Aleks Koha explores the world of hacking, its impact on organisations and how they can protect themselves against attacks and the resulting reputational damage.
When you think about your everyday life, you don’t tend to notice how many things are controlled by electronics.
Computers have secretly infiltrated every aspect of our lives with one goal – to make things more comfortable. This has, of course, affected business because not only is the business environment growing more connected, but there is no longer one corporate stronghold (the perimeter) in which you can quarantine your employees.
With staff bringing in their own devices and home working policies, the borders of the work environment are blurred with a worker’s personal life. So where am I going with this? Everything that has a computer in it can be hacked, including your smart toaster or light bulb. To be fair, a hacker doesn’t even need to hack any of your machines, they just need to manipulate the psychology of their target to gain the access they need. Cyber threats lurk around every corner and that’s why I believe it is one of the top global challenges of modern times.
‘Cyber threats lurk around every corner and that’s why I believe it is one of the top global challenges of modern times’
To understand what’s going through the mind of a cyber criminal, we first have to know who they are. There are several major threat actor categories, for example: hacktivists, cyber criminals, insiders, advanced persistent threats and script kiddies. Specific motivations vary and may include personal financial gain, a desire to cause reputational damage or just to look cool to their friends. Hacktivists might be fighting for a cause they believe in and attacking corporations or organisations that oppose their views. Cyber criminals usually hack systems for financial gain and, because if they know what they’re doing, detecting, tracking down and prosecuting them is extremely difficult.
With the rapid development of different attack automation tools, script kiddies (who use existing computer scripts or codes to hack into computers, lacking the expertise to write their own) also become more dangerous; less and less technical knowledge is required to conduct an effective attack and this should put companies and organisations on alert. State-sponsored attackers may want to uncover government-level secrets, cause physical infrastructure damage or something else entirely.
But I think the main thing that goes through any hacker’s head is that, today, it’s the most effective type of projection of force to get what you want. You can remain completely anonymous and potentially undetected if you know what you’re doing, the financial gains or intended damage can be huge and you can do all this from the comfort of your sofa (unless physical access is required). Another type of hacker is the person who does it out of curiosity; not all hackers intend to do damage, they just want to see if they can get in a system or they spot an obvious security flaw that they want to highlight to the company/organisation.
‘It’s essential to test your systems continuously to find new security holes and patch them’
Can hacking an organisation ever be ethical?
Hacking can be ethical if you have permission to do it; it’s what’s referred to as penetration testing in the cyber security community. Without permission it is, of course, not ethical, because it becomes a real cyber attack.
It’s essential to test your systems continuously to find new security holes and patch them. Another useful thing to test is business continuity – disaster is going to strike sooner or later, so the speed at which you get back up and running with minimum impact is important, because that’s what is going to determine the extent of your financial damage. Without ethical testing, it would be hard to estimate what would happen if these events unravelled, which is why it can be a good idea to hire ethical hackers to try and break your system. If you make it look like the real thing, you’ll also know how well your employees are prepared. Remember, spending on cyber security is not a cost, it’s an investment. If you want to know the return of investment, simply assess what the potential losses would be and how likely such events are to happen.
What makes an organisation an ‘easy target’ for hackers?
Organisations make themselves vulnerable to cyber attack if they fail at basic security hygiene. Software should always be updated; factory settings should be never be used in company hardware, and employees should use password managers and never reuse passwords for multiple accounts. In addition, two-factor authentication should be used everywhere possible, interaction points such as input forms on web applications should be tested and protected from code injections, encryption should be used in communication and data at rest, and plaintext passwords should never be kept in databases. Employees should be trained in the threats of social engineering and phishing when inducted into the company.
‘Employees should be trained in the threats of social engineering and phishing when inducted into the company’
If everyone did the simple things highlighted above, 99% of attacks would never happen. Don’t go overboard, though: rotating complex passwords every three months and other more extreme measures cause security fatigue, and may lead to your workers make more mistakes in the long run. I don’t recommend punishing employees who are the cause of a hack. Doing this creates a culture where people will hide breaches or irregularities from management. The usual detection time for breaches can be more than six months, so if someone notices something strange, you really want them to report it.
Examples of the biggest hacks of the 21st century
There have been many high-profile hacks, but I’d like to highlight the Yahoo and Equifax data breaches. With the Equifax case, nearly half of the US population had credit data and personal information leaked – and in a country such as the US, events like this are not going to pass without a large class action case.
Meanwhile, the Yahoo breach leaked information from more than a billion user accounts. Yahoo is actually fortunate this happened before the EU implemented General Data Protection Regulation (GDPR), because it only received a $35m fine from the Securities and Exchange Commission; the GDPR fine could have been around $200m.
Of course, another notable hack is the Stuxnet worm (a malicious computer worm uncovered in 2010), which targeted the Iranian nuclear programme and was the first every cyber attack to cause physical damage.
How far can a hack damage the reputation of a business?
Reputational damage is what hacktivists usually try to achieve and it can be a side effect of other hacks as well. The question is the extent of the damage that comes down to how you handle the situation when it unravels.
You will inevitably lose trust if you leak your customers’ data and if that data is really sensitive and you handle it badly, it can be the end of your business. If you handle the situation well, you will likely recover from the reputational damage caused. Organisations that are targeted often should definitely have a crisis management plan in place because when the bad guys keep knocking, eventually they’ll get in and then things will happen fast. It’s hard to respond quickly and effectively if you are not prepared.
So how should organisations respond following a hack?
As each situation is different it’s hard to give a ‘silver-bullet response’ to how organisations should respond to a cyber attack. You definitely need to notify the authorities (within 72 hours if you deal with EU citizens’ data under GDPR) and the affected parties. Never pay ransoms, as it will just motivate the hackers to target you again and you can expect attacks to escalate.
When it comes to PR, it depends on the size of the breach and the situation and each event should be assessed individually. There are companies out there that specialise in post-breach response and the fallout that comes with it. If you don’t have that specialty in-house, I would recommend seeking out these organisations out when things get bad.
The most innovative ways of protecting a business are usually reserved for organisations with a large security budget. Deal with basic security hygiene first; once you have covered 99% of issues, you can focus on the 1%. Some of the most interesting technologies I would like to bring out are deception technologies, artificial intelligence (AI)-based log analysis and attack pattern detection, threat intelligence solutions, AI-based endpoint protection solutions, and privileged account management.
My personal favourite is deception technology, which essentially turns the technical landscape through which a hacker needs to navigate into a minefield. I believe deception technology is also going to be seen more on the social engineering level soon, creating decoys and alerts for psychologically manipulative attacks. In general, there is a lot of innovation going on in the cyber world and I would suggest checking out the cyber security top 500 companies.
However, as stated earlier, basic hygiene is the key to mitigating 99% of cyber attacks. Have continuity and crisis plans in place, assess your risks and, if you need to take it to the next level, look towards the advanced innovations that are being developed daily. Also get tested regularly and don’t forget to test your employees as well. Of course, you can never be 100% secure; remember – the attackers are always one step ahead of you, so stay humble and keep the basics in check.
‘Basic hygiene is the key to mitigating 99% of cyber attacks’