Data breaches are happening on a daily basis worldwide, with the number of attacks increasing and the scale escalating.
In the first half of 2017 alone there were 918 data breaches with 1.9 billion data records exposed to threat according to the Breach Level Index Report.
The 2017 WannaCry attack on the NHS saw 300,000 systems compromised, whilst the Equifax data breach saw 145.5 million accounts affected. Similarly, Uber and Yahoo also suffered data breaches that saw 57 million records and three billion accounts compromised respectively.
As a result, how organisations use and protect consumer data has never before been so prominent in the customer consciousness, and it is inarguably because of this that consumer confidence and trust in brands are at an all-time low.
Indeed, more recently we saw Dixons Carphone admit a huge data breach, dating back to 2017 involving 5.9 million payment cards and 1.2 million personal data records. The financial implications of this saw shares drop by 3 percent by afternoon trading with the immediate concern being the impact of the breach on consumer trust.
Cyber-attacks are no longer an ‘IT issue’ but a major business threat, and one which, with regulations such as Sarbanes-Oxley, is now very much part of the board’s responsibility. In light of the recent GDPR regulations, and bearing in mind that the free and open tools available to hackers are getting more sophisticated, how should organisations go about protecting consumer data, and how should they re-establish consumer trust in a brand once a data breach has taken place?
Increasingly, businesses and consumers are finding it difficult to tell real messages from fake ones. The rise of Business Email Compromise (BEC) is a good example of this: scammers make specific approaches to targeted individuals within companies rather than using a mass phishing approach. By taking on the email identity of a C-level exec and using it to approach another employee within the organisation, the scam becomes a lot more ‘believable’ and persuasive, and therefore more likely to succeed and a lot harder to manage.
The BEC threat and others like it are a nod to the biggest weakness in most organisations: the internal infrastructure and the employees. The ‘internal threat’ remains the largest for organisations whose security controls do not match the sophistication of the threat. Poor coding standards that have generally remained unchecked for years mean that less sophisticated threats such as SQL injection and XSS are still able to get through. Penetration testing at a high level can ensure that routes currently open to criminals through web applications and out-of-date network security are identified and closed. Websites can be hacked through applications such as shopping baskets and login pages; unless standards and practices are kept up to date, these remain an easy access point.
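To make the coding-standards point concrete, here is an added example (not code from the article or from Equiniti) showing the two defects named above side by side with their fixes: a login query built by string concatenation versus the same query with bound parameters, and a page fragment that inlines user input versus one that HTML-escapes it. The in-memory SQLite table, the user record and the inputs are all constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory database with a single user row (demo data, not real).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # Defect: user-controlled strings are spliced into the SQL text, so a quote
    # character in the input changes the structure of the statement itself.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(conn, username, password_hash):
    # Fix: '?' placeholders. The driver passes the values to the database
    # separately from the statement, so they can never be parsed as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def render_greeting_vulnerable(display_name):
    # Defect: whatever the user supplied as a name is emitted as raw HTML.
    return "<p>Hello, %s</p>" % display_name


def render_greeting_safe(display_name):
    # Fix: escape the five HTML metacharacters (& < > " ') before output, so the
    # input is rendered as text rather than interpreted as markup or script.
    return "<p>Hello, %s</p>" % html.escape(display_name)


if __name__ == "__main__":
    conn = make_db()
    # Legitimate login works in both versions.
    print("legit, vulnerable:    ", login_vulnerable(conn, "alice", "hash-of-alice-password"))
    print("legit, parameterised: ", login_parameterised(conn, "alice", "hash-of-alice-password"))
    # A name containing an apostrophe breaks the concatenated query (a syntax
    # error, i.e. an availability bug) but is handled cleanly with parameters.
    try:
        login_vulnerable(conn, "O'Brien", "x")
    except sqlite3.OperationalError as exc:
        print("apostrophe, vulnerable: OperationalError:", exc)
    print("apostrophe, parameterised:", login_parameterised(conn, "O'Brien", "x"))
    # The textbook tautology input: accepted by the concatenated query,
    # treated as a literal (non-matching) username by the parameterised one.
    crafted = "' OR '1'='1"
    print("tautology, vulnerable:    ", login_vulnerable(conn, crafted, crafted))
    print("tautology, parameterised: ", login_parameterised(conn, crafted, crafted))
    # Output encoding for the page.
    name = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(name))
    print(render_greeting_safe(name))
```

The design point worth taking from this is that both fixes are the same idea applied at two boundaries: keep data separate from the language the data is being handed to (SQL on the way into the database, HTML on the way out to the browser). Code review and automated scanning can check for these patterns mechanically, which is why the article treats them as a standards problem rather than a sophistication problem.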
However, the more sophisticated threats, such as those we have seen in the Dixons Carphone example, including social engineering, malware and ransomware, mean companies have to take further measures. The education of employees is a key aspect of this – they remain, on the whole and in most cases unwittingly, the main route to success for criminals. Giving employees the knowledge and tools to deal with an increasingly sophisticated level of threat is crucial.
Preparing a response ahead of an attack is also mandatory. Using analysis software and forensic techniques, such as reverse-engineering malware, host-based intrusion detection and network analysis, helps to define the breach vector and, importantly, how the breach took place. With that information the Chief Information Security Officer (CISO) can determine the aims of the attack and the impact it will have on the organisation.
Auditing cyber security systems and pen-testing can help organisations understand network vulnerabilities by simulating cyber-attacks on corporate networks, in order to find out whether there are weaknesses, where they are, and how to neutralise any threats. Red and blue team testing is a good example of this. Playing the role of an attacker (the Red team) can help your IT team identify the gaps in your security infrastructure's defences and plug them. The defending Blue team also gets practice at identifying an incoming threat: what it looks like and how to deal with it. It is a concept that military and government organisations have run for years, and as the sophistication of threats rises, so the role-play exercise becomes more important for the corporate environment.
This is a comprehensive (although not exhaustive) list of actions companies can take to reduce risk. However, when it comes to consumers and maintaining their trust, it is very simple: transparency and clear communication are the key elements. If a data breach occurs, consumers want to see how a brand responds to the situation, which is why it is vital that organisations understand the nature of cyber-attacks and the information accessed by hackers. Having information security policies that define incident management and crisis management strategies, ready to deal with the fallout, is crucial.
Organisations need to begin to look at the people behind the data, rather than just the data itself. Consumers want to know that a company is being both candid and careful with their information, and for it to offer accurate disclosure if a breach takes place. Generally speaking, consumers are not naturally attuned to security unless a threat is under way. Therefore, companies need to be the vanguard of cyber security before customers even have cause to think about it.
Being prepared pre-breach as well as post-breach is crucial, as is communication between departments. The entire C-suite needs to be part of the security conversation from the beginning of the process, to ensure that the right information is disseminated and communicated both internally and externally.
Ultimately, organisations need to be accurate, timely and at the forefront of cyber security, not only to reinforce customer loyalty but to show that they value and understand the people behind the data.
About the Author
Chris Underhill A.Inst.ISP is Chief Technology Officer at Equiniti Cyber Security, a division of Equiniti Data, responsible for their product research and development of cyber security solutions. Chris has extensive experience in software and security having worked with Microsoft, Virgin, O2, and the BBC. He now brings these skills to help Equiniti clients with their cyber threat surveillance. Equiniti Cyber Security utilises cutting-edge software and technology to create a range of cyber threat detection and prevention solutions for businesses.