Though all vastly different in scale and impact, the breaches at the Office of Personnel Management (OPM), Sally Beauty Supply, Starbucks, Anthem, Adult Friend Finder, and Penn State teach valuable lessons and reminders about security vulnerabilities and the need to do more to protect against attackers.
When data has been stolen, the breached organizations are in the spotlight. As they try to do damage control, those who have yet to fall victim to invasion wonder how they can avoid future public scrutiny.
"A lot of these breaches don't teach us, they remind us of things. There are few novel things in breaches. Most breaches are same old, same old: security is poor," said Jonathan Sander, strategy and research officer at STEALTHBits Technologies.
Sander also noted, "From a PR perspective, security is a losing game. No one will ever congratulate you for prevention, but everyone will flog you for failure." In order to barricade themselves during flogging, organizations queue the protocols, drop the blinds, and close the gates once they've been breached.
I reached out to several companies who have recently been breached, and repeatedly I received a kind note explaining that no one was available to speak to me. It felt like one of those dark family secrets that everybody knows about but no one will actually discuss.
Corporations are no different from families when it comes to protecting their reputations. To their credit, several of those recently breached are taking all the right steps. Penn State, Sally Beauty Holdings, Adult Friend Finder, and Anthem have all posted press releases outlining their responses to the attacks, which include bringing in third-party forensics and legal counsel.
If the scope and depth of the OPM breach confirm anything about information security, it is this: "It reminds us that any time documents flow back and forth, you have a very heightened risk that demands special attention," Sander said.
Starbucks serves as a stark reminder that end users don't protect their passwords. "In the case of Starbucks, the hackers got known password and email combinations," said Sander. If people use the same password on a trivial chat site as they use for their bank, then a leak from the weakest site exposes every other account that shares those credentials.
"Users treat security of their own data haphazardly. Users need to take responsibility," Sander said.
Human error on the user end is not the only gateway for criminals to hack into a network, so companies need to focus on risk assessment to effectively plan for prevention, detection, and response. "There is no way to understand all the ways something can be breached," Sander said, "because the ways to be exploited are far greater."