Cyber Security Essentials

April 10, 2018

It is good to try to learn lessons from major security breaches. It would be foolish to not want to understand the mistakes or misfortunes of other organisations in an effort to better defend your own data and systems.

Some of these lessons come from the nature of the attack, or the way data was protected, or the ability to detect and respond. However, there are other lessons that can be learned from what is said and how that message is delivered.

What can we learn from these cyber security quotes?

If we look at some of the biggest, most memorable cyber security incidents to see what was said, what was meant and what the effects or interpretations were, there are some powerful tips that can be applied not only to how security is managed, but also to how breaches are handled and communicated.


Cyber security quotes – TalkTalk: “We don’t know who is affected”

The two main factors that made the TalkTalk case so significant were the rather trivial nature of the vulnerability that was exploited and the way the communication was handled directly afterwards.

Leaving aside the technical nature of the SQL injection vulnerability, the now famous (infamous?) CEO Dido Harding had to answer questions when the breach was first publicised, and famously revealed that TalkTalk didn’t know how many of their customers had been affected.

Immediately the press worked out (from public information) how many customers TalkTalk had (4 million) and assumed that the breach affected all of them, or “up to” all of them.

As a warning to the public that they might have been affected, this is defensible and not surprising, given the interest in the case. However, the result was a much more alarmist set of statistics being published in the absence of real ones.

As the days passed, TalkTalk then revealed that the total number of customers affected by the attack was closer to 157,000, with only around 16,000 including their bank account numbers and sort codes.

157,000 was only about 4% of TalkTalk’s 4 million customers and a small fraction of the number feared when news of the attack broke. The number of financial records affected was lower still, under 1%.

So the absence of knowledge is a bad thing. In the very early stages of a breach investigation – when some facts might be unknown – it is important to ensure that a more “thoughtful” or considered message is conveyed, one which leaves less scope for wild assumptions.

One approach may be to state that initial indications are “that only a small number have been affected” and that “you will communicate with them directly”, so there is less uncertainty. Another would be to understand what numbers of data records are held on which systems, so that at least you have some upper bounds. Handling the media correctly is key.

Cyber security quotes – Experian: “We take privacy very seriously”

If a company says it takes privacy very seriously, there is a good chance they have just had a data breach and are about to explain how it happened despite this.

In the case of Experian, a leading provider of credit checking and identity theft insurance, their breach was quite extended. T-Mobile customers registering for finance services from September 2013 through to 2015 were affected – so for a two-year period privacy wasn’t being taken that seriously.

However, “upon discovery of the incident, Experian took immediate action”, so privacy did become important at that point.

Interestingly, in November 2015 Experian also flagged the risk of heightened regulatory pressures on security in their half-year results following the later breach at rival Equifax.

What can be learned, though, is that “privacy must be taken seriously” on a permanent, continual basis and not just when there has been a breach. This is enshrined in the “privacy by design” concept that is now de rigueur.

Cyber security quotes – NHS: “A relatively unsophisticated attack and could have been prevented by … following basic IT security best practice”

This was actually a quote from the NAO following its investigation into the terrible effects of the WannaCry ransomware attack that affected the NHS.

Widespread system infections, offline systems, lost data, cancelled operations – in an environment where life could be threatened by failure, this was rightly seen as a major issue.

The lesson in this case is clear: getting patches applied and vulnerabilities addressed is vital. It means that when a month-old vulnerability is exploited you are up to date and hopefully safe. The challenge is that this is hard for large, complex organisations with lots of systems – including ones that might be difficult to patch – so it is most definitely not trivial.

However, when a breach occurs, you don’t want it to result from a failure in “basic security practice”.

Cyber security quotes – Maersk: “We expect that the cyber-attack will impact results negatively by USD 200-300m”

The effects of Petya (a relative of WannaCry) on Maersk, the international shipping behemoth, were well publicised. They had to own up to a cost of up to $300m, a not insignificant sum, even for a company of that size.

Following the attack, they then had, of course, to take steps to improve security and invest further in security technologies and management practices.

For one thing this shows that security issues can have a real impact on the bottom line. It also highlights that saving money on security is a serious false economy – it is the door you leave half open that the attacker sneaks through, and then you have the cost of downtime, lost data and the investigation PLUS you will still have to (under pressure from investors, customers or regulators) invest in better controls anyway.

Cyber security quotes – Equifax: “Protecting the security of the information in our possession is a responsibility we take very seriously”

Ignore the word “seriously”, we have covered that above. The important part of this quote is the word “responsibility”. It can be shortened to:

“Protecting the security of information is a responsibility”

This means several things:

  • Treating information as if it is owned by the data subjects rather than the organisation;
  • Ensuring it is protected from unauthorised access, loss, leakage, or corruption;
  • Having thorough monitoring, detection and analysis capabilities to identify breaches or misuse; and
  • Being able to move swiftly to stem any losses, rectify any issues, understand the exposure and make everything right when a problem occurs!

Equifax, as one of the leading providers of credit checking and identity theft protection, had failed in their responsibility to safeguard information. Having suffered a breach, how did Equifax “make it right”? Again, there are some lessons to learn, as their (laudable) response was to provide identity theft insurance for affected customers:

Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection … all complimentary to U.S. consumers for one year.

However, this approach was not entirely satisfactory, as can be seen from this post, which in summary describes how:

  • The standard T&Cs implied that customers waived some legal rights including the ability to bring class-action lawsuits. In the post-breach flurry of criticism this did not go down well, and the language/terms were quickly modified.
  • There was concern that the organisation providing the credit monitoring service was the one that had suffered the breach.
  • The delay in getting the offering set up (around a month) might well have been too late for a fast-acting criminal, as stolen data is often sold and used quickly, before such provisions are in place.

All in all, it wasn’t a good day for Equifax or the 143 million people it held details on. Taking responsibility for information and the remediation of a breach is not easy, it seems. See our blog post on this.

Cyber security quotes that tell a story


The quotes used here deliberately highlight some lessons:

  • When you have a breach any lack of knowledge is a bad thing – you need to fill in the blanks quickly and anticipate situations or facts about which you are uncertain so you can manage the message.
  • “Taking privacy seriously” when you have just had a major breach is a given! Of course you are taking (the recent loss of) privacy seriously! Taking it seriously the rest of the time is what matters, as that means breaches can be avoided in the first place. For customers or data subjects, having their privacy taken seriously on a continuous basis is quite important.
  • When a security breach does occur – and prevailing wisdom is that it is a matter of “when” not “if” – you don’t want it to result from a failure in “basic security practice” or result from well-understood and easy to fix vulnerabilities – weak passwords, lax access controls, web SQL injection holes or missing patches are perennial problems (and in some cases hard to fix) but don’t expect sympathy if the means of attack was viewed as being trivial.
  • Security does cost money, but not as much as a security failure can. If you underinvest in protection and detection then the resulting losses and the money you have to spend on response can be significant and far outweigh the costs of appropriate, risk-based controls in the first place.
  • Finally, as we saw in the Equifax case, taking responsibility for information protection, maintaining effective monitoring and oversight, and acting in a “responsible” way when a breach has occurred is hard – speed of response, public perception and your credibility as an organisation are all factors that are vital and hard to manage.

In cyber security, learning from the misfortune or mistakes of others is still a big part of the day job.
