Information security is quickly becoming a major consideration for businesses and governments all over the world. The last few years have seen a sharp uptick in the incidence of hacks and breaches. The lesson is clear: everyone needs to start taking information security seriously, because otherwise hackers will find and exploit any and all weaknesses they can. This is especially true for companies that control valuable customer data, as hackers can use that for identity theft. In this post, we will discuss the top data breaches of 2015 and the biggest lessons to draw from them, so that you will be prepared to handle every hack attempt 2016 brings.
There are still companies that fail to encrypt their data in 2015. UCLA Health saw hackers make off with 4.5 million records that contained extremely detailed medical data, names, Social Security numbers, and other information because none of it was encrypted. It should be a no-brainer at this point, but the truth bears repeating: encrypt any and all sensitive data. No exceptions. Use strong and reliable encryption, which you should check at least twice a year. The landscape is littered with encryption techniques that were supposed to be uncrackable; few actually survive for long in today’s hack-happy environment. Not only are attacks becoming stronger and more frequent, but hackers are getting better at sneaking inside networks by any means necessary. That means the correct stance is to treat a breach as a question of “when,” not “if.” Assume that in the near future, a hostile group will gain unlawful access to your data. If that happened, would your company be safe? You are much better off telling customers that their data is safe because it was encrypted and that you are doing everything possible to prevent another attack than having to say that you lost millions of records and that all of those people are now at risk of identity theft. Find a good encryption technique, but don’t get attached to it, because history shows that sooner or later it will fall, and those who don’t adapt become vulnerable.
One of the most important lessons from 2015 is actually based on a hack that took place before 2015. This September, the credit agency Experian reported that about 15 million customer records had been stolen, all of them belonging to people who had used Experian to apply for a phone plan from T-Mobile. Current reports indicate that the breach actually took place somewhere around two years ago, and that Experian’s system has been compromised ever since. Although the haul in terms of data was limited to non-financial personal information belonging to T-Mobile customers, the fact that the breach went unnoticed for so long is disturbing. That’s just one example of something that has come up several times in 2015: the idea that there might be a large delay between when an attacker gains access to a company and when the company notices the problem. The company might be tipped off by an investigator or consultant, or the attacker might give themselves away by making an obvious move, but the point is that many companies are lax about checking and rechecking their networks to see if they have already been compromised. Of course, it is not easy to scan for past breaches and it can take a lot of time, but the alternative is an attacker who can sit in the network for years and skim off whatever they want. That puts the company in a dangerous position, because it’s difficult to tell exactly what the attackers might have obtained or accessed. Preventative maintenance is key to sweeping out the system: follow up on any and all unusual activity.
Improve Internal Policy
Some major hacks in 2015 were actually leaks. For example, Securus, the company that manages phone lines for prisons, saw a leak of 70 million recordings of conversations between prisoners and people outside prisons. This was especially embarrassing because the leak revealed the company had been recording conversations between prisoners and lawyers, which is highly illegal. The lesson is clear: maintain strong internal protocols that make it difficult to leak documents. Impose strict restrictions on who has access to which data. It’s not clear who was behind the Securus leak, but there are very few people in the company who should have had that kind of access. Protocols are not just to prevent leaks from disgruntled employees. They also help thwart social engineering attacks and phishing. Many hacking teams use emails and phone conversations to attempt to steal passwords or other sensitive security information. They frequently pose as members of the IT department or as managers and ask employees for their passwords. Set restrictions on sharing passwords over email and require daily passphrases or some other security technique to make it impossible for an external party to successfully mimic an internal worker. It does take additional time and effort, but the investment is well worth it. If a hacker gets one password and gains access to a single account on the network, there’s no telling how far they can get. That is another reason to have strong and restrictive security protocols: so that a breach in one area cannot open up access to everything. It’s like a preemptive quarantine policy.
Cybersecurity is an ever-evolving field. Hackers are acting with greater aggression than ever before, because there is an unprecedented number of companies with massive data troves and weak protection. Don’t be another headline. Read these lessons from the biggest 2015 data breaches and conduct deep, honest security audits at regular intervals. It’s better to find a vulnerability than a breach.