Uber's recent mega breach, and subsequent attempt to hush the incident up, have shocked users around the world. Here is a company which allegedly paid off the hackers to protect its own reputation, at the expense of doing right by its customers and regulators. Consumers will wonder how many other firms they do business with could follow a similar route. In fact, if you live in the UK, the chances are your personal information has already been hacked and traded on the dark web. That's what the cyber-crime lead for the National Police Chiefs' Council believes, and he should know.
Unfortunately, the truth is that organisations are still under-investing in the key areas of access controls and incident response. With new EU data protection legislation next May threatening huge monetary fines if best practice security is ignored, things will have to change pretty quickly.
Everyone gets hacked
Last November, the former CEOs of Yahoo and Equifax were grilled by US senators about data breaches affecting billions of consumers globally. This scrutiny by the upper chamber of Congress in the US is a timely reminder of the growing significance of these incidents, and the gravity with which they're being treated by lawmakers. In the meantime, breaches continue to hit the headlines. Uber is the one everyone's talking about today, but UK high street pawnbroker Cash Converters and DIY chain Jewson have also recently spilled customer details, including passwords. These could be used to launch follow-on phishing attacks and even directly hijack user accounts.
What many people will find difficult to understand is how it took the likes of Uber, Equifax and Yahoo so long to reveal the breach to their customers. Yahoo was attacked in 2013, but it took the internet pioneer until October 2017 before it could finally reveal that all three billion global user accounts had been compromised.
Equifax spilled data on 145.5 million US customers and 700,000 British consumers. It finally came clean in early September, over two months after first learning of the incident. This kind of delay is legal in the US, but it soon won't be according to the strict 72-hour breach notification window mandated by the EU General Data Protection Regulation (GDPR). Uber, meanwhile, was attacked in “late 2016”.
CEOs and IT leaders must remove their collective heads from the sand and face up to the new reality of doing business today. Breaches are inevitable, but there are things that you can do to reduce their impact — and paying off the hackers to avoid bad publicity isn't one of them. Plan now for the worst-case scenario, including key stakeholders from all over the organisation, and rehearse that plan at regular intervals. The best incident response plans will see the organisation remediate any issues to contain the breach, communicate details in a timely manner to customers and regulators, and include concrete steps to prevent similar incidents happening again.
The password problem
The root of the problem when it comes to many data breach incidents is the use of password-based authentication systems. This is a security challenge on two levels: first because it allows hackers to infiltrate privileged accounts internally en route to sensitive data; and second because it exposes customer accounts to the mass hacking, cracking or guessing of log-ins. Google research indicates there are currently 1.9 billion usernames and passwords being traded on the black market.
The first issue is perhaps most relevant to the data breach discussion, in that it can provide hackers with an easy path to your organisation's most sensitive customer data and IP. Intercede research from earlier this year found that a staggering 86 percent of UK IT decision makers still use basic usernames and passwords to access IT systems on-site, while over half (54 percent) do so remotely. It's believed that Uber's attackers located the firm's Amazon Web Services account log-ins on GitHub.
Fortunately, some industries are moving in a different direction. Intercede found that 19 percent of financial services firms and 11 percent of IT organisations are using virtual smart cards with PINs. One-time passwords are starting to gain popularity in manufacturing (nine percent), while biometrics are beginning to catch on in the retail sector (eight percent).
It's vital that these multi-factor authentication systems become the industry standard for securing both customer and internal IT accounts. Because there are simply no static usernames and passwords to steal, replacing the outdated username-password combination leaves hackers outfoxed and unable to impersonate the victim. Instead, such systems rely on something the user owns (like a device), something they know (i.e., a PIN), and often also something unique to them (a fingerprint or facial scan).
Cyber-criminals would need to have access to a smartphone, PIN or biometric reading to be able to compromise a system – something which is naturally a lot more difficult than obtaining a simple password. By having these different elements, businesses can not only bolster security at the “front door” but also check that the person accessing the service (an unauthorised party like a hacker versus a bona fide employee or customer) is who they say they are. Access attempts can be refused if any of these elements is missing or entered incorrectly. Authentication systems of this nature that integrate multi-level security provide one thing that passwords right now do not – ‘digital trust’ and the knowledge that only the right people are able to access the appropriate parts of a service or network.
From May 2018, the GDPR and the NIS Directive — which demands critical infrastructure firms put in place best practice security — will levy harsh fines of up to four percent of global annual turnover or £17 million on failing organisations. It's time we all got better at mitigating the risk of data breaches. That means binning those static password systems and responding more quickly and efficiently to security incidents.
Contributed by Richard Parris, Chairman and CEO, Intercede
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.