Technology has become more deeply integrated into all aspects of business processes and functions today. One evident example of this is the popularity of connected devices that handle personal information. This digitisation of businesses, however, exposes businesses to an increasing number of threats—especially if security risks are not managed properly.
Experts agree that attacks on security are increasing in sophistication and complexity as time goes on. Today, concerns about cybersecurity do not involve just the IT department anymore; this has become a business issue as well.
In fact, attacks on cybersecurity have greatly affected businesses as a whole. According to the 2017 Cost of Data Breach Study published by IBM Security, the largest component of the total cost of a data breach is lost business. These costs include abnormal turnover of customers, increased customer acquisition cost, reputation losses, and diminished goodwill. This is followed by costs in detection and escalation, such as forensics, root cause determination, organising incident response team, and identifying victims.
The likelihood of experiencing a data breach is now at a global average of 28%. Here are some more figures for particular countries:
The 2017 Verizon Data Breach Report revealed that the top victims of data breaches are: financial organisations (24%), healthcare organisations (15%), retail and accommodation (15%), and public sector entities (12%).
And although we're not halfway through 2018 yet, there are already three big data breaches that have compromised large brands this year.
Perhaps the most talked-about issue today is Facebook's data breach scandal. Last month, it was reported that Facebook's user data was improperly accessed by data-mining firm Cambridge Analytica. Through a third-party quiz app created in 2015, roughly 87 million people's personal information was harvested without the users' consent. According to reports, 70 million of those whose information was harvested are in the US, more than 1 million people in each of the UK, Philippines, and Indonesia, and around 310,000 in Australia.
It was reported that the data might have been used to build psychological profiles of users. In turn, these psychological profiles are used to target voters and place certain ads in their feeds. Looking at the big picture, it is one big effort to influence the outcome of the United States election in 2016.
Last Monday, Facebook has started sending out notifications to those accounts which have been affected by the breach. The notice comes with a link that allows users to see what apps they use and what information has been shared with those apps. There is also an option for users to shut off apps individually or turn off third-party access.
Approximately 150 million app users of MyFitnessPal owned by Under Armour have had their personal details leaked in a data breach. Investigations reveal that the personal details affected by the breach included usernames, email addresses, and passwords, but these were hashed with bcrypt encryption. Payment card data, government-issued IDs such as driver's licenses and social security numbers, and other information, were not affected.
It was also reported that health and running activity data was not specifically accessed; however, the hack opened up the possibility of attackers gaining access to this. Evgeny Chereshnev, CEO of Bilink Tech, explains what this could lead to:
“If these hackers were able to match these stolen login credentials to the users' actual fitness data, just imagine what could happen. Having this level of data would allow hackers to know that 'Mr. Smith' has a very specific and predictable pattern of behaviour. Fitness trackers don't only track calories and the number of steps a person walks in a day, it also knows where people are and at what time.”
It can be noted, however, that Under Armour seems to have responded particularly quickly to the breach. They issued a written statement on March 29th stating that they became aware of the breach on March 25th, when it occurred in late February of the current year. Compared to other high-profile incidents in recent years, Under Armour was able to detect and respond to the attack in a month's time. The Yahoo email data leak from 2013 took the company almost three years to identify the full extent of the attack.
It was discovered last February 5th that a subsidiary of FedEx has stored extremely sensitive data on an open Amazon S3 bucket. The data included thousands of scanned documents such as passports, driving licenses, security IDs, as well as home addresses, postal codes, and phone numbers.
According to Kromtech security researchers, the culprit seems to be Bongo International LLC—a package-forwarding business set up to make buying American goods easier for global customers, which FedEx bought out in 2014. The data they have from American and global citizens dates back to 2009 to 2012. Kromtech's Bob Diachenko stated that anyone who used Bongo International during that period is at risk of having their documents online for years. He adds:
“(It) seems like that bucket has been available for public access for many years in a row. Applications are dated within the 2009-2012 range and it is unknown whether FedEx was aware of that 'heritage' when it bought Bongo International back in 2014."
