57 million people affected worldwide by a breach that was covered up for over a year. 143 million American consumers affected by a single database hack – again with delays in making the news public, and with an impact at the global level that has yet to be determined.
The recent data breach incidents at the smartphone app-based ridesharing company Uber, and the massive international credit reporting agency Equifax represent the antithesis of the principles of enterprise cyber resilience – both in their scale and in the haphazard and frankly inadequate nature of the response which they met from the targeted organizations.
With public and media outcry, several ongoing lawsuits, and the financial and reputational damage suffered by both Equifax and Uber, the lessons of cyber resilience – the capacity for an enterprise to return to a stable and operational state and recover from the adverse effects of risks, cyber-security threats, and permutations in its environment – are being learned by these two entities, the hard way.
And from their (poor) example, it’s possible for everyone to get a better idea of how enterprise cyber resilience should be preserved and fostered, in practice.
Uber, and How NOT to Do It
With its globally popular smartphone app and the entry of the term “Ubering” into the English vocabulary, the ridesharing giant Uber’s high profile may have set it up as a target for cyber-assault. Whatever the reason, in late 2016 two hackers succeeded in accessing the company’s user data, which was stored on a third-party cloud-based service. But the breach didn’t become public knowledge until over a year later.
From the New York Times 2017 report of the incident:
“Uber disclosed Tuesday that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom. …
The two hackers stole data about the company’s riders and drivers — including phone numbers, email addresses, and names — from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said.
Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a ‘bug bounty’ — a common practice among technology companies in which they pay hackers to attack their software to test for soft spots. …”
All of this occurred in the middle of Uber’s negotiations with the Federal Trade Commission (FTC) after the company had failed to disclose an unrelated data breach dating from 2014.
Equifax, and How NOT to Do It
Last year, the American offices of the international credit reporting body Equifax reported that hackers had managed to gain unauthorized access to company data, potentially compromising the personal information of 143 million American consumers. This effectively meant that personally identifying information on around 60% of all American adults had been exposed, including their social security numbers and driver’s license numbers.
Though the breach occurred in the U.S.A., Equifax may have transferred personal information between its American office and those of its wholly owned subsidiaries across the globe, potentially complicating matters further with breaches of data privacy and security laws in Australia and other countries.
The scale of the breach is staggering enough, in itself. Perhaps more disturbing was the admission that the incident could have been averted through the timely application of a simple security patch – a lapse and admission which cost the sitting CISO, CIO, and CEO of Equifax their jobs.
To compound matters, media and public perception turned firmly against the company when it came to light that the breach was reported a significant time after the event. The incident occurred in June and the breach was identified in July, but an official report to the market wasn’t made until September 2017.
As with Uber, public opinion and the press are still questioning the trustworthiness and reputation of Equifax, along with its capacity to handle customer information and matters of cyber-security.
Enterprise Cyber Resilience: How It Should Be Done
Enterprise cyber resilience isn’t a one-off or short-term deal. To ensure that they remain both resistant to attack and capable of responding effectively to any incidents that do occur, organizations are advised to establish clear procedures and protocols for cyber-security response – and to regularly test these plans.
As the incidents at Uber and Equifax clearly demonstrate, playing hide-and-seek with the truth is never a winning strategy. Transparency and disclosure should be an organization’s watchwords whenever a security breach is detected.
Though care should be taken to protect the integrity and assets of the enterprise during the sensitive phase of an incident where disclosure might do more harm than good, organizations should nonetheless fulfill their social responsibilities to the customers they serve, and their legal obligations to any authorities or compliance regimes to which they’re subject. In light of the coming General Data Protection Regulation (GDPR), matters of disclosure and corporate responsibility will become even more relevant.
Since public and customer perception have the capacity to make or break a business, enterprises must ensure that both their conduct and message in matters of data privacy and cyber-security are ethical and consistent. Periodic programs of training for employees and management of an organization should take this into account, by including sections on proper modes of conduct, communication, and incident management.
With cloud-based resources and hosted services now an integral part of corporate culture, cyber-security planning and risk management policies need to take off-site data storage, application hosting, and delivery into account. This approach must also extend to contracts and conditions with third-party service providers and supply chain partners.
Funding and the acquisition of skills for cyber-security and risk management need to be established as an enterprise priority, with oversight and active involvement from senior executives. This involvement requires not only access to more and better information resources but also training to increase the level of technological competence in directors and senior executive leaders.
Finally, organizations must display and act upon their capacity to learn from their mistakes. At the public perception level, this necessitates measures such as clear and genuine apologies, and the laying out of strategies for how the enterprise will go about correcting the errors which led to a security incident and putting measures in place to ensure that such incidents won’t happen again.
In terms of enterprise cyber resilience, this ability to learn from past errors and take action to prevent future occurrences is instrumental in rebuilding organizational resistance to cyber-attack and increasing the capabilities of the enterprise in prevention, detection, and incident response.
'A cyber breach can, and is likely to, happen at any time. Determining whether your organization is prepared can happen in one of two ways: either during the cyber breach itself or by employing CybeRisk to carry out a thorough assessment of your Cyber Resilience.' - Eyal Harari, CEO, CybeRisk