Data breaches are happening on a daily basis worldwide. According to the Breach Level Index Report, in the first half of 2017 there were 918 data breaches with 1.9 billion data records exposed to threat.
Cyber hacks ruin customer confidence
The 2017 WannaCry attack on the NHS saw 300,000 systems compromised, whilst the Equifax data breach saw 145.5 million accounts affected. Similarly, Uber and Yahoo also suffered data breaches that saw 57 million records and 3 billion accounts compromised respectively.
We also saw electronics retail company Dixons Carphone admit a huge data breach. Dating back to 2017, the breach involved some 5.9 million payment cards and up to 1.2 million personal data records were implicated. This event saw shares drop by 3% with the immediate concern being the impact of the breach on consumer trust.
As a result, the way organisations use and protect consumer data has never been so prominent in the customer consciousness. Because of these events, consumer confidence and trust in brands is at a record low.
Cyber attacks are no longer an “IT issue”. They are a major business threat, and with regulations such as the Sarbanes-Oxley Act they are now very much the responsibility of the entire company.
So, in light of the recent GDPR regulations, and considering that the free and open tools available to attackers are getting more sophisticated, how should organisations go about protecting consumer data and re-establishing consumer trust?
Cyber attacks are sophisticated
Increasingly, businesses and consumers are finding it difficult to tell a real message from a fake one. The rise of Business Email Compromise (BEC) is a good example of this: scammers make specific approaches to targeted individuals within companies rather than relying on a mass phishing campaign.
By taking over an email account, or impersonating a C-level executive, to approach another employee within the organisation, the scam becomes a lot more ‘believable’ and persuasive. This makes it more likely to succeed and a lot harder to control.
The BEC threat and others like it point to the biggest weakness in most organisations: their internal infrastructure and their employees. The “internal threat” remains greatest for organisations whose security controls do not match the sophistication of the threat. Poor coding standards that have remained unchecked for years mean that less sophisticated threats such as SQL injection and cross-site scripting (XSS) are still able to get through.
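The coding-standards point above is easiest to see in code. The following is an added example, not code from the article or from Equiniti: it builds a constructed in-memory SQLite table, runs the same lookup first with user input concatenated into the SQL string and then with a parameterised query, and renders a greeting first unescaped and then escaped. The user data, the probe string and the function names are all assumptions made for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the article).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, name):
    """Anti-pattern: untrusted input is concatenated into the SQL statement,
    so the input can change the structure of the query."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the driver passes the value separately from the
    statement, so the input is only ever treated as data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """Anti-pattern: untrusted input is placed straight into HTML (XSS)."""
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name):
    """Output encoding: HTML metacharacters in the input are escaped."""
    return f"<p>Welcome, {html.escape(name)}</p>"


def demo():
    """Run both variants of each function on the same hostile-looking input
    and return the observable difference."""
    conn = make_db()
    sql_probe = "x' OR '1'='1"          # classic textbook injection string
    html_probe = "<script>alert(1)</script>"
    return {
        # concatenation turns the WHERE clause into a tautology: every row comes back
        "vulnerable_rows": len(find_user_vulnerable(conn, sql_probe)),
        # the parameterised query looks for a user literally named "x' OR '1'='1"
        "safe_rows": len(find_user_safe(conn, sql_probe)),
        "vulnerable_html": render_greeting_vulnerable(html_probe),
        "safe_html": render_greeting_safe(html_probe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the vulnerable lookup returning every user for an input that should match none, while the parameterised version returns nothing; the escaped greeting contains no live `<script>` tag. A coding standard that mandates parameterised queries and context-aware output encoding, enforced in code review, is what closes these two classes of defect.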
Preparation is paramount
Preparing a response ahead of an attack is mandatory. Using analysis software and forensic techniques, such as malware reverse engineering, host-based intrusion detection and network analysis, companies can identify the breach vector and, most importantly, how the breach took place. With this information the Chief Information Security Officer (CISO) can determine the attacker’s aims and the impact the breach will have on the organisation.
Penetration testing at a high level can ensure that routes currently open to criminals, through web applications and out-of-date network security, are identified and closed. Websites can be compromised through applications such as shopping baskets and login pages unless coding standards and practices are kept up to date.
The more sophisticated threats, such as those we have seen in the Dixons Carphone example, including social engineering, malware and ransomware, mean companies have to take further measures to ensure a proactive response. The education of employees is a key aspect of this: they remain on the whole, and in most cases unwittingly, the main route to success for criminals. Giving employees the knowledge and tools to deal with an increasing level of sophisticated threats is crucial.
Auditing cyber security systems can help organisations understand their network vulnerabilities. This can be done by simulating cyber-attacks on corporate networks to find weaknesses and establish whether any threats need to be neutralised. Red and blue team testing is a good example of this.
Playing the role of an attacker (the red team) can help your IT team identify the gaps in your security infrastructure. The defending blue team also gets practice at identifying an incoming threat, what it looks like and how to deal with it. It is a concept that military and government organisations have run for years, and as the sophistication of the threat rises, the role-play exercise becomes more important for the corporate environment.
Be clear to consumers
This is a broad (although not exhaustive) list of actions companies can take to reduce risk. But when it comes to maintaining consumer trust, it is very simple: transparency and clear communication are the key elements. If a data breach occurs, consumers want to see how a brand responds to the situation. This is why it is vital that organisations understand the nature of cyber-attacks and exactly which information the attackers accessed.
Organisations need to begin to look at the people behind the data, rather than just the data itself. Consumers want to know that a company is being both candid and careful with their information, and for them to offer accurate disclosure if a breach takes place. Generally speaking, consumers are not naturally attuned to security unless a threat is under way. Therefore, companies need to be the vanguard of cyber security before customers even have cause to think about it.
Respond to the threat and respect your customers
Being prepared both pre-breach and post-breach is crucial, as is communication between departments. The entire C-suite needs to be part of the security conversation from the beginning of the process to ensure that the right information is disseminated and communicated both internally and externally.
Organisations need to be accurate, timely and at the forefront of cyber security. They must do this to reinforce customer loyalty and highlight the fact that they value and understand the people behind the data.
By Chris Underhill, CTO at Equiniti Cyber Security