2018 will likely go down in history for the sheer scale of consumer data that was hacked, leaked, stolen or otherwise compromised by cyberattacks throughout the year. Estimates show that during the first six months alone, 4.5 billion records were exposed across 945 data breaches, leading to mass identity theft and financial fraud.
On the one hand, this is deeply concerning. On the other hand, it’s not very surprising at all.
Among the biggest breaches of 2018, Facebook, Quora and Marriott stood out for the simple reason that these were the very companies with the resources to be safe. When industry giants fall to attackers, small firms and businesses don’t stand a significantly better chance.
As regulators turn a critical eye to data breaches and consumer privacy, the time for businesses to pay sharp attention has come. If protecting the good faith of consumers isn’t enough incentive, financial loss in the form of penalties and theft should be.
In this article, we’ll look at five key lessons that stand out from the past year of cyberattacks, and what businesses can learn from them.
- Complacency Kills
Marketing firm Exactis held comprehensive data on nearly every person in the U.S.: 340 million records, to be exact. Last year, security researcher Vinny Troia discovered that all of those records sat in a database reachable from the public internet without any password, easily found with a simple search for openly accessible servers.
Soon after the leak was publicized, the company restricted access to its records: something which should have been done the moment the data was first stored. Exactis justly received a great deal of negative publicity for failing to take that crucial step earlier.
Similarly, when data on 500 million guests of the Marriott hotel chain was stolen, an investigation revealed that the attackers had been inside the reservation system for four whole years before they were discovered. Security alerts had flagged the activity on several occasions, but never prompted an adequate assessment of the full extent of the intrusion.
Takeaway: Nothing helps attackers more than a simple lack of vigilance across the board. A robust risk-management program, coupled with serious attention to every red flag, is key both to preventing cyberattacks and to catching the ones that get through.
- Never Postpone Disclosure
In the past, companies have been reluctant to admit that a data breach occurred. Last year, ride-sharing company Uber paid $148 million to settle with U.S. state attorneys general after failing to disclose a 2016 breach that compromised the personal information of 600,000 drivers. Similarly, the U.K.’s Ticketmaster knew about a breach for seven months before finally revealing it.
Hiding a breach doesn’t do a company any favors: if the intention is to avoid bad publicity, it only prolongs and exacerbates the inevitable. In the meantime, fixing the underlying issues and mitigating the damage becomes harder, and the affected users cannot take steps to protect themselves.
Since GDPR came into force, mandating that a company notify its supervisory authority within 72 hours of becoming aware of a breach (not of the breach itself, which may have begun much earlier), the number of reports coming out of the U.K. has quadrupled, showing just how common delayed acknowledgment was before the legislation.
Takeaway: Companies should take a hint from Quora, which promptly disclosed a breach that had exposed data on about 100 million of its users, responded by logging out affected users and resetting their passwords, and published an informational page about the incident, all within a 72-hour window.
- Anything Can Be A Flaw
Data breaches take many unexpected forms. Last year, Facebook turned off (and has not yet turned back on) a seemingly benign feature which allowed users to view their profiles as a visitor would. A bug in this “View As” feature let attackers obtain access tokens for other users, giving them control of an estimated 50 million accounts.
Meanwhile in New York City, Saks Fifth Avenue and Lord & Taylor found that payment-card-stealing malware planted on their in-store point-of-sale systems had harvested the card details of nearly 5 million customers.
These two incidents couldn’t be more different: one lived in the application logic of a social network, the other in the payment terminals on a shop floor. But together they show that attacks come in many forms, and that no component which touches data should be overlooked.
Takeaway: Web developers should remove unnecessary features that add attack surface without adding real value to the user experience, and businesses should invest in penetration testing of their digital properties. Retailers should also regularly inspect their facilities and point-of-sale (POS) systems, both for tampered hardware and for unauthorized software.
- Beware of Third-Party Apps
Third-party applications have become an indispensable part of the digital ecosystem, as businesses depend on them to process transactions and provide essential functions on their websites. Unfortunately, they have also become a primary route by which attackers compromise businesses.
2018 saw two high-profile incidents involving third-party platforms. A vulnerability in the mobile deep-linking platform Branch.io potentially exposed the information of 685 million users across services such as Tinder, Shopify and Yelp. McAfee reported that a breach of the customer-support platform [24]7.ai may have leaked credit card information and Social Security numbers belonging to thousands of users.
A business can defend the services it builds and runs itself. Third-party components are controlled from outside, and often reflect a different set of security priorities: a website may encrypt all of its own traffic while an unsecured plugin it embeds transmits data in plain text.
Takeaway: Businesses must be especially wary of the third-party apps that support their sites. In many cases they may not even know how many dependencies they employ, and should conduct regular inventories of them to ensure the safety of their users.
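The inventory that this takeaway calls for can be automated at the page level. The following Python script is an added example, not code from the original article or from Securicon. It parses a constructed sample page (the hostnames are invented for the example), lists every script and stylesheet the page pulls in, treats anything served from a host other than the site’s own as third-party, and flags two of the risks discussed above: resources fetched over plain HTTP, and third-party code loaded without a Subresource Integrity hash, which means whatever that host serves will run in the page.

```python
"""Inventory of the external resources a web page loads.

Flags scripts and stylesheets fetched over plain HTTP (the "unsecured
plugin transmits in plain text" case) and cross-origin scripts and
stylesheets that carry no Subresource Integrity (SRI) hash, so a
compromised third-party host could serve arbitrary code into the page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; the hostnames are made up for this example.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example-cdn.net/theme.css"
      integrity="sha384-AAAA" crossorigin="anonymous">
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.net/analytics.js"></script>
<script src="http://widgets.example-partner.com/chat.js"></script>
<script src="//fonts.example-fonts.org/loader.js"
        integrity="sha384-BBBB" crossorigin="anonymous"></script>
</head><body></body></html>
"""


class _ResourceCollector(HTMLParser):
    """Collects (kind, url, integrity) for every script and stylesheet tag."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"], a.get("integrity")))
        elif tag == "link" and a.get("rel", "").lower() == "stylesheet" and a.get("href"):
            self.resources.append(("stylesheet", a["href"], a.get("integrity")))


def inventory(html, site_host):
    """Return one finding dict per script/stylesheet the page loads.

    site_host is the hostname the page itself is served from; anything
    on another host is treated as third-party.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for kind, url, integrity in collector.resources:
        parsed = urlparse(url)
        host = parsed.netloc.lower() or site_host  # relative URL -> same origin
        origin = "first-party" if host == site_host else "third-party"
        issues = []
        if parsed.scheme == "http":
            issues.append("plaintext-http")   # code and data travel unencrypted
        elif parsed.netloc and not parsed.scheme:
            issues.append("scheme-relative")  # inherits the page's scheme: plaintext if the page is ever served over http
        if origin == "third-party" and not integrity:
            issues.append("no-sri")           # the browser will run whatever that host serves
        findings.append({"kind": kind, "url": url, "host": host,
                         "origin": origin, "issues": issues})
    return findings


def third_party_hosts(findings):
    """The dependency inventory proper: every external host the page trusts."""
    return sorted({f["host"] for f in findings if f["origin"] == "third-party"})


if __name__ == "__main__":
    results = inventory(SAMPLE_HTML, "www.example-shop.com")
    for f in results:
        flag = ", ".join(f["issues"]) or "ok"
        print(f"{f['kind']:10} {f['origin']:12} {f['url']:50} {flag}")
    print("third-party hosts:", third_party_hosts(results))
```

Run it against a saved copy of a real page with that page’s own hostname; the list of third-party hosts is the inventory to review, and any “plaintext-http” or “no-sri” finding on a third-party script is a dependency whose operator, not you, decides what runs in your users’ browsers. The same collector can be extended to iframes, web fonts and image hosts if the inventory needs to be complete.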
- Pay Attention to Insider Threats
In April of last year, SunTrust Bank announced that records of 1.5 million customers had been taken with criminal intent. The culprit, the bank said, was likely a former employee.
Insider threats are among the biggest and least predictable risks an organization can face, and they aren’t always malicious. Simple user error can cost an organization enormous sums. As Verizon’s 2018 Data Breach Investigations Report states:
Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.
As an example, the average cost of a phishing attack, in which a user is tricked by a fraudulent email into opening a malicious link or attachment or handing over credentials, was reported at $1.6 million in 2018. When such a simple action can have such devastating consequences, no organization is free from risk.
Takeaway: To stay safe, companies must look in both directions, outward at attackers and inward at their own people. Educating personnel on security policy is one important way to reduce insider risk; monitoring user behavior for signs of malicious or anomalous activity is also essential.
Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments, trusted by critical infrastructure companies and other critical organizations across the U.S. to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!