5 Steps to Website Security

Website security is more important than ever. Cyber criminals are constantly looking for improperly secured websites to attack; therefore, it is essential to secure servers and the network infrastructure that supports them. The consequences of a security breach may include loss of revenue, damage to credibility, legal liability and loss of customer trust.

Web servers, which host the data and other content available to your customers on the Internet, are often the most targeted and attacked components of a company’s network. By securing your Web server, you protect customers and prospects that use your company website. The following are examples of specific security threats to Web servers:

  • Cyber criminals may exploit software bugs in the Web server, underlying operating system or active content to gain unauthorized access to the Web server.
  • Denial-of-service attacks may be directed at the Web server or its supporting network infrastructure to prevent or hinder your website users from making use of its services. This can include preventing the user from accessing email, websites, online accounts or other services. The most common attack is flooding a network with information, so that it can’t process the user’s request.
  • Sensitive information on the Web server may be read or modified without authorization.
  • Information on the Web server may be changed for malicious purposes.
  • Cyber criminals may gain unauthorized access to resources elsewhere in the organization’s network with a successful attack on the Web server.
  • The server may be used as a distribution point for attack tools, pornography or illegally copied software.

Take the following five steps to protect your company from the threats listed above.

Step 1: Form a plan and utilize the right people.

Because it is much more difficult to address security once deployment and implementation have occurred, security should be considered from the initial planning stage. Businesses are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan. Developing such a plan will support Web server administrators in making the inevitable trade-off decisions between usability, performance and risk.

Make sure to define appropriate management security practices, such as identification of your company’s information system assets and the development, documentation and implementation of policies, as well as guidelines to help ensure the confidentiality, integrity and availability of information system resources.

Businesses also need to consider the human resources requirements for the deployment and continued operation of the Web server and supporting infrastructure. Consider the personnel you will need on your team—for example, system and Web server administrators, webmasters, network administrators and information systems security personnel. Additionally, consider the level of training (initial and ongoing) that will be required to maintain this team.

Step 2: Ensure that Web server operating systems and applications meet your organization’s security requirements.

When securing a Web server, you must first secure the underlying operating system. Most Web servers operate on a general-purpose operating system. Many security issues can be avoided if the operating systems underlying Web servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions and ease of use at the expense of security. Because manufacturers are not aware of each organization’s security needs, Web server administrators must configure new servers to reflect their business’ security requirements and reconfigure them as those requirements change. Make sure to take the following steps as appropriate to your business:

  • Patch and upgrade the operating system.
  • Change all default passwords.
  • Remove or disable unnecessary services and applications.
  • Configure operating system user authentication.
  • Configure resource controls.
  • Install and configure additional security controls.
  • Perform security testing of the operating system.

Step 3: Publish only appropriate information.

Company websites are often one of the first places cyber criminals search for valuable information. Still, many businesses lack a Web publishing process or policy that determines what type of information to publish openly, what information to publish with restricted access and what information should not be published to any publicly accessible repository. Some generally accepted examples of what should not be published, or what should at least be carefully examined and reviewed before being published on a public website, include the following:

  • Classified or proprietary business information
  • Sensitive information relating to your business’ security
  • A business’ detailed physical and information security safeguards
  • Details about a business’ network and information system infrastructure—for example, address ranges, naming conventions and access numbers
  • Information that specifies or implies physical security vulnerabilities
  • Detailed plans, maps, diagrams, aerial photographs and architectural drawings of business buildings, properties or installations
  • Any sensitive information about individuals that might be subject to privacy laws

Step 4: Prevent unauthorized access or modification on your site.

It is important to ensure that the information on your website cannot be modified without authorization. Users of such information rely on its integrity. Content on publicly accessible Web servers is inherently more vulnerable than information that is inaccessible from the Internet, and this vulnerability means businesses need to protect public Web content through the appropriate configuration of Web server resource controls. Examples of resource control practices include the following:

  • Install or enable only necessary services.
  • Install Web content on a dedicated hard drive or logical partition.
  • Limit uploads to directories that are not readable by the Web server.
  • Define a single directory for all external scripts or programs executed as part of Web content.
  • Disable the use of hard or symbolic links.
  • Define a complete Web content access matrix identifying which folders and files in the Web server document directory are restricted and which are accessible, and by whom.
  • Disable directory listings.
  • Deploy user authentication to identify approved users, digital signatures and other cryptographic mechanisms as appropriate.
  • Use intrusion detection systems, intrusion prevention systems and file integrity checkers to spot intrusions and verify Web content.
  • Protect each backend server (i.e., database server or directory server) from command injection attacks.

Step 5: Continuously protect and monitor Web security.

Maintaining a secure Web server requires constant effort, resources and vigilance. Securely administering a Web server on a daily basis is essential. Maintaining the security of a Web server will usually involve the following steps:

  • Configuring, protecting and analyzing log files
  • Backing up critical information frequently
  • Maintaining a protected authoritative copy of your organization’s Web content
  • Establishing and following procedures for recovering from compromise
  • Testing and applying patches in a timely manner
  • Testing security periodically
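One way to implement the file integrity check from Step 4 against the protected authoritative copy from Step 5, while also flagging the hard and symbolic links and loose permissions that Step 4 warns about. This is an added example, not code from the original article; the function names, directory layout and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large content is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(authoritative_root: Path) -> dict:
    """Map relative path -> SHA-256 for each regular file in the protected copy."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(authoritative_root):
        for name in files:
            full = Path(dirpath) / name
            if not full.is_symlink():
                rel = full.relative_to(authoritative_root).as_posix()
                manifest[rel] = sha256_file(full)
    return manifest


def audit_docroot(docroot: Path, manifest: dict) -> dict:
    """Compare the live document root with the manifest and flag risky entries."""
    kinds = ("modified", "missing", "unexpected",
             "symlink", "hardlink", "world_writable")
    findings = {k: [] for k in kinds}
    seen = set()
    # followlinks=False: a symlinked directory is reported, never descended into.
    for dirpath, dirs, files in os.walk(docroot, followlinks=False):
        for name in dirs + files:
            full = Path(dirpath) / name
            rel = full.relative_to(docroot).as_posix()
            st = os.lstat(full)  # lstat inspects the link itself, not its target
            if stat.S_ISLNK(st.st_mode):
                findings["symlink"].append(rel)
                continue
            if st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_nlink > 1:  # another name points at the same inode
                findings["hardlink"].append(rel)
            seen.add(rel)
            if rel not in manifest:
                findings["unexpected"].append(rel)
            elif sha256_file(full) != manifest[rel]:
                findings["modified"].append(rel)
    findings["missing"] = [p for p in manifest if p not in seen]
    return {k: sorted(v) for k, v in findings.items()}


def _write(path: Path, text: str, mode: int = 0o644) -> None:
    """Write a sample file with an explicit mode, independent of the umask."""
    path.write_text(text)
    os.chmod(path, mode)


def demo() -> dict:
    """Audit a constructed, tampered document root against its authoritative copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp) / "authoritative", Path(tmp) / "docroot"
        for root in (good, live):
            root.mkdir()
            os.chmod(root, 0o755)
            _write(root / "index.html", "<h1>Welcome</h1>")
            _write(root / "contact.html", "<p>Call us</p>")
        # Constructed tampering of the live copy only:
        _write(live / "index.html", "<h1>Changed</h1>")       # content altered
        (live / "contact.html").unlink()                       # content removed
        _write(live / "extra.php", "placeholder", mode=0o666)  # not in manifest
        os.link(live / "extra.php", live / "alias.php")        # hard link
        os.symlink(good, live / "shortcut")                    # link out of docroot
        return audit_docroot(live, build_manifest(good))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:15} {paths}")
```

Run it on a schedule from an account that can read, but not write, both trees, and keep the manifest with the authoritative copy rather than on the Web server.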

Taking proactive measures to secure your website by carefully setting up and maintaining your Web server can save your business from experiencing crushing losses of revenue, customer loyalty and proprietary information. For more information about how to mitigate your cyber risk, contact your broker today.

© Zywave, Inc. All rights reserved

Is Data Quality the Unspoken Risk of Connected Devices?

Source: Insurance Business

Our lives are becoming more and more data-centric. Sally next door uses an average of 897 kWh of electricity per month, and about 90 gallons of water each day. She’s had one costly car accident, multiple speeding fines, and her car has been broken into twice because she parks it overnight on an unlit street.

Sally’s insurance premiums are calculated using this data. We know what utilities she uses because of her home sensor device, and her connected car is catching out her heavy-footed acceleration tendencies.

Connected devices and the Internet of Things (IoT) are proliferating fast. Experts at the leading research and advisory company Gartner suggest there could be more than 20 billion connected devices in use across the world by 2020, up from 8.4 billion connected things in 2017.

As the number of IoT devices continues to boom, so will the amount of analytical data insurers will have at their fingertips. But can we always trust this data?

“Data quality is a risk we might need to consider as the world becomes more connected,” said Jeff Wargin, vice president, product management at Duck Creek Technologies. “As we get access to more and more data, we’re bound to come across false positives and false negatives. Insurance companies need to have analytics experts and data scientists working through the data and eliminating the poor-quality false positive and false negative results.

“Until that process becomes automated and we can identify the poor data with ease, I think we all run the risk of doing things we shouldn’t be, whether that’s during the underwriting process, claims adjusting, or any purpose outside of insurance.”

Connected devices are not perfect. With the global market booming the way it is, manufacturers are under pressure to release state-of-the-art products ahead of the competition. The occasional slip-up or malfunction is to be expected.

“As the number of connected devices continues to proliferate, and the amount of data we receive increases, it’s going to get harder to spot the problem areas,” Wargin added. “There’s a risk that poor data could slip through the cracks.”

Up to 100,000 Bell Customers Impacted by Data Breach

Bell Canada, one of the nation’s largest telecommunications companies, announced Tuesday, Jan. 23 that up to 100,000 customers were affected by a data breach. The company has said that hackers likely obtained sensitive customer information, including subscriber names, phone numbers, account names and email addresses. At this time, there is no indication that credit card numbers or other banking information was compromised.

The company is advising customers to change their passwords and security questions. Affected users should also be on the lookout for suspicious activity, as cyber criminals will likely use the lost email addresses and user profiles to carry out more harmful phishing and social engineering scams.

Bell is currently working with law enforcement and the Office of the Privacy Commissioner of Canada to investigate the event. Officials are looking to determine how the breach occurred, what Bell is doing to mitigate the situation and potential follow-up actions.

This latest breach comes just eight months after 1.9 million customer emails were stolen from Bell’s database by an anonymous hacker. High-profile cyber security events are becoming commonplace, and organizations must continue to conduct security audits, review their record retention policies and provide employee training if they are to prevent future breaches. While customers can’t prevent companies from being hacked, they can take the following steps to reduce the risk of losing personal information:

  • Encrypt data whenever possible.
  • Back up data.
  • Use anti-malware protection.
  • Update phones and computers regularly.
  • Secure wireless networks.
  • Use a firewall.
  • Make passwords complex and change them often.
  • Avoid clicking suspicious links or navigating to deceptive websites.



Critical Cyber Exploits Affect Nearly All Computers

Cyber security researchers recently announced the discovery of two major security flaws that could allow hackers to bypass regular security measures and obtain normally inaccessible data. The flaws, referred to as Meltdown and Spectre, are both caused by design flaws found in nearly all modern processors. These vulnerabilities can be exploited to access all of the data found in personal computers, servers, cloud computing services and mobile devices.

Because Meltdown and Spectre are both caused by design flaws, experts believe that they will be harder to fix than traditional security exploits. Additionally, software patches that have already been released to help address the vulnerabilities can cause computer systems to slow down significantly, which may impact their ability to perform regular tasks.

Researchers believe that Meltdown and Spectre may be limited to processors manufactured by different companies, but also warn that the design flaws that contribute to Meltdown and Spectre have been present for years. Here are some key details about each flaw:

  • Meltdown: This flaw can be used to break down the security barriers between a device’s applications and operating system in order to access all of the device’s data. Meltdown can be used to access desktop, laptop, server and cloud computer systems, and can even be used to steal data from multiple users who share one device. Although researchers have only been able to verify that Meltdown affects processors made by Intel, other processors may also be affected. Many software developers have already released updates that prevent hackers from exploiting Meltdown.
  • Spectre: This flaw can be used to break down the security barriers between a device’s different applications and access sensitive data like passwords, photos and documents, even if those applications adhere to regular security checks. Spectre affects almost every type of computer system, including computers, servers and smartphones. Additionally, researchers have confirmed that the design flaw that enables Spectre is present in Intel, AMD and ARM processors that are used by nearly every computer and mobile device. Software developers are currently working on a patch to prevent the exploitation of Spectre, but some experts believe that future processors may have to be redesigned in order to fix the vulnerability.

When Meltdown and Spectre were originally discovered in 2017, researchers immediately reported them to major hardware and software companies so work on security fixes could begin without alerting hackers. As a result, services and applications offered by companies like Microsoft, Google, Apple and Amazon have already been updated to help defend against the flaws. However, you shouldn’t rely solely on a software patch to protect against these vulnerabilities. Here are some steps you can take to protect your computer systems and devices from Meltdown and Spectre:

  • Update all of your devices immediately, and check for new updates regularly. You should also encourage your friends, family members and co-workers to do the same.
  • Contact any cloud service providers and third-party vendors you use to ensure that they are protected against Meltdown and Spectre. Cloud services and computer servers are especially vulnerable to the exploits, as they often host multiple customers on a single device.
  • Install anti-virus and firewall systems to protect against regular malware. Researchers believe that hackers need to gain access to a device in order to exploit Meltdown or Spectre, so keeping your devices free of malware can help prevent data theft.


Uber says over 800k Canadians affected by data breach

Source: Insurance Business Canada

In a statement issued this week, Uber Canada disclosed that the information of 815,000 Canadian riders and drivers may have been affected by a major data breach.

The ridesharing company first announced news of the breach last November. Uber revealed that the breach occurred sometime in October 2016, and resulted in the theft of information from some 57 million Uber accounts globally.

Uber Canada said the information taken by the cyber attackers includes names, email addresses, and mobile phone numbers. The company’s investigation has not identified, however, if the hackers managed to also steal users’ location histories, credit card numbers, bank account numbers, or dates of birth.

The company’s disclosure earlier this week came the same day that the federal privacy commissioner said it had opened a formal investigation into the breach, The Canadian Press reported.

Uber Canada spokesperson Jean-Christophe de le Rue said that the company will cooperate with the commissioner’s investigation.

“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the privacy commissioner on this matter.”

In late November, a law firm representing Albertans whose information was compromised by the data breach filed a class-action lawsuit against Uber. On top of general damages, the lawsuit is seeking special damages for costs related to credit counselling, compensation for the plaintiffs’ lost time and income, as well as costs for credit monitoring and other similar services.

How to Respond to and Protect Your Business from Ransomware

The incidents of ransomware in Canada are rising at an alarming rate. In 2015, Canadians were affected by 1,600 ransomware attacks a day. By September 2016, the number of attacks nearly doubled, and those are only the known cases. Unfortunately, many incidents still go unreported. Businesses of all sizes have become targets of ransomware, as it can infect not only personal computers, but also entire networks and servers.

What is Ransomware?

Ransomware is malicious software that infects a computer and denies access to the system or data, and demands a sum of money to restore the information. Presently, the most common forms of ransomware will encrypt data.

Victims often receive an onscreen alert stating their files have been encrypted or a similar message, depending on the type of ransomware. The message on the lock screen may even claim to come from the federal government, accusing the user of violating a law and demanding a fine.

Organizations are then prompted to pay a ransom to unlock their computer systems or gain access to critical documents. Typically, the hackers behind the ransomware demand bitcoin—a type of digital currency that is difficult for police to trace.

How Ransomware Can Spread

There are different ways that ransomware can spread, including the following:

  • Visiting fake or unsafe websites
  • Opening emails or email attachments from unknown sources
  • Clicking on suspicious links in emails or on social media

How to Respond

Some operating systems provide instructions for responding to lock-screen ransomware, although results aren’t guaranteed. In contrast, encryption ransomware has no quick fix without an encryption key, which only the hackers typically have access to.

Regardless of the type of ransomware, experts recommend against paying the ransom. After all, there is no guarantee that you will regain access to your computer, network or files after you pay. Furthermore, by paying the ransom, you could be encouraging future cyber crimes.

If your business is affected by ransomware, take the following steps:

  • Do not do anything further on your computer systems. If possible, consult your IT department or an IT professional for assistance.
  • Immediately contact the Canadian Cyber Incident Response Centre (CCIRC) to report the incident. The CCIRC can assist your business to mitigate further damage.
  • Open a criminal investigation into the matter by reporting the incident to your local police force or jurisdiction, and inform the CCIRC that you have done so.
  • Report the incident to the Canadian Anti-fraud Centre.
  • Contact your insurance broker to discuss next steps from an insurance perspective.

What to Do if You’ve Already Paid the Ransom

Since business can come to a halt without access to essential data, business owners are often tempted to pay the ransom in order to quickly regain access. If you’ve paid the ransom, contact your bank and call the authorities as soon as possible. Credit card companies may be able to block the transaction and refund you if you contact them promptly.

How to Protect Your Business

Cyber extortion from ransomware is a legitimate threat to all businesses—no matter the size. The best method of prevention is to keep confidential information and important files securely backed up in a remote location that is not connected to your main network.

In addition to backing up your files, taking the following prevention measures can help keep your information secure and prevent you from becoming a victim of cyber attacks:

  • Teach your employees about ransomware and the importance of preventing it.
  • Instruct employees never to click on links or open attachments in emails sent by a party they do not know.
  • Show your employees how to detect suspicious emails and attachments. For example, tell them to watch for bad spelling or unusual symbols in email addresses.
  • Develop a protocol for reporting incidents of ransomware and other suspicious cyber activity.
  • Develop a schedule for regularly backing up sensitive business files.
  • Update your company software as soon as new updates are released. In doing so, you can patch the security vulnerabilities that cyber criminals rely on, and avoid becoming an easy target.
  • Purchase cyber liability insurance that not only helps you respond to threats, but can also help cover the cost of the ransom and any other losses incurred as a result of cyber extortion.

Don’t let ransomware—or any type of cyber exposure—threaten your business. Contact your insurance broker to ensure you have the proper coverage and the tools necessary to protect against losses from cyber attacks.


KRACK Cyber Vulnerability Puts Wi-Fi Networks at Risk to Hackers

Recently, Mathy Vanhoef, a researcher from a Belgian university, discovered a security flaw in Wi-Fi Protected Access II (WPA2)—a protocol that secures almost all modern, protected Wi-Fi networks. Through this newfound vulnerability, hackers can potentially gain access to encrypted information using what is called a key reinstallation attack (KRACK).

Any organization or individual that utilizes Wi-Fi is at risk for an attack, and hackers can use the KRACK method to steal sensitive information like credit card numbers, passwords, chat messages, emails, photos and most data that is stored or transmitted online.

What’s particularly troubling about this cyber threat is that it’s not tied to a specific machine or software and is more so a flaw in how WPA2 was originally designed. Essentially, all a hacker needs to do to access your protected information is to be near your Wi-Fi access point and execute a script that tricks a system into bypassing the security. Not only does this allow cyber criminals to eavesdrop on network traffic, but they can also infect connected machines with malware.

While Vanhoef demoed the vulnerability using an Android operating system, it’s likely that KRACK can be used against a number of others, including Linux, Windows and macOS.

Thankfully, KRACK can be controlled with patches, and Vanhoef warned many companies of the security flaw long before publishing his findings, giving them time to develop a solution. It’s possible your network may already be fixed.

However, there are still a number of precautions businesses and individuals should take, including the following:

  • Update all laptops, smartphones, smartwatches and other devices that can be connected to Wi-Fi.
  • Be cautious about using any hardware that has not yet been patched, as any information stored or transmitted on that device could be compromised.
  • Contact your internet service provider to determine if you need to update your network.



Federal Government Publishes Data Breach Reporting Requirements Draft

OVERVIEW

Last month the Canadian government published proposed regulations relating to the mandatory reporting of privacy breaches under Canada’s federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

While the regulations put forth by the government are simply proposed rules, they do provide an indication of what will likely be included in the final regulations. The regulations are expected to be finalized in the coming months.

This Compliance Bulletin examines the relevant PIPEDA provisions, the proposed data breach regulations and the potential implications for organizations subject to PIPEDA.

BACKGROUND

In June 2015, Canada passed into law the Digital Privacy Act (DPA), a law that made a number of important changes to PIPEDA. While most of the amendments contained in the DPA came into force in 2015, the provisions of the law relating to mandatory data breach reporting and record-keeping have not yet come into force.

Once in force, the data breach provisions of PIPEDA and corresponding regulations will require organizations to report to the Office of the Privacy Commissioner of Canada (Commissioner) any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to an individual. Organizations will also be required to notify any affected individuals and any other organization or government institution that may be able to mitigate the harm to affected individuals. The report and notification must occur as soon as feasible after the organization determines that a breach has occurred.

Under that law, “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. Factors organizations must consider when assessing whether a breach creates a real risk of significant harm to an individual include the sensitivity of the personal information involved and the probability that the personal information has been, is being or will be misused.

Draft Regulations

Reports to the Commissioner: Content, Form and Manner

According to the draft regulation, a report to the Commissioner must be made in writing and contain the following information:

  • A description of the circumstances of the breach and, if known, the cause;
  • The day on which, or the period during which, the breach occurred;
  • A description of the personal information that is the subject of the breach;
  • An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
  • A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
  • A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach; and
  • The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Under the proposed regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.

Requirements for Notifying Affected Individuals of a Data Breach

Under PIPEDA, notification to an affected individual must contain sufficient information to allow the individual to understand the significance of the breach and to take steps, if possible, to reduce or mitigate the risk of harm that could result. According to the draft regulations, a notification to an affected individual, at a minimum, must contain:

  • A description of the circumstances of the breach;
  • The day or time frame the breach occurred;
  • Descriptions of the type of personal information that was compromised during the breach;
  • A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
  • A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
  • A toll-free number or email address impacted individuals can use to obtain further information regarding the breach; and
  • Information about the organization’s internal complaint process and about the affected individual’s right, under the PIPEDA, to file a complaint with the Commissioner.

Notifications must be given directly to impacted individuals through an email, letter (delivered to the last known home address of the affected individual), telephone call, in-person conversation or other secure form of communication if the affected individual consented to receiving information from the organization in that manner.

Indirect Notification

Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach. According to the draft regulations, organizations will be able to provide indirect notification only if:

  • A direct notification would cause further harm to the affected individual;
  • The cost of giving a direct notification is prohibitive for the organization; or
  • The organization does not have contact information for the affected individual or the information that it has is out of date.

The draft regulations indicate that indirect notification may be given only by either a conspicuous message, posted on the organization’s website for at least 90 days, or by means of an advertisement that is likely to reach the affected individuals.

Record-keeping Requirements

Once in force, the data breach provisions of PIPEDA and the regulations will require organizations to maintain a record of every breach of security safeguards. The draft regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.

NEXT STEPS

While the regulations are not finalized and an enforcement date has not yet been announced, organizations should take the proper steps to ensure they are PIPEDA compliant. While the new reporting and record-keeping requirements appear to place an administrative burden on organizations, companies that already have cyber security protocols in place will likely experience minimal impact.

To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette.


Equifax Hit by New Cyber Scare

Source: Insurance Business Canada

Equifax Inc. is reporting that a third-party vendor the credit rating agency uses to collect performance data on its US Equifax website was serving malicious content.

“Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis,” an Equifax spokesperson said in an emailed statement Thursday.

“Equifax can confirm that its systems were not compromised and that the reported issue did not affect our customer dispute portal.”


Earlier Thursday, Equifax Canada said its US parent company was temporarily taking down one of its customer services pages amid reports that hackers had allegedly altered Equifax’s credit report assistance page so that it would send users malicious software disguised as Adobe Flash.

“We are aware of the situation identified on the equifax.com website in the credit report assistance link,” Equifax Canada spokesman Tom Carroll said in an emailed statement.

“Our IT and security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”

Carroll did not respond to direct questions about any potential breach to Equifax Canada’s website.

The news comes as Equifax Inc. continues to deal with the aftermath of a cyber breach earlier this year which allowed the personal information of 145.5 million Americans, and 8,000 Canadians, to be accessed or stolen.

Since news of Equifax’s massive data breach broke last month, the company is facing investigations in Canada and the US, as well as at least two proposed class actions filed in Canada.

The massive data breach has also led to a number of high-profile departures at the Atlanta-based consumer credit reporting agency, including its chief executive, chief information officer and chief security officer.

In early October, Equifax revised the number of consumers potentially impacted in the breach, bumping up the total in the US to 145.5 million and reducing the number in Canada from an estimated 100,000 to 8,000.

For these Canadian consumers, Equifax says the information that may have been accessed includes name, address, social insurance number and, in “limited cases” credit card numbers.

On its website, Equifax’s Canadian division says it has not yet mailed out any notices and made clear it would not be making any unsolicited calls or emails about the issue.

In September, Equifax reported that its investigation had shown that hackers had unauthorized access to its files from May 13 to July 30. Equifax Canada said at the time it was working closely with its parent company Equifax Inc. and an unnamed, independent cybersecurity firm conducting the ongoing investigation.

The cyberattack occurred through a vulnerability in an open-source application framework it uses called Apache Struts. The United States Computer Readiness team detected and disclosed the vulnerability in March, and Equifax “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”

Canadian Press

3 Business Lessons from the HBO Hack

HBO, an American premium cable and satellite television network, was the victim of a data breach. On July 31, 2017, HBO revealed that a group of hackers had stolen 1.5 terabytes of data from the network. Following the breach, the cyber criminals were systematically leaking spoilers and unaired episodes of “Game of Thrones,” one of HBO’s flagship shows.

This hack demonstrates that intellectual property can be just as valuable to cyber criminals as personally identifiable information. To avoid falling victim to a similar cyber attack, organizations should keep in mind the following business lessons learned from the HBO hack:

  1. Having a communications plan in place is critical. Following the breach, HBO was quick to ease the concerns of stakeholders, assuring the public that no internal emails had been stolen. However, this turned out not to be the case, and HBO publicized misinformation. This can be damaging to a brand, as balancing transparency and authenticity following a cyber event is crucial. Having a formal communications strategy can help organizations map out what information is shared with the public and at what time.
  2. Cyber attacks can be damaging to an organization’s reputation. Even if the financial impact of the HBO breach ends up being minimal, the reputational damage has been done. The breach jeopardizes HBO’s image and undermines customer loyalty and trust that took years to build up.
  3. To protect your business from a cyber attack, you need to understand your vulnerabilities. It’s been reported that the HBO hackers used multiple points of entry to get into the company’s system and steal data. Organizations should understand their vulnerabilities to protect against attacks. Entry points can differ depending on the business, but often include employees connecting to networks, online printers and employees using a virtual private network while working remotely.

While you can never predict when a data breach will occur, keeping in mind the lessons above will ensure that your organization is adequately prepared.
