Guest post from Danielle Adams at Fiber.net
2016 was a banner year for security breaches, and so far, 2017 hasn’t been much better. With so many companies reporting breaches and incursions, it’s bound to make you wonder: “Is there any way to be safe?”
The important thing to remember is that data breaches are explorations of flaws in a system. While no system is flawless, a secure system is attainable, as long as we are willing to learn from past mistakes and make cyber security a priority. To illustrate this, let’s take a look at a few recent breaches, to see how learning from history will help avoid repeating it.
Yahoo
Yahoo has not had very good luck in recent years. In 2016, they finally disclosed two massive breaches, one of them the biggest in history. What’s disconcerting is that these breaches happened several years previously, with users only being warned now that their information is floating around on the web.
Worse yet, back in February 2017, Yahoo reported yet another breach, where hackers apparently were able to review proprietary code and learn how to forge cookies for use in accessing emails without login information. These back-to-back breaches have caused a severe loss of trust with the company, and rightly so.
What we can learn from Yahoo is, first, that even big companies are vulnerable if they don’t protect themselves. After that, important lessons here are: disclose breaches promptly, and close vulnerabilities promptly and effectively. Improperly closed breaches or symptoms that are addressed without resolving core vulnerabilities will result in repeated breaches as hackers find their way back in.
Democratic National Committee
2016 saw government-funded hackers sticking their fingers in the DNC, leaking emails from party officials to WikiLeaks. The FBI and DHS looked into things, and then put together some recommendations detailing how the breach happened, and how to prevent a similar breach in the future. That’s good news for everyone involved.
The only problem (and here’s where we get to the lesson learned on this one) is that the document they released just enumerated security guidelines that had already been put in place by NIST. In other words, this whole thing could have been avoided if the DNC was following proper security protocols. Their lax security is what made the breach possible.
In short, don’t ignore the problem. Familiarize yourself with security procedures and then make sure they’re being followed (or hire someone to do it for you).
Utah Department of Health
This one is less recent but more local. In 2012, Utah’s Department of Health was hacked, and 780,000 individuals had sensitive information stolen. The breach ultimately cost local government $9 million in damage control—not an easy pill to swallow. It’s not even uncommon: IBM estimates the average cost of a data breach is at least $4 million
The lesson here is that breaches will cost you, if not handled properly.
Gmail
This one has somewhat of a happy ending. Recently, users of Google’s Gmail service were targeted by a phishing scam that proved rather effective. The sophisticated attack asked users to click on a link, which directed them to a real Google security page, where they were prompted to give access to a fake Google Docs app.
This was an intelligent and well-designed attack. However, even though it affected an estimated 1 million users, Google was able to shut it down within an hour. The combination of careful monitoring of the system and an experienced security team enabled Google to cut the scam short—even though it was primarily a user-based issue.
The lesson here is Google’s example: security breaches are going to happen, but they can be handled effectively, and damage can be minimized. There’s an enormous difference between Google’s 1 million phishing victims and Yahoo’s 1 billion victims of a data breach.
If you’re looking for someone to help you make security a reality for your business, consider contracting with a cyber security firm. They can help you to secure your system and, as in the Gmail example, control damage on breaches that do happen. You’ll save on the startup costs of hiring your own security team, and you’ll be safe in the hands of security experts.
