Successful corporations hold the trust of their clients: it is the responsibility of the corporation to hold a client’s data securely and to protect their privacy. Without these basic requirements, a company can fall to the ground in the event of a breach and lose their customer’s trust – as well as being heavily fined by government agencies such as the UK’s ICO (Information Commissioner’s Office).
Examples where companies’ reputations were risked
Facebook fined $1.6 billion
A recognizable example of where a corporation took a large hit and lost a significant amount of trust was in September 2018. Hackers were able to exploit one of the sites features which allowed attackers to expose the personal data of over 50 million users. The attackers were then able to steal access tokens which would allow them access to user’s accounts. Subsequently, the announcement was broadcasted to public and the company lost a large majority of its user’s trust. The IDPC (Irish Data Protection Commission) also opened an investigation and set up a fine to the company of $1.6 billion.
All of eBay’s user’s data exposed
eBay suffered a similar attack in May 2014 which allowed hackers access to personal data such as names, D.O.B., addresses and encrypted passwords of all of their users. The attack wasn’t completed using a brute force style attack; instead, it was completed using employee credentials. This shows the need for internal security as well as external. The CEO reported that the breach resulted in a decline of user activity – ultimately due to losing a majority of its user’s confidence in their service.
Uber’s attempt to hide attack
Another attack which shows the importance of internal security was the Uber attack in 2016. Attackers were able to get access to Uber’s AWS servers which allowed them access to personal data including driving license numbers. The thing that made this attack notable is how Uber dealt which the attack. They paid the hacker’s $100K to delete the data they stole, however there was no guarantee that the hackers actually would. Uber’s valuation subsequently dropped from $68 billion, earlier in the year, to $48 billion by the end of the year.
These are just a tiny fraction of all the attacks which take place; however, they really show the importance of data security and privacy. Not only is external protection (DDOS, XSS, etc.) a necessity, but so is internal protection. Corporations need to implement policies and training for scenarios. Uber dealt with the situation poorly, but if they had a security and privacy policy in place then it wouldn’t have been as bad as a situation as it turned out. The unethical decision to keep it a secret and the attempt to pay the hackers to keep quiet costed the company billions and permanently destroyed their reputation.
How attacks can happen
Nearly half of all data breaches aren’t due to a malicious attack: around 36% of the time it is due to human error and 5% of the time is due to system malfunctions. A main human error source is due to social engineering attacks – this is the process of tricking someone into handing over sensitive data such as login details or files. On the malicious attacking side of things, if software isn’t updated then already discovered exploits, which are openly posted online, can be performed by anyone with nearly to no hacking experience required. However, an attack doesn’t have to be one or the other. Attacks can be combined using social engineering to gain access and then planting malicious code.
Prevention
As one of the main causes of breaches is due to negligence, it is important to have policies in places to deal with situations like these.
Policies and training
A corporation should have a policy guide to follow in the event of an attack so that it can be handled ethically and legally. This will also help regain a corporation’s client’s trust as it shows professionalism. It is also crucial to train employees against data breaches – social engineering attacks mainly take advantage of customer service agents to gain access to sensitive areas.
Encryption
All corporate computers should be encrypted. From user’s browser to server, the connection through which the data is passing should have encryption. This is one of the best preventions for data breaches as even if a hacker gains access to a database, it renders the accessed data useless as it is encrypted and cannot be understood. When we talk about SSL, EV SSL certificate is one of the best SSL certificates that enables green bar with highest business authenticity.
Updates
As mentioned above, all software should be updated regularly as vulnerabilities in previous versions of software are often posted online. The updates patch these vulnerabilities in an efficient and safe way.
Penetration tests
For larger corporations it is highly recommended to hire a third party to carry out a cyber security analysis test. These will highlight threats found and may also offer ways to prevent the threat being exploited. This is a good long-term option as it can save billions in the future. It is crucial to perform these regularly as systems can change often.
Human error
As human error accounts for 5% of breaches it is worth trying to minimalise human interaction as much as possible: repetitive tasks usually performed by humans should be performed by a system instead.
Backup data
Although not a prevention, backing up data will help with the recovery process in the event of an attack. If data is destroyed or corrupted and no backups have been performed, a lot of user data will be lost forever. Therefore, frequent backups help the restoration of a corporation.
Ben is an Associate Producer at Compare the Cloud and Disruptive.LIVE He's a quiet person who doesn't speak much but we have managed to discover that he likes football and tech...