,000 customers after data that included credit cards, bank account numbers, names and phone numbers was revealed to have been stolen.
For Yahoo, the previously agreed sale of its internet business to Verizon is in jeopardy, starting with the latter demanding a $1 billion discount.
As if negative publicity and brand deterioration wasn’t bad enough, if stolen customer details are sold by the perpetrators, the victim organisation can expect a hefty fine by the data authorities.
TalkTalk was ordered to pay a record £400,000 for failing to stop the theft of 150,000 customer details, and it’s only going to get tougher: new EU legislation is set to introduce higher penalties for security breaches.
In the US organisations can expect to be liable for significant victim payouts: Yahoo is being sued by an individual customer as part of a class-action suit on behalf of all those affected in the US.
Yahoo will no doubt argue that the breach was not due to carelessness or incompetence, and it is true that attackers are frequently a step ahead of the latest security measures, continually devising new methods of infiltration.
Defenders then have to discover those methods and devise a fix, so there is always a window in which a new technique works. As the world creates, and becomes increasingly dependent on, data, hackers will find more opportunities to exploit vulnerabilities.
Digitisation, big data and IoT are all fuelling rapid growth of the number of devices connected to the internet, affording hackers more access points.
While organisations must do everything they can to secure their systems, we all have to accept that there simply is no such thing as 100 per cent security.
Cyber security is no longer an optional extra for businesses, but it would be naive to assume that whatever protection we have is going to keep hackers out universally.
The insurance that companies rely on for data privacy and cyber security is important, but it will not cover the fines and lawsuits if a breach is deemed to result from negligence, and it will not cover loss of reputation. Businesses therefore need a plan for what to do when (not if) their security is compromised.
The first part of this is realising that it has been compromised.
Yahoo and other victims were only alerted once the stolen data went up for sale.
Businesses need breach detection technology to monitor anomalous behaviour on the network and detect when data is being compromised.
As attacks are increasingly bespoke, older technology that relies on recognising the signatures of known tools will not be up to the job.
Businesses need next-generation breach detection designed for big data and evolving cyber attack techniques.
The sooner you know you have been breached, the quicker you can react and manage the situation.
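The kind of anomaly-based detection described above, as an added example that is not part of the original article or of Rocket Software's products: it builds a per-host baseline of daily outbound volume and of the destinations each host normally contacts, then flags a day on which a host sends far more than usual or talks to a destination never seen before. The flow records, host names and thresholds are constructed for the example.

```python
"""Added example: anomaly-based breach detection over outbound flow records.

Builds a per-host baseline of daily egress (median and MAD) and of the external
destinations each host normally talks to, then flags a day on which a host sends
far more than usual or contacts a destination never seen in the baseline.
The flow records are constructed for this example, not real traffic.
"""
from collections import defaultdict
from statistics import median

# Constructed sample records: date, host, destination, bytes_out.
# db01 normally sends ~2 MB/day to two addresses; on 09-05 it pushes 48 MB to a new one.
FLOWS = """\
2016-09-01,db01,203.0.113.10,1200000
2016-09-01,db01,203.0.113.11,900000
2016-09-02,db01,203.0.113.10,1100000
2016-09-02,db01,203.0.113.11,1000000
2016-09-03,db01,203.0.113.10,1300000
2016-09-03,db01,203.0.113.11,950000
2016-09-04,db01,203.0.113.10,1250000
2016-09-04,db01,203.0.113.11,1050000
2016-09-01,web01,198.51.100.5,40000000
2016-09-02,web01,198.51.100.5,42000000
2016-09-03,web01,198.51.100.5,39000000
2016-09-04,web01,198.51.100.5,41000000
2016-09-05,db01,203.0.113.10,1150000
2016-09-05,db01,192.0.2.77,48000000
2016-09-05,web01,198.51.100.5,43000000
"""

def parse_flows(text):
    """Parse CSV-style flow lines into (date, host, dst, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        date, host, dst, nbytes = line.strip().split(",")
        rows.append((date, host, dst, int(nbytes)))
    return rows

def daily_egress(rows):
    """Sum bytes_out per host per day: {host: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, host, _dst, nbytes in rows:
        totals[host][date] += nbytes
    return totals

def build_baseline(rows, train_dates):
    """Per host: robust centre/spread of daily egress and the set of known destinations."""
    train = [r for r in rows if r[0] in train_dates]
    egress = daily_egress(train)
    dests = defaultdict(set)
    for _date, host, dst, _nbytes in train:
        dests[host].add(dst)
    baseline = {}
    for host, per_day in egress.items():
        vals = list(per_day.values())
        med = median(vals)
        mad = median(abs(v - med) for v in vals)  # median absolute deviation
        baseline[host] = {"median": med, "mad": mad, "dests": dests[host]}
    return baseline

def detect(rows, baseline, day, k=5, floor=0.1):
    """Return (host, reason) alerts for one day.

    Volume rule: egress > median + k * spread, where spread is the MAD floored at
    a fraction of the median so that very regular hosts do not alert on noise.
    Destination rule: any contact with a destination absent from the baseline.
    """
    alerts = []
    today = [r for r in rows if r[0] == day]
    for host, per_day in daily_egress(today).items():
        b = baseline.get(host)
        if b is None:
            alerts.append((host, "no baseline for host"))
            continue
        spread = max(b["mad"], floor * b["median"])
        total = per_day[day]
        if total > b["median"] + k * spread:
            alerts.append((host, f"egress {total} bytes vs baseline median {int(b['median'])}"))
    for _date, host, dst, _nbytes in today:
        if host in baseline and dst not in baseline[host]["dests"]:
            alerts.append((host, f"new external destination {dst}"))
    return alerts

if __name__ == "__main__":
    rows = parse_flows(FLOWS)
    base = build_baseline(rows, {"2016-09-01", "2016-09-02", "2016-09-03", "2016-09-04"})
    for host, reason in detect(rows, base, "2016-09-05"):
        print(f"ALERT {host}: {reason}")
```

Run against the constructed data, db01 trips both rules on 2016-09-05 while web01, whose traffic is large but steady, stays quiet; that is the point of baselining per host rather than applying one global threshold. A real deployment would feed this from flow or proxy logs and maintain the baseline over a rolling window.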
Large companies face huge challenges to prevent data from leaking out through multiple exit points scattered across the enterprise.
Organisations must identify and strive to bolster weak points and improve practices throughout the organisation to increase awareness and vigilance.
One of the weakest points in an organisation is its employees: connecting multiple devices to the corporate network, possibly over unsecured wi-fi, choosing obvious passwords and leaving them written on a post-it note in plain view are all common lapses.
Accordingly, staff training on basic security practice and awareness of cyber threats is paramount.
Cyber attacks should be viewed along the lines of a fire risk, with employees running through drills periodically, exploring “what-ifs”.
Organisations need to keep updating security and adding in new layers as they grow and become more digitised.
The most important layer is encryption. Once hackers have gained entry to your network, you can still keep them out of confidential data, provided the keys are held separately from the data they protect: a copy of an encrypted database is of little use to a thief who cannot also reach the key store.
If TalkTalk had deployed a more rigorous data security regime and encrypted all of its customer data, the stolen records would have been far less valuable to the thieves and the huge fines might well have been avoided.
The Yahoo breach also suggests that not all of the stolen data was encrypted, and it could reverberate on to corporates, because some users will undoubtedly have reused their Yahoo credentials for work accounts.
Data should be regarded as the crown jewels – protect the Tower as much as possible but assume someone determined can get in.
Put that extra layer of security around your most valuable assets, but if they do manage to run off with your data, you have to know about it and what your next steps will be: make sure the alarm is sounded and your dogs immediately run out snapping at the hacker’s heels.
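The "extra layer around the crown jewels" above, as an added example that is not code from the article or from Rocket Software: each customer record is encrypted under its own data key, and that key is in turn wrapped under a master key that never lives in the database, so a stolen table dump holds only ciphertext. The customer data is constructed, and the cipher is an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, used here only as a dependency-free stand-in for AES-GCM.

```python
"""Added example: envelope encryption of customer records with the key held apart.

Each record is encrypted under its own data-encryption key (DEK); the DEK is wrapped
under a key-encryption key (KEK) that never sits in the database (an HSM or KMS in
practice, a process variable here). A dump of the table then yields ciphertext and
wrapped keys only. The AEAD below is an HMAC-SHA256 counter-mode stream cipher with
an encrypt-then-MAC tag: a dependency-free stand-in for AES-GCM, not a production cipher.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32

def _subkeys(key):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key, nonce, length):
    """PRF in counter mode: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def aead_encrypt(key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag, with the associated data bound into the tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, tampered row or wrong record id")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def seal_record(kek, customer_id, fields):
    """Encrypt one customer's fields under a fresh DEK and wrap the DEK under the KEK.
    The customer id is bound as associated data so a row cannot be re-pointed at another customer."""
    dek = os.urandom(32)
    aad = str(customer_id).encode()
    body = aead_encrypt(dek, json.dumps(fields, sort_keys=True).encode(), aad)
    wrapped = aead_encrypt(kek, dek, aad)
    return {"id": customer_id, "wrapped_dek": wrapped.hex(), "body": body.hex()}

def open_record(kek, row):
    """Unwrap the DEK with the KEK, then decrypt and parse the body."""
    aad = str(row["id"]).encode()
    dek = aead_decrypt(kek, bytes.fromhex(row["wrapped_dek"]), aad)
    return json.loads(aead_decrypt(dek, bytes.fromhex(row["body"]), aad))

def needle_in_dump(rows, needle):
    """What a thief holding only the table sees: is the sensitive value visible in it?"""
    return needle.encode() in json.dumps(rows).encode()

if __name__ == "__main__":
    kek = os.urandom(32)  # in practice fetched from a KMS/HSM, never stored beside the rows
    # Constructed sample customer; the card number is a well-known test value
    rows = [seal_record(kek, 1001, {"name": "A. Customer", "card": "4111111111111111"})]
    print("card visible in dump:", needle_in_dump(rows, "4111111111111111"))
    print("decrypted with KEK:", open_record(kek, rows[0]))
```

The design choice that matters is where the KEK lives: if it is stored in the same database, or hard-coded in the application the attacker has already compromised, the encryption adds nothing. Binding the customer id as associated data also means a thief who can write to the table cannot splice one customer's encrypted details into another's row without tripping the tag check.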
Sourced by Richard Whomes, senior director at Rocket Software