This month, Yahoo! confessed that the account details of all three billion of its customers had been compromised, making the 2013 incident the largest cyber-attack in history. But what’s surprising is that it has taken four years for the company to admit to this.
Why the long delay? Before that, TalkTalk was heavily criticised for a similarly lengthy period of silence over a data breach. The most recent example to hit the headlines, though, was Equifax. The credit monitoring agency revealed an epic data breach in which highly sensitive customer data – including Social Security numbers and credit card details – was potentially accessed by hackers. 143 consumers were affected, but it took the company over four months to report the breach, exposing yet another irresponsible attitude to security.
Let’s say you are in a similar position to Yahoo!, TalkTalk or Equifax: your firm has (inevitably) been hacked and customer, client or company data is potentially at risk. How should you react?
Crucially, you should not react as Equifax did. During the period in which the company waited to inform its customers of the incident, its senior execs sold over $1.8 million in shares; then, to top off the sorry mess, it issued a half-hearted, self-centred apology. “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes,” said chairman and CEO, Richard F. Smith.
Time is of the essence, and the first 24 hours following a hack are vital. Companies should have a clear and thorough response strategy in place, communicating clearly and openly the details of the breach and how it affects external users and internal employees. Executives should take the lead, explaining to customers, stakeholders and business colleagues how the company will prevent further incidents and, importantly, adopt a more robust security strategy.
Strong authentication to strengthen security
When you consider that the vast majority of hacking-related breaches are the result of cyber criminals exploiting stolen or weak passwords, perhaps of most concern in the Equifax case is that the company is still allowing customers to manage their accounts through passwords and PINs. Whilst defending against cyber-attacks heavily involves continual monitoring and reporting of IT systems, it also involves bolstering security at the ‘front door.’ This means looking beyond weak and insecure passwords, something which Equifax is not alone in neglecting.
Intercede recently conducted research into how the systems administrators at major UK companies – those who manage operations and access to a company’s IT systems – are protecting sensitive data. A shocking 86% of those with systems administrator access rights are only using basic username and password authentication for on-site computer systems.
Half of respondents in the research also said that business user accounts in their organisations are ‘not very secure’. Despite widespread awareness of the inadequacy of many security systems, not to mention the endless headline-grabbing hacks, too many companies are failing to take action. In order to truly arm themselves against today’s cybercriminals, these companies must adopt a more sophisticated method of authentication and credentials management, which will secure both their customers’ data and their business’s bottom line.
Our research found that more advanced methods of on-site authentication are severely underutilised. Only 2% of firms use biometrics such as fingerprint or facial ID, and just 6% use virtual smart cards and PINs. Effective security technology – including these two approaches and more – is available and accessible today. The challenge now is altering the approach to security, hammering home how easy it is to fall victim to a hack, and educating companies and consumers on how to better protect themselves.
Strong authentication should be adopted, which incorporates three elements: possession (something you have, such as a smartphone), knowledge (something you know, like a PIN), and inherence (something which is physically inherent and unique to you, such as an iris scan). Whenever an employee or a digital service user wishes to access an IT system or personal account, they must prove all three elements, verifying with the company that they are who they say they are, thus establishing ‘digital trust’.
Relying on passwords places service providers and their employees at risk of further cyber-attacks, which could spread far beyond a company’s own IT system or database. If a database is accessed illegally as a result of inadequate password security, the passwords stored on this database can also be stolen. As many of us use the same password to access multiple websites and IT systems, these could then be used by a hacker to gain access to numerous external sites and data, including individuals’ financial and personal information.
Service providers must move beyond the password, and instead deploy digital certificates which reside only on their employees’ computers, smart cards or personal devices. Even if a hacker does gain access to a company’s centralised database, there will be no login information for them to steal – and potentially use to launch a wider attack.
This approach adds an essential additional layer of security, and makes a hacker’s job far more difficult. In addition, using digital identities significantly reduces the end-user’s exposure to identity fraud in the future.
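To make the contrast drawn in the three paragraphs above concrete, here is an added Python example (not Intercede’s code or product): a password record the server must keep, next to a challenge-response login in which the server holds only a public key. A hash-based one-time (Lamport) key pair stands in for the certificate’s key pair, and the password, salt and wordlist are constructed values.

```python
import hashlib
import hmac
import os

ITER = 100_000  # PBKDF2 work factor (constructed value for the demo)

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# --- Password model: the server record is a verifier derived from the secret ---
def password_enrol(password: str, salt: bytes = None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def password_login(password: str, record) -> bool:
    salt, verifier = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)
    return hmac.compare_digest(candidate, verifier)

def crack_dumped_record(record, wordlist):
    # What a stolen password record yields: an offline guessing attack.
    return next((w for w in wordlist if password_login(w, record)), None)

# --- Certificate-style model: a hash-based one-time (Lamport) key pair stands in
# for the credential's key pair. The private half never leaves the user's device;
# the server stores only the public half and issues a fresh challenge per login.
def keygen():
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = [(sha256(a), sha256(b)) for a, b in priv]
    return priv, pub

def _bits(challenge: bytes):
    digest = sha256(challenge)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, challenge: bytes):
    # Reveals half of priv, so a real deployment uses each key pair once.
    return [priv[i][bit] for i, bit in enumerate(_bits(challenge))]

def verify(pub, challenge: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hmac.compare_digest(sha256(sig[i]), pub[i][bit]) for i, bit in enumerate(_bits(challenge)))

def cert_login(priv, pub) -> bool:
    challenge = os.urandom(32)  # server-issued nonce, never reused
    return verify(pub, challenge, sign(priv, challenge))

def dumped_public_key_reusable(pub) -> bool:
    # What a stolen public key yields: the best "signature" the dump can produce.
    challenge = os.urandom(32)
    fake_sig = [pub[i][bit] for i, bit in enumerate(_bits(challenge))]
    return verify(pub, challenge, fake_sig)
```

A dumped password record can be guessed offline, whereas a dumped public key authenticates nobody and a captured signature cannot be replayed against a fresh challenge.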
Fail to plan, plan to fail
With GDPR coming into play next year, and hackers adopting increasingly sophisticated methods of attack, the threat and consequences of a breach loom over any business. Reputational damage, loss of consumer trust and plummeting share prices can all be major and devastating knock-on effects of a breach on a company.
Don’t do an Equifax. Continuously assess and monitor your IT security, have a clear incident response plan ready that will limit the repercussions and most importantly arm yourself properly by enforcing strong authentication. After all, “if you fail to plan, you’re planning to fail.”
Richard Parris, CEO at Intercede