October marks the start of National Cyber Security Awareness Month. This year’s theme is “Do Your Part. #BeCyberSmart”. The 2020 event will be the the 17th annual Cyber Awareness Month since the initiative was launched by the National Cyber Security Alliance and the Department of Homeland Security in 2004 as a part of a broad effort to help Americans stay safe and secure online.
This month’s theme underscores that goal, with four themed weeks focusing on the vulnerabilities in connected devices and in critical industries. The first week focuses on connected devices best practices, while the second week focuses on connected devices at home and work. Weeks three and four depart from the more general discussions on connected devices; week three focuses on healthcare devices specifically, before week four closes out the month with discussions on the future of connected devices.
At N2K, we too are doing our part to keep everyone cyber smart and will be looking at simple and often overlooked things businesses can be doing to bolster their cyber security.
Earlier this year, 235 million YouTube, TikTok and Instagram profiles were exposed due to an unsecured database managed by defunct third party social media data website, Deep Social. The hack, which exposed accounts’ full names, screen names, likes, follower details and other information which may help improve the targeting of phishing attacks, highlights two simple but important cybersecurity best practices: database securing, and data tracking.
Calling the incident a hack is somewhat of an overstatement; in reality, getting the data took zero technical expertise. Social Data, who acquired the data from Deep Social, had simply never secured the database, meaning that anyone who knew about the database could simply take the information. Though password protecting databases seems like an obvious part of cybersecurity, unsecured databases have proven to be a large issue in recent years. 2019 saw the demographic data of 80-million US households was leaked due via an undisclosed unsecured database. UK telecom provider Virgin Mobile has come under fire this year for similar reasons after reporting that an unsecured marketing database had been accessed without permission on at least one occasion.
Many of these databases were demographic, suggesting that firms may not have felt the information was sensitive enough to warrant protection. While it is true that individual demographic data is easy to obtain, this much demographic data makes the lives of hackers looking to target specific cohorts of people easier. As businesses face increased litigation due to data mismanagement, not at least password protecting this sort of data is financially negligent.
Businesses should also take note of the source of the leak: the third party app Depp Social. In many ways, Instagram’s parent company Facebook took the appropriate first step in preventing this leak when it blacklisted Deep Social for scraping data from users. Although this was a good first step in protecting user data, the step comes off as more performative than protective, as Facebook failed to follow up on what was done with the scraped data, allowing it to be acquired by the Hong Kong based social media firm Social Data. If the data was obtained in violation of the platform’s terms then Facebook has a responsibility to see to that the data is deleted, or at the very least keep track of it.
Regardless, firms of all types need to be careful about vulnerabilities originating in third parties. A July ransomware attack on Freddie Mac Vendor Opus Capital Market LLC saw Freddie Mac having to do damage control, eventually cutting ties with the vendor and offering free identity theft protection to all those affected. Unfortunately, though the breach was not Freddie Mac’s fault directly, news reporting on the breach simply refers to a Freddie Mac vendor, placing casual blame on the company, hurting their image, as was the case in the social media leak. Though difficult, firms need to communicate their cybersecurity expectations to any third parties that have access to their data, as data breaches will reflect poorly on both companies.
To Freddie Mac and Facebook’s credit, they did take the steps to distance themselves from negligent parties, but that will not stop the fallout from reaching them. Third party vendors should be aware themselves, as firms may increase their cyber expectations. Being ahead of the curve with proper security and training may help set various vendors apart.
This brings us to our final discussion point of Cyber Awareness Month: accountability. This summer has seen many firms paying for mistakes of the past. Uber, Facebook, Marriott and more were each litigated against for data mismanagement, breach concealment, or anti-consumer practices. Global law firm Norton Rose Fullbright, referred to cyber litigation as “the new frontier” for the legal field. It is no wonder such a claim was made, as companies are facing damages that approach billions of dollars, and executives are being charged criminally for mismanagement and concealment.
Part of being cyber smart is accepting that breaches are a fact of life as of now, and knowing how to respond after a successful breach is nearly as critical as stopping breaches in the first place. Courts operate on precedent, so firms and decision makers should follow current judgments and rulings in order to ensure breaches are handled in ways deemed acceptable by the courts. Though possibly inconvenient, firms should regularly conduct cost benefit analyses on cyber risk and the various controls that may be considered.