It is good to try to learn lessons from major security breaches. It would be foolish to not want to understand the mistakes or misfortunes of other organisations in an effort to better defend your own data and systems.
Some of these lessons come from the nature of the attack, or the way data was protected, or the ability to detect and respond. However, there are other lessons that can be learned from what is said and how that message is delivered.
If we look at some of the biggest, most memorable cyber security incidents to see what was said, what was meant and what the effects or interpretations were, there are some powerful tips that can be applied not only to how security is managed, but also to how breaches are handled and communicated.
The two main factors that made the TalkTalk case so significant were the rather trivial nature of the vulnerability that was exploited and the way the communication was handled directly afterwards.
Leaving aside the technical nature of the SQL injection vulnerability, the now famous (infamous?) CEO Dido Harding had to answer questions when the breach was first publicised, and famously revealed that TalkTalk didn’t know how many of its customers had been affected.
Immediately the press worked out (from public information) how many customers TalkTalk had (4 million) and assumed that the breach affected all of them, or “up to” all of them.
As a warning to the public that they might have been affected, this is defensible and not surprising, given the interest in the case. However, the result was a much more alarmist set of statistics being published in the absence of real ones.
As the days passed, TalkTalk then revealed that the total number of customers affected by the attack was closer to 157,000, with only around 16,000 including their bank account numbers and sort codes.
157,000 was only about 4% of TalkTalk’s 4 million customers and a small fraction of the number feared when news of the attack broke; the number of financial records affected was lower still, under 1%.
So the absence of knowledge is a bad thing, and in the very early stages of a breach investigation – when some facts might be unknown – it is important to ensure that a more “thoughtful” or considered message is conveyed which leaves less scope for wild assumptions.
One approach may be to state that initial indications are “that only a small number have been affected” and that “you will communicate with them directly” so there is less uncertainty – another would be to understand what numbers of data records are held on which systems so that at least you have some upper bounds. Handling the media correctly is key.
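The “upper bounds” point above is the one piece of this that can be prepared in advance. Below is an added example, not from the original post and not describing TalkTalk’s actual systems, of how a simple data inventory (which systems hold how many records of which type) can be turned into a capped exposure estimate the moment the investigation names the affected systems. All system names, record counts and the affected-system list are constructed for illustration.

```python
"""Upper-bound exposure estimate from a data inventory (added example).

Assumes a constructed inventory of which systems hold which record types
and how many, plus a constructed list of systems the initial investigation
has found to be affected. None of the figures are real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemRecords:
    system: str
    record_type: str   # e.g. "contact", "bank_details"
    count: int         # records of that type held on the system


# Constructed sample inventory (not real figures for any organisation)
INVENTORY = [
    SystemRecords("web-portal-db", "contact", 1_200_000),
    SystemRecords("web-portal-db", "bank_details", 90_000),
    SystemRecords("billing-db", "contact", 4_000_000),
    SystemRecords("billing-db", "bank_details", 2_500_000),
    SystemRecords("crm-archive", "contact", 350_000),
]

TOTAL_CUSTOMERS = 4_000_000  # constructed; caps any bound


def upper_bound_exposure(inventory, affected_systems, total_customers):
    """Return {record_type: upper bound} for the given affected systems.

    Sums record counts per type across affected systems, then caps each
    figure at total_customers because the same customer can appear on
    several systems. Unknown system names raise rather than being ignored,
    so a typo cannot silently shrink the bound.
    """
    known = {r.system for r in inventory}
    unknown = set(affected_systems) - known
    if unknown:
        raise ValueError(f"systems not in inventory: {sorted(unknown)}")
    bounds = {}
    for r in inventory:
        if r.system in affected_systems:
            bounds[r.record_type] = bounds.get(r.record_type, 0) + r.count
    return {k: min(v, total_customers) for k, v in bounds.items()}


def holding_statement(bounds, total_customers):
    """Turn the bounds into a cautious early statement with explicit limits."""
    lines = ["Initial indications (subject to investigation):"]
    for record_type, bound in sorted(bounds.items()):
        pct = 100 * bound / total_customers
        lines.append(
            f"  {record_type}: at most {bound:,} records ({pct:.1f}% of customers)"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Investigation so far points at one system only
    affected = {"web-portal-db"}
    print(holding_statement(
        upper_bound_exposure(INVENTORY, affected, TOTAL_CUSTOMERS),
        TOTAL_CUSTOMERS,
    ))
```

The figures it produces are deliberately ceilings, not estimates: they are what you can say on day one without waiting for the forensic count, and they are broken out by record type so that a bound on contact details is never reported as a bound on bank details.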
If a company says it takes privacy very seriously, there is a good chance they have just had a data breach and are about to explain how it happened despite this.
In the case of Experian, a leading provider of credit checking and identity theft insurance, their breach was quite extended. T-Mobile customers registering for finance services from September 2013 through to 2015 were affected – so for a two year period privacy wasn’t being taken that seriously.
However, “upon discovery of the incident, Experian took immediate action”, so privacy did become important at that point.
Interestingly, in November 2015 Experian also flagged the risk of heightened regulatory pressures on security in their half-year results following the later breach at rival Equifax.
What can be learned, though, is that “privacy must be taken seriously”, but on a permanent, continual basis and not just when there has been a breach. This is enshrined in the “privacy by design” concept that is now de rigueur.
This was actually a quote from the NAO following its investigation into the terrible effects of the WannaCry ransomware attack that affected the NHS.
Widespread system infections, offline systems, lost data, cancelled operations – in an environment where life could be threatened by failure this was rightly seen as a major issue.
The lesson in this case is clear: getting patches applied and vulnerabilities addressed is vital. It means that when a month-old vulnerability is exploited you are up to date and hopefully safe. The challenge is that this is hard for large, complex organisations with lots of systems – including ones that might be difficult to patch – it is most definitely not trivial.
However, when a breach occurs, you don’t want it to result from a failure in “basic security practice”.
The effects of Petya (a relative of WannaCry) on Maersk, the international shipping behemoth, were well publicised. They had to own up to a cost of up to $300m, a not insignificant sum, even for a company of that size.
Following the attack, they did then have to take steps to improve security, of course, and invest further in security technologies and management practices.
For one thing this shows that security issues can have a real impact on the bottom line. It also highlights that saving money on security is a serious false economy – it is the door you leave half open that the attacker sneaks through, and then you have the cost of downtime, lost data and the investigation PLUS you will still have to (under pressure from investors, customers or regulators) invest in better controls anyway.
Ignore the word “seriously”, we have covered that above. The important part of this quote is the word “responsibility”. It can be shortened to:
“Protecting the security of information is a responsibility”
This means several things:
Equifax, as one of the leading providers of credit checking and identity theft protection, had failed in their responsibility to safeguard information. Having suffered a breach, how did Equifax “make it right”? Again, there are some lessons to learn, as their (laudable) response was to provide identity theft insurance for affected customers:
Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection … all complimentary to U.S. consumers for one year.
However, this approach was not entirely satisfactory as can be seen from this post which in summary describes how:
All in all, it wasn’t a good day for Equifax or the 143 million people it held details on. Taking responsibility for information and the remediation of a breach is not easy, it seems. See our blog post on this.
The quotes used here deliberately highlight some lessons:
In cyber security, learning from the misfortune or mistakes of others is still a big part of the day job.