Cybersecurity Breaches: Why Do Organizations Still Allow Themselves to Remain Vulnerable?
By Susan Hoffman
Note: This blog article was originally published on InCyberDefense.
In the past few years, some major hacks have cost companies millions of dollars. For example, the 2013 Target hack cost the giant retailer an estimated $248 million. In addition, the hackers gained personal information on 70 million Target customers and 40 million credit and debit cards.
Home Depot experienced a similar hack in 2014, costing the company up to $263 million in expenses, including the cost of an investigation, legal costs, and providing customers with credit monitoring and identity protection services. The Home Depot hackers also managed to take 53 million customer email addresses and 56 million customer credit and debit card accounts.
Earlier this year, hackers penetrated Equifax, one of the three main credit reporting bureaus, and stole the personal information of over 143 million consumers. The final cost of that breach is still being determined, but is likely to be in the tens of millions of dollars.
Equifax then compounded its security problems. It did not disclose the hack to the public until September 2017, and it invited consumers to a website where they could check whether the hack affected them.
Unfortunately, a cloned version of that Equifax site existed, and it was so convincing that an Equifax employee was sharing it. One of the people managing Equifax’s Twitter account accidentally sent users the link to the cloned site for several weeks. Also, the original Equifax website should have had sufficient safeguards to prevent it from being cloned.
There is ample evidence that companies that fail to protect themselves against hackers seeking data, money or bragging rights suffer considerable financial losses. Despite the news covering these massive security breaches, some organizations still fail to protect the information entrusted to them.
The Complicated Factors behind Security Breaches
Preventing a hack is complex because hackers use multiple ways to attack you. For example, a hacker can:
- Secretly install keylogging software or ransomware in computers
- Take down a site or server in a Distributed Denial of Service (DDoS) attack
- Set up a fake Wi-Fi hotspot in a public place, such as a coffee shop or library
- Trick you into clicking on a link in an email or direct message that leads you to a spoof site that gathers information from you
- Cause you to unwittingly download malware on your computer or mobile device
In addition, some companies don’t want to go to the expense of keeping their software updated or training employees to recognize hacker penetration attempts. There is a general attitude of “it couldn’t happen to us.”
But according to the FBI, any organization that holds personal or financial data is vulnerable to an attack. Those organizations include hospitals, school districts, state and local governments, law enforcement agencies, and small and large businesses.
What Else Can We Do to Prevent Costly Data Breaches in the Future?
Some of the cybersecurity fixes are obvious. For instance, more money needs to be allocated to keeping anti-virus software updated.
In addition, companies need to devote more time to training employees from C-level to front-line personnel to recognize and stop hacking attempts. Because cyber threats constantly evolve, education and training are vital in helping organizations to prevent hacks or recover from hacks.
But there are other preventative measures organizations can take. For example, data vendors should be thoroughly screened to ensure that they act as another barrier to hackers. In the Home Depot case, the attackers used the logon credentials from a third-party vendor to penetrate the Home Depot corporate environment, according to writer Brett Hawkins in a 2015 white paper for Maryland’s SANS Institute.
Also, cybersecurity experts within an organization must improve their communication skills so that C-level executives and boards of directors clearly understand the immense cost and scope of cyber threats.
In a 2015 In Homeland Security interview, cybersecurity expert John Felker said, “It’s incumbent upon us [cybersecurity experts] to talk about those threats in terms that the CEO can understand – as it impacts the bottom line or their ability to conduct missions. This is not an easy thing to do. But better communication drives resource allocation and strategic planning and reduces an organization’s cybersecurity vulnerabilities.”
Finally, any hack should be studied in depth to determine what happened and what lessons can be learned from the hack to further improve the field of cybersecurity knowledge. As technology such as biometrics continues to improve, it too could be harnessed to provide an extra layer of security.