With the news that broke about Bell Canada succumbing to another hack on January 23 of this year, it really is a stark reminder for all. Especially is it a critical reminder for all business owners and directors alike who must take seriously the need to have exceptional IT security protecting their company and customers.
This attack was reported to have affected just less than 100,000 of their customers without their having full knowledge of and to the extent to which information that was stolen. What they did know was that the information obtained in the latest breach included details such as names, email addresses, account usernames, and numbers, as well as phone numbers.
And this is not the first time this has happened. It was reported in May 2017 that Bell Canada’s systems were hacked. The hackers evidently stole 1.9 million email addresses and approximately 1,700 names and phone numbers from an internal database.
In both cases, it was unknown if payment information, in the form of bank account numbers or credit card numbers, were taken also. Even so, can you imagine the dangers that still exist should a hack expose customer contact details? Previously hacked websites have proven to have exposed their customers to cases of fraud with social engineering and phishing scams. Large batches of email addresses that are confirmed as active are worth thousands of dollars on the dark web, as it gives hackers the ability to accurately and cleverly phish private information from each of the harvested clients.
When a company inadvertently leaks or otherwise improperly secures information about their customers, they are effectively handing it over directly to the hands of the hackers. This calls into question the very reputation of the company who was compromised. Let’s look at some examples.
The Hacks
Think for a moment about industry names, such as Target, Sony Pictures, or Equifax and what resulted from their hacks.
Target leaked contact and credit info for 70 million of their customers in the hack of the 2014 holiday season. In an effort to re-establish trust with the end consumer, they offered one year of free credit monitoring and identity theft protection to all customers who shopped in U.S. stores. They ended up settling in US courts for $18 Million in a class action lawsuit and were ordered to improve and train their employees in ITsec corporation-wide. Target reported that this hack had cost them some $202 million overall.
In 2014, Sony Pictures reportedly lost 100 terabytes of data to hackers. This resulted in embarrassing revelations of internal operative
and administrative abuses, which lead to senior executive resignations and many embarrassing apologies. Not to forget that they evidently lost somewhere in the neighborhood of $100 million from films being released to the public over the internet
and from their stocks suffering on the open markets.
In the most scathing of the reports, and just this past year, Equifax had reportedly been hacked in July resulting in the personal and credit information of 143,000,000 American citizens and up to 100,000 Canadian citizens being stolen. That was not the only problem. Before finally reporting the hack to authorities in September, executives within Equifax sold off $1.8 million worth of company shares, essentially staging a massive insider trading scheme.
The Results
Each of the above-mentioned companies has national and global reach with billions of dollars in sales. Yet, their expansive in-house IT professionals all the way to their senior executives did not take the necessary steps to prevent the hacks from occurring. Target apparently had found the issue in an internal audit before it became a nightmare, but executives chose not to move on repairing the problem until after the fallout. Sony had opened themselves up to implementing mobile devices within their company’s large workforce but did little to protect and encrypt them. Equifax had apparently implemented lax website security with mixed port 80 and 443 traffic, possibly from offshoring their security to one of their global offices.
Many ensuing public relations headaches and financial problems result from not securing data properly, worst of them being the smearing of a company’s reputation. Steps must be taken to avoid these attacks, even at relatively high initial costs. This is because the resulting costs for the clean up of a hack will always be far more expensive than the initial cost to secure it. Unfortunately, many businesses both large and small find this out the hard way.
The Solution
The issue really is then, that for whatever it is that you are trying to secure, you need to have two eyes on it. Just as dual factor authentication, redundant servers, or offsite backup systems offer a dual-pronged approach, business leaders need to understand the importance of having multiple layers of security and multiple parties securing it.
Your in-house IT team can lock down most of which you have, but it is most recommended to have another approved third-party vendor hired to review, test and otherwise attempt to find weaknesses by exerting stress on a system regularly. And once that process and report are complete after each successful attempt, IT teams and management need to work together to bring these issues to the attention of the board or to the owners with the solution and budget of how they can repair the problem. Finally, board members and owners alike must heed the caution of their own IT and management teams who are there to protect their interests.
Without these steps, it will only be a matter of time before a company succumbs to another hack. That is why Cloud9 Solutions offers Security Consulting as a Service to all businesses and companies in order to strengthen their IT security. From an initial security assessment with ongoing reviews to improvement work and IT security compliance checks, our security consultants are available to make sure that you are ready for an attack on your systems. We hope that you will be ready!