Ashley Who?

Law of Unintended Consequences

The Ashley Madison affair (no pun intended) certainly brought the issue of private data breach front and center.  By allegedly exposing the most personal of information and private thoughts of participants it took the issue of cyber security out of the realm of corporate boardrooms where bottom lines rule to the realm of bedrooms where bottoms rule.

For those of you who are unaware, Ashley Madison is a website that presents itself as “the most famous name in infidelity and married dating,” where “thousands of cheating wives and cheating husbands signup everyday (sic) looking for an affair.” They claim to be “…the most famous website for discreet encounters between married individuals,” and offer their services from 中国 (China) to ประเทศไทย (Thailand) to Canada. (Actual wording on the landing page, not mine.)

Wikipedia reported that in July 2015, a group calling itself “The Impact Team” stole the user data of Ashley Madison, and on 18 and 20 August, the group leaked more than 25 gigabytes of company data, including user details.  Kim Zetter of wired.com  provides some details of what actually happened and how the hackers did their dastardly deed.  Needless to say, the hacked data became a treasure trove of real or imagined events.   Journalists and their readers from  Sudbury, ON  to Boston, MA  had a field day spawning a short-lived industry focusing on modern day morality and modern day technology.

Not So Fast

It was widely expected that the data breach would effectively be the end of the controversial website, but parent company Avid Life claims that people are using the site more than ever.  Today the site claims 43.46 million members in comparison to the 39 million acolytes it claimed at the time of the breach.  Despite the surge in subscriptions, the website’s future is still uncertain as Avid Life faces several lawsuits from disgruntled customers, which will inevitably be costly.

A Picture is Worth a Thousand Words

Computer Dealer News recently joined the Ashley Madison controversy.  It made the observation that in the Ashley Madison hack it wasn’t the size that mattered but the quality of the data.  CDN listed the 10 largest data breaches as follows:

[Chart: CDN’s list of the 10 largest data breaches]

Have We Made No Progress ?

Ashley Madison pales in comparison to these hacks. So the question that CDN’s Dave Yin asked is, “Why are these breaches still happening given the number of security tools and practicing MSSPs (Managed Security Service Providers)?”

Scott Montgomery, vice president and chief technical strategist at Intel Security, and Mike Canavan, vice president of sales engineering at Kaspersky Lab, suggest the answers lie in several areas.

Business Behaviour 1 : Minimize Expenses

Firstly, individuals and companies value the data differently. Whereas an individual might assume his personal data is being managed and treated with the same respect he treats it, companies tend to think of the cost of security. A client’s record is stored alongside millions of other client records in a single database. Fences are not erected around each piece of information but rather around all the information: a single perimeter protects the whole database, so once that wall is breached all the information is accessible.

Business Behaviour  2: Maximize Revenue

Secondly, companies frequently do not use the full range of capabilities their devices and software provide. This under-utilization may be a function of cost or of unfamiliarity with the tools. Think of the 380-page handbook which came with your new car. Did you read and understand every page? Likely not. You read the minimum necessary to get going. Companies frequently behave the same way. Although their devices may support extra layers of security, they may lack the technical skills to configure those devices correctly and get the most security out of them.

Business Behaviour 3: Think Bottom Line

Thirdly, many companies have assumed that a data breach is inevitable and have adopted an attitude of breach containment rather than breach prevention. These companies are more interested in keeping the damaged area as small as possible than in preventing the harm itself. This type of thinking usually involves a risk assessment which weighs the cost of insuring against a breach (security software) against the actual cost of a violation, such as legal fees, loss of business and client mitigation expenses.

Get a Professional Opinion

Jolera believes the central concern of any security evaluation must be the impact the loss may have on clients. What value does the client ascribe to the data? What is the impact of a loss to the end user? What processes will the client follow to mitigate the breach? By placing the client at the focal point, the financial losses can be properly evaluated and different strategies appropriately weighted. A valid assessment requires an intimate knowledge of hardware, software and business economics. Call Jolera for a professional assessment of your security posture. What you don’t know can really hurt you.

How much did you say?

Target reimburses $39 million to MasterCard Inc.

On Dec 2, 2015, Target Corporation in the US announced it had agreed to reimburse MasterCard Inc. and other U.S. financial institutions a total of about $39 million to settle claims brought against the retailer in connection with its massive 2013 data breach.

This settlement comes on the heels of a $67 million agreement Target struck in August with Visa Inc. on behalf of banks and other firms that issue credit and debit cards. The combined Visa and MasterCard settlements at Target come to around $106 million. While the final numbers will likely be buried somewhere in an annual report a year or two down the road, estimates of Target’s total loss vary widely. We can all agree, however, that you have to sell a lot of bread to recover this kind of bread.

Target’s data breach exposed 40 million credit and debit cards to fraud during the 2013 holiday season. The Minneapolis-based company’s breach ranks among the most high-profile data incidents to hit retailers in recent years.

Other costly breaches at well-known merchants include Home Depot Inc., luxury retailer Neiman Marcus Group and the P.F. Chang’s China Bistro chain. Dollar figures from the web are not terribly accurate, as civil suits continue to wend their way through the US courts. Liability and class action suits can take years to finalize.

Our earlier posts on cybersecurity generated many positive responses, and many readers asked that we provide some sort of mechanism for measuring what they are facing. We are certainly not all Target Stores, with annual sales of $72.6B USD. So how does the small to medium sized business get a handle on the cost of a data breach? Jolera has found the Ponemon Institute’s 2015 Cost of Data Breach Study: Canada (May 2015) most informative. This report was sponsored by IBM but produced independently by the Ponemon Institute. Verizon’s 2015 Data Breach Investigations Report contains much useful information as well.

We can distill much of the information and there are many inexpensive fixes you can do tomorrow to shore up your defenses.

40% of the Solution is Not Rocket Science 

Some of the suggestions are things your sensible mother would have mentioned had you asked the question. Lock the machine when you leave your workstation, make sure no one is looking over your shoulder, and use passwords whenever feasible to protect data. The Ponemon Institute has categorized some security measures which are easily managed and can have a significant impact on your security posture. Admittedly, some of the solutions require a discipline and internal oversight which may impose a “cost”; however, there are relatively inexpensive quick wins which will get you some distance down the road.


40% of the solutions fall into the quick-fix category; they are no-brainers.

So now you are probably doing some mental gymnastics weighing the cost of implementing and monitoring some of these solutions at your place. IBM offers a rough-and-ready tool to help you estimate the cost of a major data breach at your business. The numbers can be scary and, of course, there is always the hurdle of getting the C-suite on side when dealing with intangibles.

Let me suggest a possibility. Get the Jolera team to lend a hand. We have over 100 high-tech minds and tens of thousands of hours of practical hands-on experience to place at your disposal. Together we can be formidable. No matter how complex your IT questions, we can help you take decisive action and achieve those “elusive” results.