Cyber Security Quotes: 5 useful quotes from organisations that have been hacked
It is not uncommon to try to learn lessons from major security breaches. It would be foolish not to want to understand the mistakes or misfortunes of other organisations in an effort to better defend your own data and systems.
Some of these lessons come from the nature of the attack, the way data was protected, or the ability to detect and respond. However, there are other lessons to be learned from what is said afterwards and how that message is delivered.
What can we learn from these cyber security quotes?
If we look at some of the biggest, most memorable cyber security incidents to see what was said, what was meant and what the effects or interpretations were, there are some powerful tips that can be applied not only to how security is managed, but also to how breaches are handled and communicated.
Cyber security quotes – TalkTalk: “We don’t know who is affected”
Two factors made the TalkTalk case so significant: the rather trivial nature of the vulnerability that was exploited, and the way communication was handled immediately afterwards.
Leaving aside the technical detail of the SQL injection vulnerability, the now famous (infamous?) CEO Dido Harding had to answer questions as soon as the breach became public and, in a much-quoted statement, revealed that TalkTalk did not know how many of its customers had been affected.
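Since the article leaves the SQL injection itself aside, here is what "trivial" means in practice. This is an added example written for this page, not TalkTalk's code: the customer table, the two lookup functions and the payloads are all hypothetical and the rows are made up. The vulnerable lookup splices the submitted email address into the query text, so a tautology payload returns every row and a UNION payload reads the database schema; the hardened lookup binds the same input as a parameter and returns nothing for either payload.

```python
import sqlite3

# Constructed sample rows, not real customer data; sort codes and account numbers are made up.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "12-34-56", "12345678"),
    (2, "bob@example.com", "65-43-21", "87654321"),
    (3, "carol@example.com", "11-22-33", "11223344"),
]

# Example payloads an attacker might submit in the email field.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT name, sql, '' FROM sqlite_master --"


def make_db():
    """Build an in-memory database with the hypothetical customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, sort_code TEXT, account_no TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the input is spliced into the SQL text, so quotes and keywords become SQL."""
    sql = "SELECT email, sort_code, account_no FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Hardened: the driver binds the value to a placeholder; it is never parsed as SQL."""
    sql = "SELECT email, sort_code, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare():
    """Run both lookups with a normal email and with each payload; return (vulnerable, hardened) row counts."""
    conn = make_db()
    out = {}
    for label, value in [("normal", "alice@example.com"),
                         ("tautology", TAUTOLOGY_PAYLOAD),
                         ("union", UNION_PAYLOAD)]:
        out[label] = (len(lookup_vulnerable(conn, value)), len(lookup_hardened(conn, value)))
    return out


if __name__ == "__main__":
    for label, (vuln_rows, safe_rows) in compare().items():
        print(f"{label:10s} vulnerable={vuln_rows} rows  hardened={safe_rows} rows")
```

The UNION payload is the more instructive of the two: against the vulnerable function it returns the CREATE TABLE statement from sqlite_master, which is exactly how an attacker learns which columns to pull next. Parameter binding is the fix; input filtering is not, because the hardened query needs no filtering at all.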
As soon as this was said, the press worked out (from public information) how many customers TalkTalk had, some 4 million, and promptly assumed (sometimes caveated with the words “up to”) that the breach affected all of them.
From the point of view of warning the public that they might have been affected this is somewhat defensible, and given the heightened interest in the case certainly not surprising. The result, however, was that a far more incendiary set of statistics was poured into the vacuum left by TalkTalk’s lack of knowledge.
As the days passed and the story rumbled on, TalkTalk revealed that the total number of customers affected was closer to 157,000, of whom only around 16,000 had bank account numbers and sort codes exposed.
157,000 was only about 4% of TalkTalk’s 4 million customers and a small fraction of the number feared when news of the attack broke; the number of financial records affected was lower still, under 1%.
The conclusion is that an absence of knowledge is a bad thing, and in the very early stages of a breach investigation, when some of the facts may be unknown, it is important to convey a more considered message that leaves less scope for wild assumption.
One approach is to state that initial indications are “that only a small number have been affected” and that “you will communicate with them directly”, so there is less uncertainty. Another is to know in advance how many data records are held on which systems, so that you at least have an upper bound to offer. Handling the media correctly is key.
Cyber security quotes – Experian: “We take privacy very seriously”
If a company says it takes privacy very seriously, there is a good chance it has just had a data breach and is about to explain how it happened regardless.
In the case of Experian, a leading provider of credit checking and identity theft insurance, the exposure lasted a long time: T-Mobile customers who applied for finance services between September 2013 and 2015 were affected, so for a two-year period privacy was not being taken that seriously.
However, “upon discovery of the incident, Experian took immediate action”, so privacy did become important at that point.
Interestingly, Experian’s half-year results in November 2017 also flagged the risk of heightened regulatory pressure on security, following the breach at rival Equifax earlier that year.
What can be learned is that privacy must be taken seriously on a permanent, continual basis and not just when there has been a breach. This is enshrined in the “privacy by design” concept that is now de rigueur.
Cyber security quotes – NHS: “A relatively unsophisticated attack and could have been prevented by … following basic IT security best practice”
This was actually a quote from the NAO, following its investigation into the terrible effects of the WannaCry ransomware attack on the NHS.
Widespread system infections, offline systems, lost data, cancelled operations: in an environment where a failure can threaten life, this was rightly seen as a major issue.
The lesson in this case is clear: getting patches applied and vulnerabilities addressed is vital. It means that when a vulnerability whose fix has been available for weeks is exploited, you are already up to date and hopefully safe. The challenge is that this is hard for large, complex organisations with lots of systems, including some that may be difficult to patch; it is most definitely not trivial.
However, when a breach occurs, you don’t want it to result from a failure in “basic security practice”.
Cyber security quotes – Maersk: “We expect that the cyber-attack will impact results negatively by USD 200-300m”
The effects of NotPetya (reported at the time as Petya, and a relative of WannaCry in that it spread using the same leaked SMB exploit) on Maersk, the international shipping behemoth, were well publicised. They had to own up to a cost of up to $300m, not an insignificant sum even for a company of that size.
Following the attack they then had to take steps to improve security, of course, and invest further in security technologies and management practices.
For one thing, this shows that security issues can have a real impact on the bottom line. It also highlights that saving money on security is a serious false economy: it is the door you leave half open that the attacker sneaks through, and then you bear the cost of downtime, lost data and the investigation, PLUS you will still have to invest in better controls anyway (under pressure from investors, customers or regulators).
Cyber security quotes – Equifax: “Protecting the security of the information in our possession is a responsibility we take very seriously”
Ignore the word “seriously”, we have covered that above. The important part of this quote is the word “responsibility”. It can be shortened to:
“Protecting the security of information is a responsibility”
This means several things:
- Treating information as if it is owned by the data subjects rather than as the property of the organisation
- Making sure that it is protected from unauthorised access, loss, leakage, or corruption;
- Having suitably thorough monitoring, detection and analysis capabilities to identify breaches or misuse; and
- When a problem is uncovered, being able to move swiftly to stem any losses, rectify any issues, understand the exposure and make everything right!
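The third point above, detection capability, is what decides whether a breach is found in hours or in months. As an added example (not Equifax’s, TalkTalk’s or this blog’s own tooling), the following scans web-server log lines for the kind of SQL injection attempt behind the TalkTalk breach and for responses that are abnormally large for their URL, which is what a bulk data pull through an injection hole tends to look like. The log lines, IP addresses and user agents are constructed for the example, and the three signatures are illustrative rather than a complete rule set.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format. They are made up for this
# example and are not from TalkTalk, Equifax or any real incident.
SAMPLE_LOG = """\
203.0.113.9 - - [21/Oct/2015:10:01:02 +0100] "GET /account?email=alice%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2015:10:01:05 +0100] "GET /account?email=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 41872 "-" "sqlmap/1.0"
198.51.100.7 - - [21/Oct/2015:10:01:06 +0100] "GET /account?email=%27%20UNION%20SELECT%20name%2Csql%2C%27%27%20FROM%20sqlite_master-- HTTP/1.1" 200 2048 "-" "sqlmap/1.0"
203.0.113.9 - - [21/Oct/2015:10:02:10 +0100] "GET /account?email=o%27brien%40example.com HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2015:10:02:11 +0100] "GET /account?email=bob%40example.com%27%20AND%201%3D1-- HTTP/1.1" 200 510 "-" "sqlmap/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures are applied to the URL-decoded query string. A lone quote is deliberately
# not a signal on its own, so legitimate values such as o'brien do not raise alerts.
SQLI_SIGNATURES = [
    ("tautology", re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("comment_truncation", re.compile(r"'.*?(--|/\*)")),
]


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # %27 -> ', %20 and + -> space, and so on
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def sqli_labels(query):
    """Return the name of every signature that matches the decoded query string."""
    return [name for name, pat in SQLI_SIGNATURES if pat.search(query)]


def analyse(log_text, bulk_factor=10):
    """Flag injection attempts and oversized responses; count findings per client IP."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    # Baseline response size per path, so a reply that dumps a whole table stands out.
    sizes_by_path = {}
    for r in records:
        sizes_by_path.setdefault(r["path"], []).append(r["size"])
    median = {p: statistics.median(s) for p, s in sizes_by_path.items()}

    findings, per_ip = [], Counter()
    for r in records:
        labels = sqli_labels(r["query"])
        if median[r["path"]] and r["size"] > bulk_factor * median[r["path"]]:
            labels.append("bulk_response")
        if labels:
            findings.append({"ip": r["ip"], "ts": r["ts"], "query": r["query"],
                             "size": r["size"], "labels": labels})
            per_ip[r["ip"]] += 1
    return {"findings": findings, "per_ip": per_ip}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for f in result["findings"]:
        print(f["ts"], f["ip"], f["labels"], repr(f["query"]))
    print("alerts per IP:", dict(result["per_ip"]))
```

Two design points matter here. The signatures run on the decoded query, because the payloads arrive percent-encoded and a rule written against the raw URL would miss them. The size baseline is per URL rather than global, because an oversized response is only meaningful relative to what that endpoint normally returns; on the sample it is the 41,872-byte reply to the tautology request, not the injection string itself, that says data actually left.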
So Equifax, one of the leading providers of credit checking and identity theft protection, had failed in its responsibility to safeguard information.
Having suffered a breach, how did Equifax do at “making it right”? Again there are lessons to learn, as their (laudable) response was to provide credit monitoring and identity theft insurance for affected consumers, announced as follows:
Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year.
However, this approach was not entirely satisfactory, as can be seen from this post, which in summary describes how:
- The initial terms and conditions (presumably standard ones) implied that customers waived some legal rights, including the ability to bring class action lawsuits. In the post-breach flurry of criticism this did not go down well, and the language was quickly modified and clarified under public pressure.
- There was concern that the organisation providing the credit monitoring service was the very one that had suffered the breach (was its data correct and safe to rely on?).
- The delay of around a month in getting the offering set up may well have been too late, as stolen data is often sold and used quickly, before such provisions are in place.
All in all, not a good day for Equifax or the 143 million people it held details on. Taking responsibility for information, and for the remediation of a breach, is, it seems, not easy. See our blog post on this.
Cyber security quotes that tell a story
The quotes used here were chosen to highlight lessons:
- When you have a breach, any lack of knowledge is a bad thing: you need to fill in the blanks quickly and anticipate the situations or facts about which you are uncertain, so you can manage the message.
- “Taking privacy seriously” when you have just had a major breach is a given! Of course you are taking (the recent loss of) privacy seriously. Taking it seriously the rest of the time is what matters, because that is what prevents breaches in the first place, and for customers or data subjects continuous protection is what counts.
- When a security breach does occur (and prevailing wisdom is that it is a matter of “when”, not “if”) you don’t want it to result from a failure in “basic security practice” or from well-understood, easy-to-fix vulnerabilities. Weak passwords, lax access controls, web SQL injection holes and missing patches are perennial problems (and in some cases hard to fix at scale), but don’t expect sympathy if the means of attack is viewed as trivial.
- Security does cost money, but not as much as a security failure can. If you underinvest in protection and detection, the resulting losses and the money spent on response can be significant and far outweigh the cost of appropriate, risk-based controls in the first place.
- Finally, as we saw in the Equifax case, taking responsibility for information protection, maintaining effective monitoring and oversight, and acting responsibly once a breach has occurred all take effort and are fraught with pitfalls: speed of response, public perception and your credibility as an organisation are vital factors but hard to manage.
Learning from the misfortune or mistakes of others is, in cyber security, still a big part of the day job.