[BreachExchange] From VTech to Ashley Madison: How the hacks of 2015 are reshaping cyber security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 26 21:53:29 EDT 2016


http://thenextweb.com/insider/2016/04/25/vtech-ashley-madison-cyber-security/

It was around halfway through 2015 when a group of cyber-attackers who
called themselves “The Impact Team” stole the data of 37 million users of
controversial dating site Ashley Madison, and published the details online.

Such details included people’s email addresses, dates of birth and their
credit card transactions. As a stand-alone event this is fascinating, great
for small talk in the office, but it’s unlikely to strike fear into the
hearts of senior professionals in organizations. However, the Ashley
Madison breach was not the only cyber-attack to take a dramatic toll on an
organization last year.

The VTech cyber-attack saw the personal details of 6.3 million children
being leaked, and those behind the Experian cyber-attack stole the records of
15 million customers, to name just a few. Suddenly it's become
clear that organizations have every reason to fear for the security of
their data and the welfare of their customers.

We have a pressing problem with cyber-attacks which needs to be addressed.
But how can we be sure the actions organizations are taking to tackle this
problem are effective?

I teach and conduct research in the field of online security at Nyenrode
Business Universiteit, focusing on topics such as fraud prevention,
integrity issues, and public-private collaborations in the security
industry. I’m also a member of the Netherlands Intelligence Study
Association (NISA).

Using this experience, I pinpointed four key developments in cyber
security, as a result of the cyber-attacks in 2015, which an organization
would need to harness in order to tackle the challenges posed by last
year’s crisis for 2016 and beyond.

Increase cyber security spending

Understanding and managing cyber security risks is certainly a significant
priority for leaders both in businesses and governments for 2016, and the
first step for organizations is to assess how much they invest in cyber
defences and question “Is this really enough?”

Organizations are beginning to take action – PWC recently used the insights
from The Global State of Information Security survey to reveal that 24
percent of respondents boosted their information security budgets, and 69
percent of companies incorporated cloud-based cyber security into their
strategic initiatives during 2015.

It’s a good start, but simply increasing budgets does not go far enough.

Taking responsibility in the boardroom

It is important to acknowledge that cyber-attacks are beyond an
organization’s control, but what can be controlled is how an organization
chooses to respond.

This is why there should be an increase in the number of Chief Information
Officers (CIOs) and even Chief Information Security Officers on corporate
boards, to help ensure appropriate actions can be taken.

In the previous decade, we’ve seen an increase in the number of Chief
Financial Officers serving on corporate boards as a direct response to the
global financial crisis.

Developing comprehensive cyber security plans requires a similar culture at
boardroom level, developing an awareness of the importance of security that
extends from the C-suite to the professionals in each function since
breaches can occur at any level and in any department.

It’s important for management to communicate their support in complying
with new cyber security policies if they are to strengthen the resilience
their employees have in responding to potential cyber incidents.

We need to clarify the responsibilities of external security providers and
organizations.

In the wake of the VTech cyber-attack, the company was widely criticised by
the media for their poor security and lack of encryption. But who was to
blame really?

It could have been down to the internal IT staff, but there’s also the
possibility that an external provider’s product failed to be effective.

If greater transparency and responsibility are to be encouraged between
companies, external providers and customers, we need to gain an
understanding of the ongoing interweaving that takes place between the
public and private domain.

For organizations to understand where breaches typically occur and how to
best protect against them, they must ask themselves two relevant questions:
Who is doing what for whom and who can we hold accountable in the event of
a breach?

Employees need formal training for cyber-attacks

Aside from encryption and firewalls, a company's first line of defence is
its staff – yet there's a lack of formal education within organizations,
despite the regular security decisions staff make, such as: "Should I click on
this potentially shady link?" or "Should I enter my password on this form?"

Knowledge typically comes from incidental and informal learning, such as
news articles or the experiences of friends and family, rather than from
management. The media’s focus is on who conducts the attacks, whereas
expert information focuses instead on how attacks are conducted.

These differences prevent staff from understanding how persistent more
mundane threats like viruses or phishing are, and how to protect against
them.

Organizations need to encourage employees to be consistently alert and
should take steps to educate them on cyber security, in an informal but
efficient way.

In teaching employees to recognize when and how these threats occur,
business leaders are taking the steps to clarify the responsibilities of
dealing with cyber threats accordingly. In addition, they can easily
identify the areas of security that need to be discussed at boardroom level.

This will vary according to the organization but, by having this system in
place, we’ll finally be ahead in the cyber war.