Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

Beating business breaches

Beating business breaches 

Several large corporations learned the hard way that without a proper defence strategy in place, security breaches are more likely to occur. JP Morgan took note of this, and subsequently made a huge investment into digital security, shelling out $250 million to ensure that their sensitive corporate data remained under wraps.

However, unlike JP Morgan, most companies cannot afford such a hefty price tag for protection. But there is hope for smaller businesses with tighter budgets. As security architect David Lam explains, there are some solutions that won’t force SMBs to break the bank.

“It has to be managed like every other critical business function, like sales or operations,” says Lam.

To better illustrate this point, Lam highlighted a recent example of a security downfall suffered by a prominent international hotel chain.

“There was a huge flaw in Hilton’s coding where if you logged into an account and you were a member and knew a Hilton Honours number, you could see any account holder’s information, change the password, transfer the (reward) points and send yourself the debit card number,” Lam says.

Rather than using a user-generated password to log in, Hilton Honours members accessed their accounts with four-digit PINs instead. This, says Lam, was the key flaw that allowed their members’ accounts to become compromised.

“Hilton didn’t do some of the things that are considered standard practices in security, one of which was the fact that they didn’t use any sort of password for the accounts. Instead, they used a four-digit PIN,” he says. “All you would need to do is keep guessing that four-digit PIN, and you would eventually get in, as there are a limited number of possible combinations.”

Mistakes like this one can prove very costly for major corporations. If one person can figure out a PIN or change a password or rewards program number at will, they will gain access to thousands of accounts almost instantly. Businesses can’t afford to shoulder widespread security breaches like this, which is why Lam believes they should implement a series of standard protection procedures.

“The first thing to do is ensure that there is someone in charge and responsible. If no one is in charge and able to respond to these issues, everything will fall apart,” says Lam.

“The second thing is to introduce an information security management system. It starts with ensuring that your programs, operating system and apps are patched, and it goes down to when you place code on the Internet, you should use an established process to make sure it’s secure. This is called a secure software development life cycle.”

In addition to being a data defence issue, attacks can also have a significant financial impact on enterprises. Productivity and profit are often lost to extended periods of downtime, and the hiring of third-party firms to combat security threats can also become a hefty expense.

“When you bring in companies to respond to an incident, it can cost tens of millions of dollars,” Lam says. “It can be outrageously expensive to mitigate. You have to have someone go in and figure out who’s in your network, what they are doing, how they got in, and how you can prevent them from coming back. And that ranges from small businesses on up.”

The financial consequences of attacks can be so severe, they can sometimes force smaller businesses and start-ups to shut down outright.

“A recent study showed that approximately 60 per cent of companies that were hacked went out of business within six months,” says Lam. “Small businesses account for about 30 per cent of those hacked, and when they get hacked, there is not enough (money) to pay for $10 million worth of solutions.”

In addition to putting up a strong defence and keeping an eye on the books, businesses also need to ensure that they can protect themselves against some of the most common types of cyber attacks.

“The most common attacks right now are phishing and watering hole attacks. A phishing attack is a piece of malware that comes in an email, and these are very difficult for anti-malware software to detect because there are tens of thousands of new malware variants created every day,” says Lam.

“A watering hole attack is where the hacker looks at the websites a company visits most often, and places malware on one or more of them. That becomes a very large threat because if I’m (logged) in with my credentials, and I have access to a company’s bank accounts, I can order things online or get company financials or trade secrets because I’ve got full access to whatever that user has on their workstation or laptop.”

When it comes to weathering attacks, there’s always strength in numbers. As a result, Lam believes that collaboration and information sharing can help businesses to stay two steps ahead of hackers.

“I think we are coming to a time of more information sharing. The NIST cyber security framework has some great guidelines on how people can collaborate together and really improve the security of their networks,” he says.

“I think IT professionals are just starting to understand more about security and cloud services are evolving rapidly to provide better security. We are making more progress towards securer systems as people are becoming more aware of underlying digital threats.”

Related posts