Avoid data breaches and keep the cyber thieves at bay

Not even the NSA has managed to keep its network and data secure in 2014

If you want to find out how hard it is to avoid becoming victim of a data breach, just ask the NSA.


Thanks to whistleblower Edward Snowden, the US spying agency has had a really bad year at a time when records for data breaches were being set and broken on a regular basis.

Target, eBay, Adobe, Valve software, Sony and many, many other firms both big and small have all been hit too. Going amiss was customers' personal data including login names, passwords and credit card numbers. Some of those firms lost tens of millions of data records.

Those breaches have real consequences - both for executives and profits. Target boss Gregg Steinhafel resigned in May largely because of the fallout from the breach it suffered last year.


And eBay has revised its estimate of how much revenue it will make in 2014 because of the "immediate and dramatic effect" the breach had on sales carried out through the auction site.

And just ask lots of US tech companies about the after-effects of Snowden's leaks. There's no doubt it has cost them contracts and goodwill in Europe.

Attack pattern

"It's not that the defenders are bad at their job," explains Anthony Di Bello, a spokesman for data forensics firm Guidance Software. "It's more that they are being overwhelmed.

"A security team has to be right 100% of the time to keep the attackers out, but the attackers can try hundreds and thousands of times a day."

eBay experienced "several distractions" in the second quarter, including a data breach

Evidence suggests they do. Consider for a moment just one category of digital threat - malware. Figures released by security firms reveal they see more than 250,000 novel strains of malicious software every day.

"Don't ever assume it's never going to happen to you," says Mr Di Bello.

The staggering number of ways that cyber thieves try every day to get at the good stuff inside the databases of companies should be sufficient warning, says Rowland Johnson from security testing and compliance firm Nettitude.

Yet, he says, many remain complacent.

"Many organisations just do not believe a data breach will happen to them, so when it does happen it's a real shock."

Attackers stole millions of credit card numbers from point-of-sale devices at Target tills

Recipe for disaster

Companies should prepare for the worst, says Mr Johnson, adding that adopting such a stance radically changes how they marshal their digital defences.

In the good old days, he says, all a company had to do to keep data and employees safe was defend its border. Good anti-virus, email scanning, spam filters and firewalls were just about enough to stay safe.

Now? Not so much.

Company borders have become permeable and almost impossible to define thanks to e-commerce, which means suppliers and customers have deep links to the systems inside the heart of a corporation.

Add to this employees who use their phones, tablets and laptops at home, work and on the move and you have a recipe for disaster.

Anyone can fall victim to hackers and cyber thieves

Assuming that a breach is likely means accepting the truth about those porous networks and putting in place systems that help cope with that.

Top of the list is improvements to internal monitoring systems that keep an eye on who does what inside a company.

"The biggest challenge organisations have is that they do not keep enough information about what's going on in their network," he says.

Have a plan

Putting in place network monitoring and intrusion detection systems has a three-fold benefit.


Firstly, it should help spot the bad guys much more quickly as they make their way around a network.

Statistics show that most victims of data breaches take a long time, often months, to spot they have been compromised. And, suggests Verizon's authoritative annual Data Breach Investigations Report, companies usually hear about breaches first from customers and law enforcement agencies rather than their own security teams.

Secondly, this monitoring system should help after the breach to determine what went wrong. Nettitude does a lot of incident response work, says Mr Johnson, and it always helps to have good records.

"If they don't have the logs they need to conduct a forensic investigation it's exceedingly difficult to work out what happened when," he says.

Thirdly, that internal focus can help companies enforce the policies and practices that limit any damage done from a breach. It's far better to lose passwords or credit card details that were properly encrypted or hashed and salted than it is to lose a plain text file.
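The difference between losing "a plain text file" and losing properly salted and hashed passwords is easiest to see side by side. The following is an added example, not code from the article or from any of the firms it quotes; the user names and passwords are constructed for the demonstration, and the choice of PBKDF2-HMAC-SHA256 with a per-user random salt is one standard way of doing what the article describes, not a recommendation taken from the page.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not real accounts). They stand in for the
# records a thief would read out of a stolen user table.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "Summer2014!",
    "carol": "Summer2014!",   # deliberately the same password as bob
}

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def store_plaintext(users):
    """The 'plain text file' case from the article: the record *is* the secret."""
    return dict(users)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh 16-byte random salt per user means identical passwords produce
    different records, so one precomputed table cannot crack the whole dump and
    every record has to be attacked separately.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def store_hashed(users):
    """The hardened store: only salted hashes are ever written to disk."""
    return {user: hash_password(pw) for user, pw in users.items()}


def directly_readable(table, users):
    """How many passwords a thief can read straight out of a stolen table,
    with no cracking effort at all."""
    return sum(1 for user, pw in users.items() if table[user] == pw)


if __name__ == "__main__":
    plain = store_plaintext(SAMPLE_USERS)
    hashed = store_hashed(SAMPLE_USERS)
    print("plaintext store exposes", directly_readable(plain, SAMPLE_USERS), "of", len(SAMPLE_USERS))
    print("hashed store exposes   ", directly_readable(hashed, SAMPLE_USERS), "of", len(SAMPLE_USERS))
    print("bob and carol share a password but not a record:", hashed["bob"] != hashed["carol"])
    print("login still works:", verify_password("Summer2014!", hashed["bob"]))
```

The iteration count is stored inside each record so it can be raised later without invalidating existing users: on a successful login the record can simply be rewritten at the new cost. Note that this protects passwords only; card numbers, which must be recovered rather than merely verified, need encryption with properly managed keys instead of hashing.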

The best way to handle a data breach starts a long time before data starts to go astray, he says.

Watching what's happening on your network can help if, and when, the bad guys come calling

Preparation should involve regular penetration tests by companies that copy the methods of the bad guys. Running mock incidents will also help people cope if and when a breach comes to pass.

"Have a plan up front," he says. "The last thing you want to do is be winging it after the event."

Such testing can show up vulnerabilities in people, processes and IT systems and help companies do something about them before the real bad guys turn up.

Public exposure


"That preparation is hugely effective in dealing with an incident once it's occurred," says Paul Pratley, investigations manager for Verizon, who helps firms handle breaches.

"Companies should plan for when an incident occurs and put in place the security controls to detect and cope with it."

If the worst does happen companies should take steps to preserve data, hopefully gleaned from those internal monitors, and then start investigating what went wrong.

This investigation, he cautions, should be done on copies of live data, not on the actual bits and bytes logged day by day.
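What "working on copies" looks like in practice is a short preservation step before any analysis begins. The code below is an added example, not from the article or from Verizon: it takes a log file, makes a working copy, records a SHA-256 of both so the copy can be shown to match the original, and then refuses to analyse the copy if it is later altered. The log lines are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample log lines, standing in for the live records the article
# says should be preserved rather than analysed in place.
SAMPLE_LOG = b"""2014-11-03T02:14:07Z auth sshd[4121]: Accepted password for backup from 10.0.5.22
2014-11-03T02:14:09Z auth sudo: backup : TTY=pts/1 ; COMMAND=/bin/tar cf /tmp/db.tar /var/lib/db
2014-11-03T02:15:41Z auth sshd[4121]: Disconnected from 10.0.5.22
"""


def sha256_of(path):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(source, evidence_dir):
    """Copy `source` into `evidence_dir`, hash original and copy, and return the
    copy path and hash only if the two match. The original is only ever read."""
    os.makedirs(evidence_dir, exist_ok=True)
    original_hash = sha256_of(source)
    copy_path = os.path.join(evidence_dir, os.path.basename(source) + ".copy")
    shutil.copyfile(source, copy_path)
    copy_hash = sha256_of(copy_path)
    if copy_hash != original_hash:
        raise RuntimeError("copy does not match original; do not analyse it")
    os.chmod(copy_path, 0o440)  # working copy is read-only from here on
    with open(copy_path + ".sha256", "w") as f:  # sidecar record of the hash
        f.write(f"{copy_hash}  {os.path.basename(copy_path)}\n")
    return copy_path, copy_hash


def analyse(copy_path, expected_hash, account=b"backup"):
    """Work on the preserved copy: refuse if it no longer matches its recorded
    hash, otherwise return the lines mentioning `account`, in logged order."""
    if sha256_of(copy_path) != expected_hash:
        raise RuntimeError("evidence copy has been altered")
    needle = b" " + account + b" "
    with open(copy_path, "rb") as f:
        return [line.decode("utf-8").rstrip("\n") for line in f if needle in line]


def demo():
    """Run the workflow on the constructed sample inside a temporary directory."""
    with tempfile.TemporaryDirectory() as work:
        live_log = os.path.join(work, "auth.log")
        with open(live_log, "wb") as f:
            f.write(SAMPLE_LOG)
        before = sha256_of(live_log)
        copy_path, copy_hash = preserve_evidence(live_log, os.path.join(work, "evidence"))
        events = analyse(copy_path, copy_hash)
        # Simulate someone editing the working copy after the fact.
        os.chmod(copy_path, 0o640)
        with open(copy_path, "ab") as f:
            f.write(b"2014-11-03T03:00:00Z auth note: edited by hand\n")
        try:
            analyse(copy_path, copy_hash)
            tamper_detected = False
        except RuntimeError:
            tamper_detected = True
        return {
            "original_unchanged": sha256_of(live_log) == before,
            "events": events,
            "first_event": events[0].split(" ")[0],
            "tamper_detected": tamper_detected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sidecar `.sha256` file is what lets a later reviewer confirm the copy is still the one taken at the time; in a real engagement the same hash would also be written into the case notes, and the original would be imaged rather than copied file by file.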

And then the hard task of communicating with customers can begin. Even then, he says, having a plan can help to reassure people that a company has not been caught napping.

As soon as possible companies should pass on information about what was lost, what they did to stop it happening and what customers need to do to stay safe.

"Public disclosure should be handled very carefully," says Mr Pratley. "Do not embellish or sugarcoat the messages."

And, he adds, there is one message that should be obvious given how many breaches there have been and what has happened in their wake.

"Everyone should understand how bad it is going to get if they do nothing."

Copyright © 2015 BBC.