Anderson Uvie-Emegbo, Executive Vice President, Business Development and Distance Education, Chicago Institute of Business


A preventative approach to navigating corporate digital landmines 11 Sep 2015

It is becoming increasingly challenging for public and private corporations to manage sensitive and confidential information. Online privacy failures, intellectual property theft and security breaches are distinct problems, yet some organisations seem to have overestimated their capacity to cope with any of them. The three are so intricately woven that a breach in one can lead to a compromise of the others.
    
To explore the scale of the challenge, let us review the 2015 Internet Security Threat Report (ISTR 2015) released by the information security software firm Symantec. The report's conclusions include:
•    Cyber attackers are leapfrogging defences in ways companies lack the insight to anticipate. Advanced attackers targeted five out of six large companies in 2014, a 40% increase over the previous year.
•    Attackers are moving faster, but company defences are not. When attackers notice a vulnerability in a company's software, there is usually a mad scramble to exploit it, in clear contrast to the time it takes software vendors to create and roll out patches. Worse, a compromised supplier can become a route into its customers' systems, and a compromised customer a route into the supplier's. Organisations need to learn to think like the bad guys. Those who fail to plan (and to act on the plan) make failure inevitable.
•    Attackers are streamlining and upgrading their techniques, while companies struggle to fight old tactics. Even more worrying is the fact that over 60% of all targeted attacks were aimed at small and medium-sized companies. These firms lack basic information security prevention practices and resources.
    
Since 2013, about six major incidents have stood out to remind organisations that they can no longer take these issues for granted. These incidents were as follows:
1.    In October 2013, computer software giant Adobe admitted that attackers had broken into its network and taken the account details of about 38 million active users, along with source code for several of its products;
2.    In January 2014, the usernames and phone numbers of 4.6 million users of the messaging app Snapchat were leaked after attackers abused its "Find Friends" feature; later that year, users' "private photos" were also leaked, through a third-party service that stored them;
3.    In May 2014, e-commerce giant eBay admitted that a database holding the personal details and encrypted passwords of about 145 million users had been accessed by unauthorised persons;
4.    In November 2014, Sony Pictures Entertainment publicly acknowledged a massive hack and the release of thousands of sensitive emails. The leaked material included personal and work-related emails, financial information, employee data and unreleased films and other highly valued intellectual property;
5.    In August 2015, a month after the attackers first threatened the infidelity website AshleyMadison.com, tens of gigabytes of its data were dumped online to the horror of users. The dump included personally identifiable details such as partial credit card transaction records, locations and sexual preferences for over 30 million accounts;
6.    The US and China have been sparring for months after the United States accused the People's Republic of China of hacking into the databases of several US military and civilian agencies.
These epic failures are not restricted to these firms. Just as with kidnapping, many more organisations are quietly paying ransoms to hacking groups and saying nothing.

What’s common in all these breaches?

Take threats seriously

In several of the cases above, the attackers warned the organisations before or after the breach. In some instances, such emails were left unattended in the spam folders of company executives. It took eBay around two months to discover its breach, and it is rumoured that the intrusion at Sony Pictures Entertainment had been under way for almost a year. A month after AshleyMadison.com was threatened with exposure unless the website shut down, user details were shared online.
    
Who is in charge of preventing and managing cyber threats in your organization? In an era of big data where time is the ultimate currency, losing a month might seem like losing a decade.

Opportunists are lurking in the shadows

The sale of such sensitive data is a goldmine on the dark web. From advertisers, blackmailers and organised criminal networks to competitors, there is no shortage of individuals and organisations lying in wait to capitalise on the next breach. Organisations like Wikileaks have capitalised on the public's clamour for its right to know.

Defending Wikileaks' decision to publish the entire Sony Pictures email archive, Wikileaks' Julian Assange had this to say:

“This archive shows the inner workings of an influential multinational corporation. It is newsworthy and at the centre of a geo-political conflict. It belongs in the public domain. Wikileaks will ensure it stays there."

How far will you go to prevent and manage a breach?

