On September 7, 2018, British Airways disclosed that a data breach had impacted customer information taken from approximately 380,000 booking transactions conducted between August 21 and September 5, 2018.
Although the attack wasn’t elaborate, it was effective. The attacker exploited a known security vulnerability to inject malicious code into British Airways’ website, altering the behavior of the booking pages without penetrating the network or servers in a way that would trigger additional alerts.
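The breach described above worked by altering code the booking site served to customers. As an added example (not from the original post), the following Python script shows one defender-side control against that failure mode: keep a known-good hash of every script a site serves, alert when a served copy drifts from the baseline, and emit Subresource Integrity attributes so browsers refuse altered copies. The asset paths and contents are constructed for the demonstration and are not British Airways’ files.

```python
"""Baseline integrity check for scripts a web site serves.

Added example, not code from the original post. The asset paths and
contents below are constructed for the demonstration.
"""
import base64
import hashlib
from typing import Dict, List, Tuple

# Constructed sample: the scripts a booking page is known to serve.
BASELINE_ASSETS: Dict[str, bytes] = {
    "/static/checkout.js": b"function submitBooking(f){return post('/api/book', f);}",
    "/static/vendor/lib.js": b"window.lib={version:'1.0'};",
}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return a Subresource Integrity value of the form 'sha384-<base64 digest>'."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def build_baseline(assets: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every known-good asset once; store the result with the deployment record."""
    return {path: sri_hash(body) for path, body in assets.items()}


def check_assets(baseline: Dict[str, str], served: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare currently served assets against the baseline.

    Returns a sorted list of (path, finding) tuples; an empty list means no drift.
    Findings: 'modified' (hash differs), 'missing' (baseline asset no longer served),
    'unexpected' (served asset with no baseline entry).
    """
    findings: List[Tuple[str, str]] = []
    for path, expected in baseline.items():
        if path not in served:
            findings.append((path, "missing"))
        elif sri_hash(served[path]) != expected:
            findings.append((path, "modified"))
    for path in served:
        if path not in baseline:
            findings.append((path, "unexpected"))
    return sorted(findings)


def script_tag(path: str, content: bytes) -> str:
    """Emit a <script> tag carrying an SRI attribute so the browser rejects an altered copy."""
    return f'<script src="{path}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_ASSETS)
    # Constructed drift: one script gained trailing code, one new file appeared.
    served_now = dict(BASELINE_ASSETS)
    served_now["/static/checkout.js"] += b"\n// appended change"
    served_now["/static/extra.js"] = b"console.log('new');"
    for path, finding in check_assets(baseline, served_now):
        print(f"ALERT {finding}: {path}")
    print(script_tag("/static/checkout.js", BASELINE_ASSETS["/static/checkout.js"]))
```

In practice the served copies come from a scheduled fetch of the production site (or from the web server’s document root), and the baseline is regenerated only by the deployment pipeline, so any change that did not go through a release shows up as an alert. SRI attributes complement the server-side check: even if a served file is altered, a browser that has the tag with the original hash will refuse to execute it.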
The security vulnerability that made this breach possible may have seemed like a relatively minor issue before the breach was exposed, but it has resulted in massive—and costly—consequences. Although unlikely, if British Airways is punished to the full extent of the law, this incident has the potential to put the company out of business. Between a class-action lawsuit and potential GDPR fines alone, the breach could cost British Airways over $1 billion.
Why Getting the Security Basics Right Matters
Unfortunately, major security breaches like this one often stem from small security vulnerabilities. Hackers continue to use tried and tested techniques because their victims are still making the same basic mistakes, like not patching known vulnerabilities, according to the Verizon 2018 Data Breach Investigations Report.
In 2017, there were 159,700 cyber incidents globally—93 percent of which could have been prevented. In the U.S. alone, there were over 130 large-scale, targeted breaches, a number that is growing 27 percent year-over-year.
The reality is, most large-scale breaches can be traced back to neglected application maintenance, failure to modernize platforms, or not having modern security technologies in place. And although there’s no such thing as perfect security, there’s also no excuse for not taking the steps to protect your organization. While organizations need to secure and defend every port, service, application, end-user device, and server, cybercriminals only need to find one vulnerability.
All of this points to the fact that, while cybersecurity attacks are now an inevitability, their success is often preventable. Organizations need to be vigilant when it comes to cybersecurity, and that starts with doing the basics right. Although you can’t completely eliminate the risk of being attacked or breached, organizations can stop the majority of threats by implementing fundamental security best practices. After all, most attackers are looking for easy prey; if they encounter resistance, they are likely to move on to an easier target.
To help your organization mitigate the risk of a cyberattack and limit the damage an attacker can do in the event that one does occur, here are the first three of 10 steps your organization should be taking:
1. Start with a Response Plan
The military is fond of saying that “Prior planning prevents poor performance,” and the same rings true with cyber incident response. Cyber attacks are going to happen, so you should start with the mindset that at some point, one will be successful. Being prepared in the event that a breach occurs can dramatically reduce the ensuing damage and expense.
However, 77 percent of IT professionals say that their organization does not have an incident response plan in place. The importance of having a plan that tells each stakeholder what to do, and when to act, in the event of a security breach cannot be overstated.
Ultimately, cyberattacks are not just a problem for security professionals; their impact reverberates across the whole organization. Legal teams can be involved in litigation, customer service representatives are on the front lines of managing customer reactions, and management teams are left wondering where to go next.
The incident response plan should cover how to identify and mitigate a data breach, including which parties need to be notified, when to get legal representation involved, and what should be said to customers and stakeholders.
Once completed, the incident response plan needs to be given to each person with a role in its execution, and their acknowledgment that they understand it needs to be documented. Finally, the plan needs to be reviewed regularly, both for continued applicability and for changes in roles, tools, and systems, and that review should include the people who play a role in the response.
2. Implement Data Privacy Best Practices
Although having a plan in place lays the groundwork for a strong organizational response, organizations should also adopt data privacy best practices that will have an immediate impact on organizational security.
With GDPR recently going into effect and high-profile breaches of user privacy in the news, data privacy is more critical than ever. Your organization needs to understand its data and also any applicable data privacy laws and regulations. More specifically: Is sensitive data correctly classified, where does it reside, and is that data adequately protected?
Your organization should have procedures in place for storing and sharing sensitive and confidential information as well. For example, does your organization have processes in place for discontinuing storage of old or outdated sensitive information, and are you ensuring that sensitive information is properly encrypted when it’s shared?
It’s important to evaluate existing security and data privacy policies to see if any updates are needed. These changes may be as foundational as updating your corporate password policy or revising provisioning policies. Make sure policies are enforceable and establish ways to measure their impact. Security isn’t “set it and forget it,” so this should be done on a regular, ongoing basis!
And finally, don’t forget about your supply chain—privacy policies must extend to an organization’s vendors and third parties as well.
3. Educate Users with Ongoing Training
Breaches are often caused by human error, rather than malicious action taken by an outsider. According to the Verizon report, over a quarter (28 percent) of attacks involve insiders.
Whether they are aware of their role or not, insiders can facilitate access to sensitive systems, reveal account login information, or provide information about office layouts, hours of operation, or often-overlooked security practices. Ultimately, it is difficult to spot the signs of someone using legitimate access for criminal purposes. Similarly, simple errors on the part of employees—ranging from a misconfigured device to a misspelled email address to an email full of attachments—play a role in 17 percent of breaches, according to Verizon.
While a strong, security-minded employee culture can help make up for gaps in security controls by giving staff the tools and know-how to prevent a breach, a poor or uneducated security culture can easily undermine otherwise adequate controls. Therefore, it is important to educate users about their roles in creating and maintaining a strong cyberdefense, including proper password management, how to escalate suspicious communications, common signs of malware, and other common threats.
Some organizations use ongoing training opportunities to help both the technical staff and other employees stay up to date on the latest technologies and help build security requirements into product/system design, decision processes, and job descriptions.
Making security training a focus can pay off even in the event of a breach. One study found that companies that conducted regular security awareness training for employees had an average financial loss of $162,000, while companies without training reported an average of $683,000.
Going the extra mile by testing your users’ know-how through periodic internal phishing tests and security exams can further reduce security risks for your organization. In fact, random security training can reduce the likelihood of a successful attack by 10-15 percent. Furthermore, one study that looked at the impact of simulated phishing attacks found that there was an 84 percent decrease in susceptibility to the threat if employees who were tricked by the phishing test were given follow-up feedback and training.
The ability for organizations to thrive in our digital world is dependent on their ability to create and maintain an information technology environment that is not only functional, but secure. Although the days of setting a simple, single layer of cyberdefense are behind us, organizations still need to make the basic, tried-and-true components of a strong security posture an ongoing priority.
Creating an incident response plan and reinforcing the roles that employees play in its execution, regularly implementing data privacy best practices, and investing resources to train employees on their roles in maintaining and supporting cybersecurity are just three steps your organization should be taking.
In the next part of this three-part series, we will discuss the next three ways to help mitigate risk and limit the damage an attacker can do.