The Ashley Madison data breach has rocked the world and dominated media headlines for weeks. The leak of Ashley Madison account data was the culmination of a month-long digital stand-off between the company behind the extra-marital affair dating site and a hacktivist group called the Impact Team.
The average data breach costs Australian organisations $2.8 million[i], on top of the long-term impact on shareholder value and brand image. According to Trend Micro’s 2014 security roundup report, companies suffered financial, legal, operational, and productivity losses after getting hit by massive data breaches.
The Ashley Madison attack has already proved the crippling reputational effects and additional costs associated with data breaches. Ashley Madison founder and CEO, Noel Biderman, has resigned amid the hacking scandal, and reports have surfaced that customers are already suing the company.
What the Ashley Madison hack means for Australian businesses
The Ashley Madison leak has shown that many organisations are not ready to deal with a data breach, either by preventing one in the first place or managing one after it’s occurred. This is problematic given the real-world implications of data breaches.
The severity and effects of this attack show that the risk of becoming the next victim of a cyberattack has risen. These kinds of cyberattacks can happen to companies in any industry and of any size.
Across Australia we have already seen an eightfold increase in enquiries this year after analysts forecast another big year for data breaches. With so many high-profile attacks in the past 12 months, organisations are beginning to recognise that prevention is cheaper than a cure.
Merely dealing with threats as they surface is no longer enough; acting on risk assessment results prior to security incidents is actually more beneficial. Australian organisations need to rethink their current cybersecurity strategy so they can easily respond to and mitigate attacks.
It is critical for organisations to plan ahead so they can take action immediately. Attackers are both tenacious and persistent in stealing data and intellectual property. To deal effectively with this reality, organisations in Australia need the ability to detect unexpected and previously unseen attacks, and indications of attacker behaviour, across every corner of their networks.
Mitigating the risks
All in all, mitigation is a combination of identifying what’s most important, deploying the right technologies and educating users.
In an ideal scenario, security measures against data breaches should be put in place before such incidents occur. For example, organisations should assess the type of data that they ask from users. Do they really need certain specifics beyond contact and financial information? Even non-essential nuggets of information can be seen as sensitive — especially when used as building blocks to complete a victim’s profile.
Encrypting sensitive information and restricting access to it goes a long way in mitigating possible intrusions, especially from internal hackers. Some have speculated that the Ashley Madison breach was an inside job; if that were the case, stricter access control could have made it harder to get the data.
When it comes to data breaches, it is no longer an issue of ‘if’ but ‘when.’ So even with these preventive measures in place, organisations should assume that there is an intruder in the network. With that thought, continuous monitoring of systems should be implemented to look for suspicious activity.
With all this in mind, organisations need to deploy a concrete multi-layered defence system as a proactive step against data breaches, as follows:
- Regularly test websites and applications for the critical security risks in the Open Web Application Security Project (OWASP) top ten vulnerabilities list.
- Deploy web application firewalls (WAF) to establish rules that block exploits, especially while patches or fixes are still underway.
- Deploy data loss prevention (DLP) solutions to identify, track, and secure corporate data and minimise liability.
- Deploy a trusted breach detection system (BDS) that not only catches a broad spectrum of web-, email- and file-based threats, but also detects targeted attacks and advanced threats.
If you do find your organisation has suffered a data breach, there are a few initial steps to take. Firstly, you need to confirm that a breach did occur. Customers and victims should learn of the breach from your organisation, never from the media. Organisations then need to be open and honest about the details of the breach, stating everything that is currently known about the incident – such as the time it occurred – and keep their customers updated as more information arises.
[i] Ponemon Institute, 2014 Cost of Data Breach Study: Australia.