This year has been filled with numerous mega breaches that can serve as a wake-up call for organization executives when it comes to risk management and data security’s role within the enterprise. Ashley Madison’s breach is another one of those instances.
Although some of the coverage of breach incidents seems to shame organizations for their lack of security, the headlines need to be catchy to grab the attention of the higher-ups; the true value of the articles lies in the shared insights into what went wrong with the security of the organizations that were breached. It’s a way for the CIO, CEO, and board to know what they must stop doing if they’re going to secure their environment and sensitive data.
When it comes to the Ashley Madison breach, here is what business executives can learn about the dangers of a breach and about data security as a whole:
- Publicly posted customer data is exactly what spear phishers can use to attack the networks of organizations. When Ashley Madison customers receive an email about the breach containing a link or a downloadable document, it is very likely that they will click the link or download the document. When that email is really being sent by a hacker intent on stealing data, their computer will likely be infected with malware, opening the way into whatever network they’re using, even a corporate network.
From this scenario alone, which is probably already playing out for Ashley Madison customers, there are quite a few actions organizations can take to secure their own data. Two that stand out are data breach planning and employee data security training.
When breached, a company should think carefully about how it plans to inform its customers. Email is obviously one of the worst ways, because it is the first route malicious attackers will take to try to extend their reach into a corporate network.
- Thoroughly think through your organization’s post-breach actions when you’re creating your risk management plan.
Employee data security training
If your employees use a site or shop at a store that has been breached (like Target) and they use their corporate computer or device to check their email, knowing not to click a link or download a document just because the email seems legitimate is something they might not think about on their own.
- Employee data security training is essential for employees to understand what to do, and what not to do, when a company or non-company related breach occurs. Employees are not information security experts; they’re not thinking about email links and downloadable documents the way a CIO looks at them.
When it comes to phishing attacks, the Verizon 2015 Data Breach Investigations Report found an increase in phishing email recipients opening these emails and clicking on attachments. Those findings dealt with regular phishing, which suggests that spear phishing attacks tailored to individuals are even more likely to succeed in getting recipients to open the email and click the link or attachment.
If organizations are going to secure their environment from breaches and post-breach consequences, like the ones taking place after Ashley Madison’s recent breach, they must improve their overall data security posture. This type of implementation doesn’t stop at breach planning or employee security training programs; it requires a holistic view and ongoing effort.
How far is your organization from implementing a holistic security posture that can save your business?
Photo courtesy of Sergey Nivens