Written by Steve Ross
How do businesses become the victims of a cyber-attack? We explore high profile examples of what happens when businesses fail to prepare for an attack…
Over the past few years, we’ve seen high-profile cyber-attacks cause chaos in some of the world’s largest companies. With so many incidents to sort through, it’s easy to skim the details – but if big businesses, with all their IT resources, can become victims, it stands to reason SMEs need to be especially vigilant.
Fortunately, high profile incidents aren’t just ‘car-crash’ media stories – they act as learning tools which help us understand the threats we face. We’ve taken a look at 5 recent examples of companies which overlooked, ignored or failed to prepare for a cyber-attack: what went wrong… and how could the damage have been avoided?
What? Last year, TalkTalk suffered a Distributed Denial of Service attack which crippled network servers and allowed hackers to hijack the company’s SQL database during the confusion. Around 157,000 customers had data stolen, at a cost of around £35 million.
How? TalkTalk should have understood that DDOS attacks are normally smokescreens for a more malicious attack – in this case, the database breach. They might have improved their intrusion detection software or configured routers to block or deflect traffic. Damage might also have been mitigated by encrypting data within the database.
What? In late 2014, Sony suffered a highly-publicised cyber-security breach which saw the theft of 100TB of data. The initial penetration occurred in one vulnerable server – which gave the hackers access to Sony’s wider network. The damage was estimated to have cost the company $35 million.
How? Experts traced the breach back to a phishing attack specifically targeting Sony execs by using fake Apple ID verification. Phishing attacks can be highly sophisticated but also exploit naivety – the attack demonstrates employees of every status are vulnerable: Sony’s highest-ranked employees should have had better training at spotting and avoiding this type of threat.
What? The fallout from the Ashley Madison website hack in 2015 might be measured in embarrassment as much as financial loss, but the fact remains the site’s entire user database (32 million accounts) was compromised by a carefully planned cyber-attack. The release of that sensitive information and the salacious nature of the website itself ensured the hack stayed in the headlines for weeks.
How? CEO Noel Biderman suggested the breach may have been perpetrated by an internal employee which, if true, underlines the importance of security strategies looking both outwards and inwards: disgruntled employees, contracted staff, or someone simply lacking appropriate training may create a serious weak link in any cyber-security strategy.
What? In mid-2014, eBay suffered a huge security breach, with the records of over 145 million users (usernames, phone numbers, home addresses) stolen by hackers. The unprecedented attack, perpetrated by a group known as the Syrian Electronic army, prompted eBay to advise all its customers to change their passwords.
How? Hackers accessed eBay’s user database by targeting a handful of corporate accounts – eBay could have prepared better by making employees aware of current phishing and malware threats. More importantly, eBay might also have protected their reputation by informing users more effectively during and after the attack: months passed between the breach and its discovery, giving the hackers a time to utilise customer data.
What? In a database breach four times the size of the TalkTalk incident, hackers stole the personal details of over 650,000 customers of pub chain JD Wetherspoon. The data included personal details like names, addresses and phone numbers – but also highly sensitive bank details.
How? Rather than going after Wetherspoon’s current (and presumably better-protected) website, hackers targeted an older site hosted on third party servers. Security on the old servers had grown lax, to the point that the hackers were able to exploit weaknesses and steal the data. Not only should Wetherspoon have been aware of the vulnerability on their old server, but should have moved to inform customers of the breach more swiftly.
These incidents represent highly sophisticated and carefully planned attacks… but demonstrate how corporate behemoths can be undone by relatively simple gambits… even when a little extra awareness and training could have prevented disaster. Cyber-threats aren’t something only enterprise need to worry about: as attacks on small businesses continue to rise at an alarming rate, preparation continues to be our best defence.
Are you prepared for threats to your business? Do you need advice on building a cyber-security strategy? Talk to us today…