This article was first published in SME Web.
Don't be outbid by hackers and learn from eBay Inc's mistakes.
The latest cyber attack on eBay Inc (NASDAQ:EBAY) has potentially affected 145 million customer records. However, the method by which the hackers obtained access to the customer database is not yet known, nor is it known whether the hackers cracked the encryption and consequently accessed the customer records. It has been reported that the data is available for sale on certain internet forums, although it is not unusual for other fraudsters to look for ways to cash in on a breach.
Given that there are so many unknowns, it is impossible to comment on how, and whether, eBay could have prevented the attack. However, there is one clear lesson that all businesses can take away: a comprehensible, responsive and considered plan which can be implemented quickly and effectively in the aftermath of a breach is essential.
The single biggest criticism of eBay was its failings in handling the breach. eBay faced a backlash on everything from its delay in notifying customers of the breach to the confusing instructions posted on its website. Even the method by which customers can change their passwords has been criticised for being overly complicated and not user friendly.
The Information Commissioner, Christopher Graham, said in light of the eBay attack: "...it's a wake-up call to businesses. Cyber crime is real. Hacking is real. Responsible companies have got to act to keep their customer information safe, and if they don't, they'll find they're not just in trouble with the Information Commissioner, but they're in trouble with customers too."
It is essential that businesses have a considered and practical plan (ideally included as part of the general information security policy) to deal with any actual or possible attack. This plan should include how the business is going to update and inform customers of the steps they should take to mitigate the risks created by the security breach.
It is, of course, essential that all the basics are also covered. Firstly, appoint the right people to advise the business. Whether they are employees or external advisors, the business needs to understand exactly what customer data it holds, where it is and who has access to it.
Secondly, have a clear understanding of the business's obligations in respect of that data. These may include requirements under the Data Protection Act, guidance issued by the Information Commissioner's Office, or the requirements of other regulatory bodies such as the Payment Card Industry Security Standards Council or the Financial Conduct Authority.
Additionally, this month the Government launched its new Cyber Essentials scheme. The scheme enables businesses to gain one of two Cyber Essentials badges. Furthermore, from October 2014 the Government will require all suppliers bidding for contracts which include the provision of services relating to sensitive and personal information to be certified against the Cyber Essentials scheme.
The Cyber Essentials framework provides a statement of controls that all businesses should implement to mitigate the risk from cyber threats. The controls fall under the following five categories: boundary firewalls and internet gateways; secure configuration; access controls; malware protection; and patch management. The scheme is likely to be well received by the industry. BAE Systems, Barclays and Hewlett-Packard are amongst the first businesses applying.
Universities and Science Minister David Willetts said: "The recent GOZeuS and CryptoLocker attacks, as well as the eBay hack, show how far cyber criminals will go to steal people's financial details, and we absolutely cannot afford to be complacent. We already spend more online than any other major country in the world, and this is in no small part because Britain is already a world leader in cybersecurity. Developing this new scheme will give consumers further confidence that business and government have defences in place to protect against the most common cyber threats."