2018 has been a year of ups and downs for information security. We’ve seen the enforcement of the EU’s GDPR take full effect, bringing the importance of protecting sensitive data to the forefront of people’s minds, with practical steps being taken to ensure compliance. However, while 2018 should have been the year that cyber security incidents fell, the headlines were, once again, filled with one company after another reporting breaches or receiving huge fines for compromised sensitive data.
What has been interesting to see unfold this year is how many data breach incidents were reported that actually could have been avoided should the correct security policies and technologies been put in place. Even huge news such as the recent O2 network outage could have been avoided if the organization had correct measures in place to ensure employees updated the software correctly.
Below are 5 major cyber security incidents that have occurred this year that could have (and should have) been avoided:
In September, Uber was retrospectively fined USD$148m for failing to notify drivers they had been hacked back in 2016. The company took just over a year to declare that personal information of 600,000 drivers had been stolen and even paid USD$100,000 in ransom to ensure the breach was covered up.
The key takeaway from this is paying a ransom never gets rid of the problem. The Internet never forgets, and the truth will (eventually) come out. For Uber, this was a significant fine, but it is also about reputational damage. Trying to hide what went on has a far reaching impact on the company when a more honest approach would have resulted in rebuilding trust rather than further damaging it. It’s vital that all companies have a plan in place to manage a data breach should one occur. This includes having a process in place around communications to the various stakeholders, rapidly getting to the bottom of what happened and creating statements that can quickly and easily be released to customers, suppliers and in the UK, to the ICO.
Technology should be leveraged to enhance threat prevention. Advanced solutions can remove embedded active-content from weaponized documents - a common source of ransomware distribution - as well as malicious links from innocuous looking email and web pages. Clearswift’s SECURE Email and Web products have these advanced features inbuilt to inspect and detect active content in email communications, including attachments such as documents, web links and images. This ensures that any cyber-attack on the organization is halted at the boundary, removing the risk of employees making a simple error of clicking a malicious link or opening a weaponized document, and protecting the network from a malware infection.
Just one month after GDPR came into full effect, Ticketmaster announced that the data of its 40,000 customers’ was accessed due to a malicious hack on a 3rd party support product. While we’re still waiting to understand the full extent of the breach and hear the final decision on a fine from the ICO, what we can learn from this incident is the importance of securing the extended enterprise.
Nearly a quarter (24%) of security incidents occur as a result of the actions of those within the extended enterprise – including customers, suppliers and partners – so it’s important to ensure that security technology and processes are up to date across the entire network of companies. Security is only as strong as the weakest link. Organizations need to ask suppliers and partners about their information security policies and procedures. If they are not at least as good as ‘in-house’, then they should consider alternatives. Implementing technologies such as Adaptive Data Loss Prevention (A-DLP) across the extended enterprise will be a vital step in ensuring all shared data is kept secure no matter where it is stored.
3. Dixons Carphone
After a year of the breach going undetected, June also saw Dixons Carphone announce 10 million customers’ data – including names and email addresses – had been stolen. Around 100,000 payment cards without chip and pin protection were compromised. However, having access to the other information makes it much easier for hackers to launch a phishing attack on customers and gain their full bank or credit card details. All the information which is required is there to make it appear that the email has come from the targeted company.
As a huge organization that handles millions of customer details each year, it is vital that Dixons Carphone have an information security solution in place that is able to protect their customer databases effectively and essentially stop this kind of attack from happening. Clearswift’s SECURE Web Gateway provides an unprecedented layer of threat detection and Active Code sanitization to prevent attacks being successfully distributed into the network. In addition, its Adaptive Data Loss Prevention functionality would have been able to detect the large amount of structured data attempting to be passed across the organizational boundary and would have stopped it from leaving.
Morrisons has recently lost its challenge to a High Court ruling, meaning the supermarket giant is liable for a 2014 data breach that saw thousands of its employees' details posted online. Employee Andrew Skelton stole data, including salary and bank details, and leaked the information and Morrisons has been arguing that it could not be held responsible for this criminal misuse of data. But in fact, and GDPR has made this very clear, data breaches caused by employees – whether they are maliciously motivated or just a mistake – are the responsibility of the organization. For those organizations who share information with other third parties, the responsibility is the same – if they suffer a breach, then you are also held accountable.
While much of the process behind ensuring employees handle critical data correctly comes down to educating them, in the case of a malicious insider, having technology solutions in place to detect misuse is a must. A-DLP technology, and its associated functionalities, offers the greatest chance to mitigate data leaks as it provides visibility into both malicious and inadvertent data leak activity. Using the Adaptive Redaction technology, it has the ability to detect and either remove or stop any critical information from being shared outside the organization. By automatically removing information which breaks policy, the inadvertent mistake doesn’t result in a ‘stop and block’ approach which damages collaboration. While for the malicious user, the information they were trying to steal has gone.
Recently, the UK’s second biggest mobile network provider, O2, suffered a major network collapse due to an expired software certificate. Over 25 million customers were affected and had no access to mobile data – and many suffered loss of text and call capabilities.
Digital Certificates are an essential part of IT infrastructure. They are small pieces of code created using sophisticated mathematics to ensure that communication between devices or websites can be trusted and are therefore secure. Having an out of date certificate means devices no longer trust each other and simply refuse to connect. This is exactly what happened in O2’s case. The end result? Chaos.
The ever-increasing complexity of IT infrastructure makes it ever more challenging for IT professionals to stay ahead. While certificates are one issue, it is the patching of the Operating System and applications in general which also causes problems – a key example of where this goes wrong being 2017’s Wannacry incident. Organizations of all sizes need to implement best practices around patching of systems, as well as ensuring there are processes in place to regularly check on other critical items, such as certificates.
Mitigating data breach risks in 2019 and beyond
Looking back on 2018 and the number of data breaches that took place, it certainly highlighted that many organizations – both large and small – need to increase focus on cyber risk prevention. Whether this is investing in training for employees, or deploying new solutions to address the new risks which are coming to the fore – ‘cyber’ should be at the top of all monthly business meeting agendas. Cyber-attacks and data leaks are, unfortunately, more prevalent than they have ever been and the consequences to organizations are higher than ever.
The top cyber focus and investment areas that organizations should be addressing in 2019 are:
- Investment in people: Provide the required amount of resources to effectively maintain systems, review and update security policies and procedures. Develop cyber training and awareness programs to educate staff and drive information security as part of the organizations culture.
- Investment in technology: Technology is available to enforce policies and support people to collaborate safely online. Today’s advanced solutions can mitigate both inbound information borne cyber-attacks as well as outbound data loss risks at the same time – either of which can cause a breach and resulting consequences.
Clearswift is proud to be recognized on the Gartner Magic Quadrant for Enterprise Data Loss Prevention technology. Contact our team for a discussion to find out more about our products and solutions; how they can help mitigate cyber risks and enhance data protection through business collaboration channels.