Cybersecurity is not a new topic, but the number of incidents is increasing year over year. According to the Identity Theft Resource Center, the number of U.S. data breaches hit a record high in 2017 with a total of 1,579 breaches, demonstrating a 44.7% increase over 2016. By the beginning of December 2018, the number of breaches had reached 1,138 with an estimated 561,782,485 records exposed. Clearly, the need to evolve existing cybersecurity strategies is more crucial than ever. Examining the shortcomings that resulted in high-profile cyber incidents can teach us several cybersecurity lessons.
The attack: Brian Krebs broke a story that Panera Bread leaked millions of customer records. The journalist received the tip from Dylan Houlihan, a security researcher who had discovered that Panera’s website was releasing plaintext customer data, including names, emails and digits of payment cards. Houlihan attempted to report the vulnerability directly to Panera’s information security team in August 2017; his report was dismissed by the company as a scam. The story broke eight months after Panera received the initial tip, which led to Panera taking their site offline to patch the issue. It’s estimated that 37 million customer records were compromised.
Lesson learned: Most recognize the importance of having a cybersecurity strategy. Panera has an entire department designated to it. This incident highlights that even with information security controls in place, you are still at risk if they fail to work properly. Regularly reviewing those controls, including testing your software development lifecycle, can improve your team’s security awareness and reduce the risk that your web applications are live with potentially critical vulnerabilities. Third parties take testing a step further as they can uncover shortcomings not obvious to your development or security team. They can also create specific remediation plans to address any gaps. At a minimum, plan to conduct tests on internal and external facing applications to account for hacker sophistication and technology development.
The attack: Delta Airlines outsources components of customer service to 7.ai, an online chat services platform. 7.ai alerted Delta that they had experienced a data breach, forcing Delta to notify thousands of customers that their information had been exposed. They revealed that customer payment information may have been accessed but assured customers that personal information such as passport, government ID or SkyMiles information was not impacted. Retailers Best Buy and Sears Holding Corporation later announced that their customers may also have been affected by this breach.
Lesson learned: Your cybersecurity strategy is only as strong as the third-party vendors on which you rely. The breach occurred on 7.ai’s end, but it’s the responsibility of companies using their services to ensure that 7.ai’s security controls meet their standards. Do your vendors’ security protocols meet or exceed your standards? Depending on your customers and types of data you collect, consider working with vendors who have had SOC 2, Type 2 performed by a licensed CPA firm, are ISO 27001 certified, are PCI DSS and HIPAA compliant, or are HITRUST Certified. You can delegate duties to outside vendors, but you can’t delegate the responsibility of securing your customers’ information.
The attack: In late 2015, hundreds of thousands of Facebook users were paid to take a personality test through an integrated app called “thisisyourdigitallife.” Built by Aleksandr Kogan, a Cambridge University academic, the app was claimed to be for psychology research. The tests collected information from opted-in users such as the city they lived in and the content they interacted with. It went further and harvested this information from friends of the opted-in users with low privacy settings who had never opted in themselves. The data was shared with Cambridge Analytica, a firm that performed analysis services for political campaigns and organizations. They analyzed the data to identify voter personalities and influence behavior. This use breached Facebook’s platform policies, and once alerted Facebook admitted to users that their information may have been compromised. Facebook was scrutinized, however, because it took limited steps to secure the data and ensure that the leaked information was destroyed. It is estimated that 87 million Facebook users were affected.
Lesson learned: When customers release their sensitive information to you, they trust that you have the procedures in place to protect them. While Facebook had platform policies, they were ultimately violated by a partner application. This highlights the importance of having incident response and crisis communication plans in place. Your strategy should account for the reality that something might happen and include steps to maintain operations when it does. Important components include identifying key individuals, steps to respond and recover from the incident, and internal and external communications protocols. Employees need to know how this affects their work environment, and customers will want to know how this affects their information. Take into consideration any required breach notification procedures.
Consider covering yourself further with a cyber liability insurance policy. These policies address two critical risks: first, the liability risk to you if sensitive information is compromised and second, the substantial cost of notifying customers, credit monitoring, fines, legal fees and forensics. Your policy should work as an extension of an incident response plan and not replace it.