In the midst of increasingly complex data breaches and higher risks of experiencing security incidents, there are actions and measures that companies and businesses can take for an increased cybersecurity awareness and preparedness.
Here are the Five Pillars of Cybersecurity Readiness, as listed down by Australian Computer Society (ACS) in their Cybersecurity Guide:
1: Education and Awareness
Every business and every firm should have some form of cybersecurity education. As everyone within an organisation shares the same network, they share the responsibility for ensuring that best-practice cybersecurity processes are carried out.
It's also important to consciously stress the importance of cybersecurity inside the company. Only when there is increased awareness of the significance of cybersecurity will there be an effort to include it in the decision-making process, infrastructure investment, and regulatory and governance requirements of the organisation.
Another essential part of any cybersecurity readiness that should not be overlooked is the employment of qualified cybersecurity professionals or certified training for key IT and management staff.
2: Planning and Preparation
Dealing with cybersecurity incidents is more of a when rather than an if, and so with this, preparation is vital. Preparations for data breaches include management systems, best practice policies, IT auditing, and a composing a team dedicated staff responsible for cybersecurity operations.
The CISO (Chief Information Security Officer) or equivalent, will be responsible for good cybersecurity readiness of a firm. Some of his duties are: monitoring and detecting cybersecurity threats regularly, protecting critical systems and information, and ensuring the organisation meets all relevant standards compliance. The CISO should also have an incident response plan ready should a breach occur, as well as a clear business continuity plan to minimise any loss.
3: Detection and Recovery
The promptness of detecting and responding to a data breach plays a key role in minimising losses, whether it be financial, reputational, or others. With this being said, it's important to examine how quick your organisation responds to the data theft or the disabling of key services, or how fast your team can quarantine affected servers or workstations for forensic analysis.
Another important factor to evaluate is the agility of your team to restore lost or corrupted data. It will be helpful to ask these questions as well: What incident response plan do you have? Who are the stakeholders that need to be notified immediately?
When dealing with data breaches, always remember that it is not enough to just close the hole. It is very important to understand how the breach happened so that in the future, other similar breaches could be prevented.
4: Sharing and Collaboration
Collaboration and cooperation are essential not only in mitigating current risks but future risks as well. Sharing the results of your breach analysis with government and with the industry can be helpful in stopping a known attack vector from hitting other organisations. This will be beneficial for your company as well, as you may be able to prevent an exploit by learning from a breach that another organisation shared.
Some organisations may be bound by legislative requirements that impose on them restrictions in reporting an incident. At least, a breach should be reported to government agencies or organisations handling breach concerns.
5: Ethics and Certification
Ethics plays a great role in any company or organisation when it comes to issues concerning cybersecurity. In this context, it will be helpful to keep in mind the difference between a “white hat” hacker and a “black hat” hacker. The term “white hat” refers to a computer security expert who breaks into protected systems and networks to test and assess its security. On the contrary, a “black hat” hacker finds vulnerabilities in computer systems for personal financial gain or other malicious reasons.
Organisations ensure the reputation and respectability of a profession through maintaining standards; there are also organisations which hold a code of ethics that all professionals must abide by to preserve the principles and ideals in their field.
There are now more sophisticated motives behind cyber hacking other than data theft, extortion, and vandalism. Cyber hackers are now onto agendas such as espionage, market manipulation, and disruption of infrastructure, to name a few. More than awareness of security risks, there is a need for businesses today to actively invest in their cybersecurity in order to mitigate threats and risks. While organisations are now taking action to address this concern, there remains a large room for improvement. Ultimately, it is important for an organisation to evaluate what these cyber risks mean not only for the business as a whole but for its customers as well.
Build your dev team fast and risk-free with Cloud Employee. You can hire developers with us across these technologies. Learn how Cloud Employee works, check out our Developer Pricing Guide, or talk to us.