Cyber threats have become so commoditised today that no organisation should assume they are invulnerable.
A perfect storm of highly motivated attackers, poor organisational security and expansive digital systems has led to breaches, data theft and service outages on an unprecedented scale. Yet these attacks can and should be caught much earlier in the kill chain. In many cases, organisations don’t even know they’ve been breached until a third party steps in.
In grading terms the cybersecurity efforts of Yahoo, TalkTalk, Equifax and many others would earn them an “F”. IT departments need to get the message and start following industry best practices. That means effective incident response, and ditching the cybersecurity car crash that is the username and password. With new EU regulations set to land next May, there’s no time to lose.
What will surprise and concern many looking at these big-name breaches is just how long it took the affected organisations to come clean to their customers. In Yahoo’s case, the firm was hit all the way back in 2013, yet it took until October this year to reveal the full extent of the breach: three billion accounts. Equifax has also come under heavy criticism for its response to a breach of 145.5m US and 700,000 UK customers it discovered in July. The attack went undetected for over two-and-a-half months and came as the result of a known software vulnerability that wasn’t patched up properly.
When it finally informed customers – over a month after it detected the breach and after senior execs had sold over $1.8 million in shares – things didn’t get any better. It directed victims desperate for more information to a separate domain – equifaxsecurity2017.com – which looked to many like a phishing domain and itself contained security vulnerabilities. The firm then compounded its problems by tweeting an incorrect link out several times.
Given the goldmine of personal and financial information Equifax was sitting on, this kind of shoddy incident response is inexcusable. That’s not even to mention the half-hearted apology issued by now-departed CEO Richard Smith. But Equifax is by no means alone in its poor handling of an incident.
The Department of Health (DoH) has also recently been heavily criticised for its handling of the WannaCry ransomware incident, which caused thousands of cancelled operations and appointments in May. Although the DoH had developed a plan, it had not been tested at a local level. As a result, it wasn’t clear who should lead the response, and communications broke down because email was unavailable, the National Audit Office said.
It’s not a case of “if” but “when” your organisation is hit by a serious cyber attack: according to the government, almost half (46%) of UK firms have suffered an attack or breach in the past 12 months. That makes it essential to craft and test a comprehensive incident or breach response plan – involving representatives from all across the organisation: HR, legal, IT, finance and so on.
The first 24 hours following an attack are particularly crucial. Firms should be as transparent as possible about the details they have to hand and how the incident affects customers and employees. Senior management needs to take the lead here, and customers want to see evidence that steps are being put in place to prevent a similar incident happening again.
The weakest link
Let’s be clear about the cause of most of these incidents: password-based authentication systems. According to Verizon, 81% of hacking-related breaches are made possible by exploiting stolen or weak passwords. They can be phished, cracked and even guessed by attackers – giving them the virtual keys to walk through the cyber front door to your organisation. Privileged account passwords are even more dangerous in the wrong hands, helping attackers get straight to those customer databases and stores of sensitive IP.
In a recent survey of IT decision makers we conducted, 86% of those with sysadmin-level access rights said they used only basic username and password authentication to access IT systems. What’s more, over half (54%) said they rely on the same credential-based systems to access accounts when off-site. It’s more than a little concerning that only half of those surveyed admitted that the business user accounts in their organisations are “not very secure.” What will it take before these companies, which are supposed to be the bastions of consumer data, realise they are treading on thin ice by relying on frankly inadequate and insecure methods of security?
This isn’t just a theoretical problem. Even an organisation as cyber-savvy and well-resourced as Deloitte can be found wanting. A serious breach of client data in September came after an attacker compromised a global email server via an admin account protected by a single password. Even more recently, cryptocurrency miner Coinhive was hacked after attackers compromised an insecure password for a corporate Cloudflare account, allowing them to divert funds from the firm.
It all adds up to one thing: password-based systems are the weakest link in your cybersecurity chain. They should be replaced both internally and for customers, who are themselves exposed to a greater risk of fraud and financial loss which could ultimately come back to bite your brand.
A new approach
What’s the answer? Stronger authentication built on the three pillars of possession, knowledge and inherence: that is, something you have (like a smartphone); something you know (like a PIN); and something unique to you (like a fingerprint). This type of security method is much more robust and verifies that the person accessing the service is exactly who they say they are.
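To make the "something you know" plus "something you have" combination concrete, the following is an added example (not code from the original article or from any vendor it mentions) of a two-factor login check: the knowledge factor is a salted PBKDF2 password hash compared in constant time, and the possession factor is a time-based one-time code per RFC 6238 (TOTP), which is what authenticator apps on a smartphone generate. The `Account` class, `verify_login` function, the drift window of one 30-second step and the anti-replay rule are all assumptions made for the example; the TOTP seed is the RFC 6238 test secret so the codes can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed demo seed: the RFC 6238 test secret "12345678901234567890" (ASCII),
# base32-encoded as an authenticator app would receive it in a provisioning QR code.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second intervals since the epoch."""
    secret = base64.b32decode(seed_b32, casefold=True)
    return hotp(secret, at_time // step, digits)


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 200_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the salt can be stored beside the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


class Account:
    """Minimal user record holding the verifiers for both factors (example structure, an assumption)."""

    def __init__(self, password: str, seed_b32: str):
        self.salt, self.pw_hash = hash_password(password)
        self.seed_b32 = seed_b32
        self.last_step_used = -1  # anti-replay: highest TOTP time step already consumed


def verify_login(account: Account, password: str, code: str,
                 now: Optional[int] = None, step: int = 30, drift: int = 1) -> bool:
    """Both factors must pass; a single bool is returned so a caller cannot learn which one failed."""
    now = int(time.time()) if now is None else now

    # Factor 1 (knowledge): recompute the digest with the stored salt, compare in constant time.
    _, candidate = hash_password(password, account.salt)
    password_ok = hmac.compare_digest(candidate, account.pw_hash)

    # Factor 2 (possession): accept the current step and +/- `drift` steps for clock skew,
    # but never a step at or below the last one used, so a phished or shoulder-surfed code
    # cannot be replayed once it has been accepted.
    secret = base64.b32decode(account.seed_b32, casefold=True)
    current_step = now // step
    matched_step = None
    for candidate_step in range(current_step - drift, current_step + drift + 1):
        if candidate_step <= account.last_step_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step), code):
            matched_step = candidate_step
            break

    if not (password_ok and matched_step is not None):
        return False
    account.last_step_used = matched_step
    return True


if __name__ == "__main__":
    acct = Account("correct horse battery staple", DEMO_SEED_B32)
    # At Unix time 59 the RFC 6238 vector gives code 287082 for this seed.
    print(verify_login(acct, "correct horse battery staple", "287082", now=59))   # True
    print(verify_login(acct, "correct horse battery staple", "287082", now=59))   # False: replayed
```

The design point is that the two factors fail independently: a password harvested by phishing is useless without the current code, and a code is useless on its own and expires within a step or two. Storing `last_step_used` per account is what turns a "one-time" code into one that is actually accepted only once.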
Passwords are simply no longer fit for purpose in our always-on, digital-centric world. There’s too much at stake in persisting with them, and it’s time this stale method of authentication was shunned by all. If the cautionary tales listed above aren’t enough to persuade companies, then maybe fines of up to 4% of global annual turnover, or £17m, will. They’ll be handed out by regulators under the EU GDPR and the NIS Directive from May next year. The former will apply to any firm managing EU customer data, while the latter covers providers of “essential services.” Both mandate strict best-practice security requirements, which will include multi-factor authentication and effective incident response.
The clock’s ticking.