What we can learn from three key 2015 data breaches
No matter who you are, or what your business is, you may be a target
As we look back on the companies that experienced data breaches or hacks in 2015, we can quickly ascertain that there is no longer a traditional target for a data breach.
The traditional data breach target organization would have data that an attacker could use for monetary or personal gain, such as financial institutions or companies that hold personal or health information. All of this data can be used to fraudulently establish credit or health services.
It seems that there has been a shift in 2015. Do not get me wrong – we still saw a fair share of the traditional targets with organizations such as the U.S. Office of Personnel Management, Anthem, Premera and Experian making the news.
However, looking back at the 2015 hacks, it is the nontraditional targets, such as Ashley Madison, the Hacking Team and VTech, that prove most interesting. The target only depends on the motivation of the attacker. Let’s take a deeper look into the nontraditional hacks.
• Ashley Madison, the online personals and dating destination for married people looking to have extramarital affairs, had 32 million of its customer records posted publicly. As for the motivation, those who claimed responsibility for the hack, the “Impact Team,” stated it was a matter of morals. However, all is not necessarily as you would think. The company that owns the site promised to delete customer data from the site for a fee of $19, which the company failed to do.
• The Hacking Team is an Italian cybersecurity company that builds security solutions for law enforcement agencies, and it was hacked in 2015. Following the announcement of the hack, it was learned that the company built and sold software that is capable of spying on users of iPhones and iPads, as well as Skype, WhatsApp, and Viber conversations. The motivation is speculated to be retaliation.
• The VTech hack really puts the nontraditional target into perspective, with hackers stealing the personal information of millions of children (including their pictures) and personal information of their parents. This hack and data breach truly hits home and demonstrates that as we bring technology into our innermost personal lives through our homes, we are placing a lot of trust in the businesses that produce the products.
What have we learned in hindsight from the 2015 hacks and data breaches? That no matter who you are, or what your business is, you may be a target.
The important thing is to recognize the potential risk to your business with a “risk profile” and begin to identify how best to protect your business. It may seem like a daunting task, and it may be, if you don’t prioritize according to risk. It’s like protecting your home: In order to protect it properly, you want to start with the basics, such as using a lock and/or deadbolt on your doors. If you live in the city or a higher-than-average risk area, you may consider a dog or a security system for extra protection.
Protecting your business needs the same approach. Start with the basics by applying best practices, such as good password management for your systems and applying patches as they come out. Then understand the “neighborhood” in which you reside on the Internet. What extra precautions do you need to put into place? If you are not sure, I would highly recommend that you have someone come in and perform a risk assessment. It’s not as expensive as you think, and it will save you money in the long run by prioritizing your safeguards and identifying your “biggest bang for your buck.”
The most important thing for us to learn from 2015 is that we need to do something. Ignoring the risks will not make them go away.
Candy Alexander is a New Hampshire-based cybersecurity consultant and a member of the board of directors of the Information Systems Security Association.