[BreachExchange] Why Data Breaches are all About Trust

[Destry Winant]

https://www.infosecurity-magazine.com/next-gen-infosec/data-breaches-trust/

Let’s start this article off with a tally. How many times today have
you had to put trust in someone or something? From trusting that the
toothpaste you bought from the corner store wasn’t poison, to trusting
that the car at the pelican crossing wouldn’t run a red light. We are
surrounded by situations that rely on us making decisions based on
trust.

There is a great quote from Frank Sonnenberg, author of Follow Your
Conscience, and it describes trust quite nicely. It states: "Trust is
like blood pressure. It's silent, vital to good health, and if abused
it can be deadly.”

When it comes to computer security, we require trust more than most.
Your network engineer, your SOC analyst and your software developer
all need to be in positions of privilege to do what they do. This,
however, isn’t the only way that trust affects us in the industry.

If you’re in internet circles for long enough you’ll probably have
seen a meme that goes something along the lines of “If it’s on the
internet then it must be true.” I’m risking being that guy that
explains the joke, it’s funny because the truth couldn’t be further
from it. From political leanings and celebrity crushes to upbringing
and beliefs, we all have biases and different ways of looking at the
world.

These biases all play into who and what we trust. Why is it that two
media distributions can explain the same events in completely
different ways, why is it that there has been a massive rise of ‘fake
news’, and why is it that the internet is full ‘garbage’? Well, all in
all, it comes down to just this. It comes down to the fact that we all
have these biases and trust different things.

Putting our security shades back on, how are we affected by trust? In
March 2015, the web hosting provider 000webhost suffered a major data
breach that exposed almost 15 million customer accounts. In October
2013, 153 million Adobe accounts were breached. In May 2014, the Avast
anti-virus forum was hacked and 423 thousand accounts were exposed. We
can see where this is going, these organizations have all suffered
massive data breaches in one form or another. In turn their customers
have lost, at least some, of their trust.

The quotes been reworded countlessly since its creation, however, the
one form by Robert Mueller says it best:  “There are only two types of
companies: those that have been hacked and those that will be. And
even they are converging into one category: companies that have been
hacked and will be hacked again.”

This article isn’t about bashing companies that have been breached,
because quite simply, at the end of the day most companies have.

The final question we're left with is two-fold, how might this form of
trust be regained, after a data breach, and why should we bother? We
can answer both of these questions by casting our minds back to
October 2015. The TalkTalk breach of 2015 affected 156,959 customers -
including 15,656 bank account numbers and sort codes.

Looking at the TalkTalk breach we can break the way that we respond to
an attack down into three main areas: Pre-breach, immediate
post-breach, and post-breach. Having a strong foundation in each of
these areas is key to keeping a strong brand and not losing the trust
of those that matter.

Using the TalkTalk breach we can see an example of failing in each of
these categories. In the pre-breach phase we can see that TalkTalk
failed to encrypt key parts of customer data, of which should have
been a general best practice for the company.

Immediately after the breach, they failed to deliver a sufficient
response and continuity between these responses. Finally, sometime
after the breach they failed to treat their customers with empathy as
they only allowed customers to leave their plans if they paid a
termination fee.

All in all we can see that that each of these stages came down to a
decision. This series of decisions then lead to TalkTalk, not four
months after the breach, losing £60m and 101,000 customers.

It all comes down to trust, and the fact that the decisions we make
affect the trust that others have in us. Finally as Warren Buffett
said "It takes 20 years to build a reputation and five minutes to ruin
it."