Count the Cost

Apart from the loss of customer confidence and reputational damage, many organisations have lost significant competitive advantage, which might be irreversible. Sony announced that it expected to spend about $15 million in the quarter after the attack to deal with the fallout. Should your organisation pay hackers? What rewards do potential whistleblowers receive? Information security is a board-level issue and should be treated as such.

Don't underestimate and downplay the risks and threats

Even when the initial leaks came to light, most of these firms downplayed the impact. Some claimed their security systems were robust. Others failed to act before the breach happened. During and after the breach, the response was often knee-jerk. Customers were not informed about the security breaches in time. Some firms blamed the media for promoting the work of hackers and threatened media firms and social networks with lawsuits if they did not remove articles and mentions of the hacks.

It sometimes starts within

A number of hacks were perpetrated after attackers obtained the login credentials of employees. With password integrity and security still very much an issue, it is not surprising that compromised internal accounts can and do continue to play a significant role in increasing the vulnerability of organisations.

Be careful what you claim

AshleyMadison.com charged users a fee of about nineteen dollars ($19) for a "full delete" of their profiles. It claimed that every trace of those users would be removed, so that no one could later steal their details. That bold claim provided, amongst other things, the motivation for those with the means (the hackers) to prove it false. Today, trusting users have been hung out to dry while private investigators, divorce lawyers and client-confidentiality lawyers are smiling to the bank. The mistake users of platforms like AshleyMadison.com made was assuming that they could remain anonymous on a paid online platform. Unless one is paying with a stolen credit card, how anonymous can one be?

How prepared are you?

Luck has been popularly defined as “opportunity meeting preparation”.
    
Online data theft is not a matter of if but of who and when. It is a matter of who has the means and the motivation to break into the servers of any organisation, competitor or not.

According to Opeyemi Onifade, the President of the Information Systems Audit and Control Association (ISACA) Nigeria, Abuja Chapter, and the practice leader at Afenoid Enterprise:
“Leaders of IT-enabled organizations need to prepare against cyber threats by understanding and approaching cyber security as an enterprise-wide risk issue and not merely an IT issue. The directors also need to ensure that their organization is equipped with cyber security expertise and make cyber-risk a board meeting agenda item.

In order for their business to be resilient, decision-makers should be involved in the rigour of determining which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.”

Onifade further averred: “It is now the duty of top management to put in place the key enablers to ensure effective information security governance. The enablers are: framework, principles and policies, processes, organization structure, culture, ethics and behaviour, information for decision-making, people, skills and competencies, services, infrastructures and applications.”

To effectively navigate information security landmines, executive management will need to run with a sense of urgency.

Who are your information security consultants?

There is rapidly growing demand for information security consulting services. Discerning organisations need to get the right experts to analyse their vulnerabilities and help chart the right path towards securing their data. The first step to preventing potential information security landmines is to engage a dedicated information security consultant. Now is the best time to do so!

What are they likely to do?

•    Review the appropriateness and adequacy of your information security policies and practices (if you have any) against best-practice guidelines
•    Review what employees know about information security
•    Review employee practices regarding the (mis)use of company data
•    Identify your organisation's competence in handling potential information security breaches, including the technological tools and software in use compared with what is available in the market
•    Review knowledge management policies and practices within the organisation
•    Identify threats to and vulnerabilities in the security of company data, and rank the vulnerabilities according to the threat they pose
•    Create a roadmap for improving the organisation's responsiveness to information security threats
•    Implement the roadmap, elements of which might include making the required changes to policies, practices, people and tools.
 
What are your employees up to?

Educating employees about defensive information security practices should no longer be taken for granted. Employees should have access to sensitive information and documents only on a need-to-know basis.

Organisations need to restrict employees from signing up to unofficial web services with their official email addresses. What makes it worse is that some employees sign up with the same passwords they use in the office. I am aware of an e-commerce site where about 10% of its users signed up with their official email addresses. Even after such employees leave, those email addresses remain available to be exploited. Thousands of company email addresses were used to sign up on AshleyMadison.com, and there are reports that employees whose details appear in the dump have been blackmailed to hand over company secrets or face public exposure and shame.

Employees are a key gateway into your information infrastructure. The online actions of those who staff your critical functions must not be allowed to jeopardise your brand, and policies must be put in place to mitigate an AshleyMadison-type scenario.