At the beginning of November 2014 a small group of representatives from Norse Corp, a “threat-intelligence” firm in Silicon Valley, arrived at Sony Pictures Entertainment in the Los Angeles suburb of Culver City. After a quick security check at the front gate the group walked straight into the unlocked first-floor offices of the information security department. There they were shocked to discover that the entire InfoSec office was empty. Rows and rows of computers that provided access to Sony’s international data network were left logged in and unattended. Had the men from Norse been criminals, they could have done some serious damage.
Hackers aren’t well known for physically entering a property in order to steal information, but in Sony’s case that is all they would have needed to do. Data security was obviously not a priority. Only three weeks after the visit from Norse Corp, the most crushing cyberattack in Sony’s history was launched. Within an hour Sony had reverted to the last century. Company data from 3,262 computers was immediately erased, along with everything on 837 of their servers. The attackers even added a special deletion routine that overwrote the data in seven different ways. When it was done, the computers were rendered all but useless.
The aftermath was even worse. Not only was the data destroyed on Sony’s computers, it was now in the hands of the hackers. Over the following weeks batches of confidential files were dumped onto public file-sharing sites. Movie scripts, personal emails, salary details and social security numbers were all released. So too were four of Sony’s upcoming film releases, which the hackers made available on piracy websites for free viewing. The multinational technology company was reduced to using fax machines and sending communications through the post.
Most jarring of all, Sony’s electronic security was no worse than any other company’s. It was weak and outmoded, but it was the norm. It should have been a wake-up call to companies everywhere: greater security measures needed to be put in place to safeguard sensitive data or there would be more hacks and more security breaches. However, the lessons of the Sony hack went ignored. It was seen, just like the thousands of recorded hacks before it, as an anomaly, an exception to the rule. Sony had been targeted for specific political reasons, and therefore most thought it unlikely that the same would happen to anyone else. It would take another year of crippling cyber attacks before data security would be taken as seriously as it needed to be.
When the Privacy Rights Clearinghouse first started recording data breaches in 2005 there were 136 recorded incidents. In 2014 that number was up to 783, with at least 85.61 million records exposed. That is an increase of over 500% in less than 10 years, and these numbers don’t even account for the breaches that went unreported. In 2015 the trend continued. It seemed that every other week another company was being hacked, with data of unquantifiable quantity and sensitivity being purloined by unknown players. There was the infidelity service Ashley Madison, the telecommunications company TalkTalk, Carphone Warehouse, Uber, the IRS. A complete list of 2015’s known data breaches compiled by Bromium reveals that no industry was safe, no company too large or too small.
IBM’s 10th annual Cost of Data Breach Study, conducted independently by the Ponemon Institute, revealed that the cost of data breaches is increasing. The cost per stolen record rose by 6% in 2015, to an average of €143 per record. Overall, the total average cost per breach increased by 23% to €3.5 million, not to mention the long-term damage to reputation and customer trust. With such large stakes at play it is imperative that companies take every precaution.
One of the most common reasons a company gets hacked is that it believes it is too small and insignificant to be a worthwhile target for hackers. Despite the big names involved in the most highly publicised data breaches, SMBs make up the majority of victims of cyber theft. The Verizon 2013 Data Breach Investigations Report found that 62% of breaches were carried out against smaller organisations. Criminals, just like any other business, prefer easy returns and low risk, and this makes small businesses the softer target. Typically SMBs do not have the IT resources or expertise to implement and manage security systems adequately. In fact, a survey by the Ponemon Institute found that one third of respondents admitted they weren’t even sure whether a cyber attack had occurred at their company in the past year.
At the other end of the scale, large companies can become soft targets for hackers when they grow too complacent to take appropriate security actions. Though they have the advantage over SMBs of being able to afford help from established IT security vendors or to contract an experienced data security expert, they often fail to implement appropriate procedures amongst their own staff to enforce endpoint security.
So how does a company prevent being hacked? The short answer is, well, it can’t. No matter what security measures are taken, there is no foolproof way of preventing sophisticated and determined hackers from infiltrating a network. However, this is not to say that a company should just accept its fate and carry on using the same old prevention measures it has been using all along. As previously stated, criminals want a return on their investment. The harder it becomes to hack a network, the more likely they are to give up. With this in mind, we have compiled a list of measures to secure private data that should be put in place no matter what the size of the company.
End User Security Awareness
Recently, the cybersecurity firm Symantec admitted to the Wall Street Journal that antivirus software is “dead”. Antivirus, antispam or firewall software simply isn’t good enough as a one-stop solution to data protection. As more and more companies move their data to cloud-based services, so too do they increase the risk of having their data compromised. Building a hard wall around data is no longer sufficient. The priority must shift from protecting data from the outside in to ensuring that it is secure from the inside out. This means that all employees need to be trained in data security protocol.
As the line between personal and business devices blurs, and as the practice of accessing information from remote locations increases, it is becoming harder and harder to keep track of where business-critical data ends up. Tools used to sync and share cloud data only increase the risk of a data breach. The best way for a company to defend against this risk is to establish data security policies by which all employees must abide. Organisations need to be aware of who has access to the data, and if, when and where it is being shared. A “security-first” mindset needs to be established, and the only way to do this is to provide adequate training within the organisation.
One of the first things a company needs to do when it comes to data protection is assess the data that it is storing. It needs to determine what data is most vulnerable; what data is most likely to be targeted by attackers; what safety measures have been put in place to protect it; and who will be affected if it is compromised. Assessing data is the best way to avoid the pitfall of over-investing in Personally Identifiable Information security. PII protection is a serious matter, but its prioritisation has often led to the neglect of other digital assets, such as intellectual property, executive communications about sensitive matters, private conversations, and other important business and financial information. Any of these can cause an equal amount of damage to a company’s reputation or value if they are taken by hackers.
A data assessment can also help identify and track what data is being collected and stored, and will encourage more careful thought about what kinds of data are being stored at all. Up to now, companies have cultivated the notion that data and information are always an asset, and so they have collected it diligently and indiscriminately. However, sometimes data can be more of a liability than an advantage. Consider the example of the Target hack in 2013. Hackers obtained the four-digit PINs of Target’s customers’ debit cards. This was information that Target had no reason to be collecting. And yet it did, causing irrevocable damage to its reputation.
Most people feel fairly safe shopping on Amazon. They may not know it, but their peace of mind can mostly be attributed to the fact that their card numbers are protected by encryption. Encryption is one of the best ways to keep cyber criminals away from sensitive data. If data is encrypted, then even if there is a data breach, the information taken will be unusable. This is especially useful if information is stored in the cloud. Ultimately, companies that don’t use encryption will be the less attractive option when compared to those that do.
Encryption is not infallible. It can be broken. However, this usually has to be done by brute force: a hacker has to try every possible key until the right one fits, and with a long key this becomes an impractical task. As has been reiterated before, hackers want a quick return on their investment. If an attack takes too much time and effort they will be deterred.
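To make the point above concrete, here is an added example (not from the original article) of encrypting a stored card number with AES-256-GCM in Go. The key is assumed to live in a separate key store rather than alongside the data, so someone holding only a dump of the table gets a blob that fails to decrypt; the card number is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-256-GCM instance from a key that lives in a separate
// key store (assumed here), never in the database that holds the ciphertext.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCard encrypts one card number. What the database stores is the blob
// nonce || ciphertext || tag, which reveals nothing about the card number.
func SealCard(key []byte, card string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(card), nil), nil
}

// OpenCard decrypts a stored blob. With any key other than the right one the
// GCM tag check fails, so a dumped table is unusable to whoever took it, and
// any tampering with the ciphertext is detected the same way.
func OpenCard(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return string(pt), err
}
```

Encrypting each sensitive field this way means the breach of the datastore alone is not a breach of the card numbers; the attacker would also need the key store.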
Create a Response Plan
Companies usually have an emergency plan. If there is a fire or a flood, they need to be prepared for what to do next, because the immediate response to such emergencies is pivotal. In the same way, the immediate response to a data breach is pivotal, yet many companies don’t have a plan of action for such an event.
The new thinking in data security is to work on the assumption that at some point or another there will be a breach. When a breach is treated as an inevitability, having a response plan is the best defence. A data breach can happen at any time, in the middle of the night or at the weekend, and in such events key members of staff need to be prepared to make quick decisions. A protocol needs to be drafted to encompass all relevant aspects of the organisation. For instance, the IT department will need to know its next response, disclosure requirements will need to be met, and public relations will need to be approached with care and caution. How the aftermath of a data breach is handled can have huge consequences for a company’s reputation.
Get Rid of the Computers
If a company isn’t willing to take on any of the above measures, then it may as well.