Amid the maelstrom of tech change that the world is navigating, data breaches have become common and powerful, leaving no one able to guarantee impenetrable security.
Security companies themselves are not exempt from this rule, with OneLogin, a company centred upon managing enterprise identities, passwords and logins also falling victim to a breach earlier this year.
With OneLogin dusting itself down from the disastrous event, CBR had the opportunity to speak to the CEO of the company, Brad Brooks, who gave us insight into the breach which impacted thousands of OneLogin customers and, more importantly, what it takes to move on boldly from an event such as this.
“You hear it time and again, whether we like it or not, a data incident like what we experienced, every company is probably going to go through it at some point. It is the nature of the beast, there is just too much surface area that is out there,” said Mr Brooks.
“How we went through it, and the fact we went through it is unacceptable. We do not ever want to repeat it again, but at the same time just like anybody that has been through a life changing experience in their personal life, once you have gone through it and gotten to the other side, you have become a stronger, better person because of it. We have certainly become a stronger, better company because of it.”
With cybersecurity awareness still lacking across the world, an organisation hit by a data breach is forced to learn quickly, and in a primal way, as an animal learns to avoid poisonous plants in the wild. When hit by a breach an organisation is faced immediately with the reality of the cyber threat, and must work hard to retain credibility.
Mr Brooks outlined the approach taken at OneLogin to re-establish some security confidence. He said: “We have had preeminent experts in the field come in and audit our entire process, everything from our product and how it is coded, to the processes of how we run our business, to social penetration testing, having mystery people come into our offices and try to gain access.”
“We have gone through all of that over the last several months to find out every potential area where there might be an issue. We have come up with a whole set of remediation steps, everything about how we encrypt data, to the level of encryption, to how we wall off access to certain parts of the product.
“We are hiring new resources specifically around security, and upgrading them with a security-first mind-set like a company of ours needs to do. It is the top priority for us, we will continue to learn going forward, we have no expectation that we will ever be breached again, but at the same time, we have to manage like it could happen at any moment.”
Despite employing expansive new precautions and testing to defend an organisation against data breaches, security still cannot be guaranteed. The OneLogin CEO outlined why anyone who guarantees security would be naïve to do so.
“Two things will happen if you say that, number one is that you will paint a bull’s-eye on yourself that will make every hacker out there want to prove that you are wrong, and the second thing is, it has a way of creating a false sense of security and lack of paranoia that you do not want to permeate the company with,” Brooks said.