Are cyber breaches a fact of life now?
By Kevin Haywood Crouch and Jacqui Sanaghan.
Ask yourself, are cyber breaches a fact of life now? Yahoo, the Bahamas corporate registry, Mossack Fonseca, the World Anti-Doping Agency (WADA): the list is growing, and the profile of these hacks and leaks is no longer the traditional mining of personal or financial information to be sold to identity thieves for future exploitation. Instead, there are now many more cyber events where broader motivations clearly determine the target. Take, for example, the WADA attack. This involved the publication of private medical information about dozens of targeted Olympians, particularly those competing for the United States and United Kingdom. This release is considered to be a retaliatory gesture following the banning of Russian athletes from Rio 2016 after an independent report found that Russia operated a state-sponsored doping program during the 2014 Sochi Winter Games.
Similarly, the leak of the Panama Papers and the more recent leak of 1.3m internal files from the company register of the Bahamas are specifically targeted attacks. In each case, the releases have brought to light details of the financial interests of high-profile politicians, entrepreneurs and financiers, as well as fraudsters, which, in the case of some of the former, hadn’t always been appropriately disclosed. These leaks, and subsequent releases, are intended to pierce corporate veils, where otherwise legitimate attempts to do so might be thwarted under local law.
And what of the recently announced hack of 500 million Yahoo accounts, the largest known disclosed hack of any corporate entity so far? Hacked in 2014, but only now being made public, this was initially thought to be just another trawl for account holder names, email addresses, passwords, telephone numbers and other similar personal information. Instead, according to Yahoo, this was a ‘state-sponsored’ attack, with a suggestion that the real target was the security questions and answers attached to each account. Of course, many security questions are common across multiple internet accounts, so a haul of the magnitude of the Yahoo breach is potentially a golden prize.
It is now predicted that there are approximately 1 million victims of cybercrime per day. Though many of these are still victims of the older approach, in which hackers cast their nets as wide as possible and then anonymously sell whatever information they gather for others to exploit, targeted attacks are becoming increasingly common. This makes it imperative that businesses assess, on an ongoing basis, the safety of their data (both client data and proprietary business data) as well as their data protection responsibilities and those of their employees. This is also why all companies need to be cybersecurity leaders, not followers.
Make no mistake: this issue doesn’t just affect large, high-profile corporations or public sector targets. Businesses of all shapes and sizes are at risk and can be directly targeted if the incentives or motivations are there.
From a preventative perspective, IT-related cybersecurity measures can be implemented to reduce the probability, and most importantly the impact, of a cyber-attack or breach. Measures such as independent data vulnerability and information security reviews are recommended, and are now often being requested by insurers as the risk of payouts in relation to data loss or theft increases. Impartial security reviews allow gaps or inadequacies to be identified and remedied. Active measures that detect and prevent attacks, such as ‘intrusion detection and prevention systems’ and firewalls, also come highly recommended.
Preventative measures can also ensure a quick response to an incident, preserving data and systems, identifying the source of the attack and reducing its impact. Remediation and disaster recovery planning can further reduce the impact of a cyber-attack or data leak incident.
In addition to these IT-related measures, employee and board-level awareness and understanding of the risks throughout the business is key to protecting your business and clients. Of course, the highest risk still comes from those within the business. Whether intentionally or unintentionally, employees can often facilitate an information leak or destroy data or systems, as well as enable outsider attacks. It is generally accepted that an IT system’s single biggest weak point is its human operators, so data theft will always continue to be a fact of life. Some of the most vital, but also most cost-effective, measures against cyber breaches therefore relate to the implementation of policies and procedures, including user awareness training that ensures that employees throughout a business are aware of all the main cyber risks and of their individual responsibilities for them. This also means enforcing good habits: locking computers, ensuring passwords and data are not left lying around and are disposed of properly, showing caution when clicking on links, and reporting any incidents should all be regarded as second nature.
In this day and age of increasingly targeted attacks, it is the combination of prevention, detection, adequate recovery planning and organisation-wide education that is now almost the minimum requirement to lessen the impact of cybercrime, and reduce the size of the target on your back.
KRyS Global provides forensic technology services, which include data mining and analytics, computer forensics, electronic discovery and hosted litigation solutions.