2018 was a year of both highs and lows for information security, asserts Guy Bunker. The enforcement of the EU’s General Data Protection Regulation (GDPR) took full effect in May which brought the importance of protecting sensitive customer data to the forefront of people’s minds in both the business and consumer landscapes. However, the headlines were still filled with one company after another reporting data breaches or receiving huge fines for sensitive information having been compromised.
What was interesting to see unfold over the last year was how many of the security incidents reported by organisations could have been avoided. Avoidance came down to implementing the correct security policies and technologies to tackle cyber security issues. Even major news such as the O2 network outage could have been avoided if the network provider had the correct measures in place to ensure the software was updated correctly.
Last September, Uber was retrospectively fined US$148 million for failing to notify drivers it had been hacked – with driver data being stolen – back in 2016. The company took just over a year to declare that the personal information of 600,000 drivers had been compromised and even paid $100,000 in ransom to ensure the breach was covered up.
The key takeaway from this is that paying a ransom will never remove the problem. The Internet never forgets, and the truth will eventually come out.
For Uber, this was a significant fine for the business to receive, but the episode has also been about reputational damage to the brand name. Trying to hide what went on has had a far-reaching impact on the company when a more honest approach would have resulted in rebuilding trust, rather than further damaging it.
It’s vital that all companies have a plan in place to manage a data breach should one occur. This includes having a process in place around communications to the various stakeholders, rapidly getting to the bottom of what happened and creating statements that can quickly and easily be released to customers, suppliers and, here in the UK, the Information Commissioner’s Office (ICO).
Just one month after the GDPR came into full effect, Ticketmaster announced that the data of multiple thousands of customers was accessed via a malicious hack on a third party support product. While we’re still waiting to understand the full extent of the breach and hear the final decision on a fine from the ICO, what we can learn from this incident is the importance of securing the extended enterprise.
With 75% of security incidents occurring as a result of episodes involving the extended enterprise – including customers, suppliers and partners –it’s important to ensure that security technology and processes are up-to-date across the entire network of companies.
The security of the supply chain is only as strong as the weakest link, so organisations need to ask suppliers and partners about their information security policies and procedures. If they’re not at least as good as ‘in-house’ then alternative solutions should be considered.
Implementing data loss prevention technologies that can stop critical information from being shared outside of the extended enterprise is a vital step in ensuring that all shared data is kept secure, no matter where it’s stored.
After a year of the breach going undetected, last June also saw Dixons Carphone announce that ten million customers’ data – including names and e-mail addresses – had been stolen. While around 100,000 payment cards without Chip and PIN protection were compromised, having access to the other information makes it much easier for hackers to launch a phishing attack on customers and gain full bank or credit card details. All the information that’s required is there to make it appear like the e-mail has originated from the targeted company.
As a huge organisation that holds and processes millions of customer records each year, Dixons Carphone should have had an information security solution in place that protected its customer databases effectively in order to stop this kind of attack from being carried out.
Threat detection technology is a ‘must’ for companies that handle large amounts of client data – including payment details – as it’s able to detect when someone’s trying to take structured data across the organisation’s boundary and has the ability to prevent it from leaving.
Towards the end of last year, Morrisons lost its challenge to a High Court ruling, meaning the supermarket giant was held accountable for a 2014 malicious data breach that saw thousands of its employees’ details posted online.
Stolen data, including salary and bank details, was leaked and Morrisons has since then been arguing that it could not be held responsible for such criminal misuse of data. In fact, and the GDPR has made this very clear, data breaches caused by employees – whether they are maliciously motivated or just a mistake – are the responsibility of the host organisation. For those organisations who share information with other third parties, the responsibility is the same – if they suffer a breach, then they are also held accountable.
While much of the process behind ensuring that employees handle critical data correctly comes down to educating them, in the case of a malicious insider, having technology solutions in place to detect misuse is a must. Data loss prevention technologies, and associated functionalities, offer the greatest chance to mitigate data leaks by providing visibility into both malicious and inadvertent data leak activity.
Having the ability to detect and either redact or stop any critical information from being shared outside of the organisation is a ‘must’ and ensures the information the malicious user is trying to steal cannot leave the network.
Recently, the UK’s second biggest mobile network provider, O2, suffered a major network collapse due to an expired software certificate. Over 25 million customers were affected and had no access to mobile data. Many suffered the loss of text and call capabilities.
Digital Certificates are an essential part of an IT infrastructure. They’re small pieces of code created using sophisticated mathematics to ensure that communications between devices or websites can be trusted and are therefore secure. Having an out of date certificate means that devices no longer trust each other and simply refuse to connect. This is exactly what happened in O2’s case. The end result? Chaos.
The ever-increasing complexity of IT infrastructure makes it ever-more challenging for IT professionals to stay ahead. While certificates are one issue, it’s the patching of the Operating System and applications in general which also causes problems (a key example of where this can go wrong being 2017’s WannaCry incident). Organisations of all sizes need to implement Best Practice around the patching of systems, as well as ensuring there are processes in place to regularly check on other critical items such as certificates.
Mitigating data breaches in 2019 and beyond
Looking back on 2018 and the number of data breaches that occurred certainly highlighted that many organisations – both large and small – need to increase their focus on cyber risk prevention. This could be anything from investing in cyber training for employees to improving preventative processes and deploying new solutions to address the new risks which are coming to the fore.
Cyber attacks and data leaks are, unfortunately, now more prevalent than they’ve ever been, while the consequences of breach episodes for targeted organisations are higher than ever before.
The top cyber security focus and investment areas that businesses should be addressing in 2019 are:
Investment in people Provide the required amount of resources with the right skills such that the organisation can effectively maintain systems and review and update security policies and procedures. Develop cyber training and awareness programmes that educate staff and drive information security as a core part of the organisation’s culture
Investment in technology Technology is available to enforce policies and support people to collaborate safely online. Today’s advanced solutions can mitigate both inbound information-borne cyber attacks as well as outbound data loss risks at the same time (either of which can cause a major data breach with potentially damning financial and reputational consequences).
Dr Guy Bunker is Senior Vice-President of Products at Clearswift