Earlier this week, online greetings card company Moonpig took its API offline as a flaw was enabling orders to be placed on customer accounts by hackers. The flaw, identified by researcher Paul Price, allowed hackers to bypass authentication security and place orders, as well as see and add payment information, view addresses and so on. While Moonpig has said that all password and payment information is safe, it has been claimed that the flaw was left unfixed for 17 months, despite the company being made aware of it.
We’re used to hearing about security breaches and flaws on a very frequent basis these days, so the fact that another organization has fallen foul doesn’t come as too much of a surprise. We have, after all, reached a stage when it’s a case of when, not if, a security incident occurs for most businesses today. What is unbelievable is the fact that Moonpig was made aware of the fact there was an issue almost two years ago and, as far as can be seen, did nothing about it.
For any organization, and particularly for retail businesses, customers are really the only thing that keeps them going. Showing such flagrant disregard for the safety of their data is unforgivable, and you can be sure many members of the public will see it in the same way. In fact, a recent survey conducted by LogRhythm found that 56 percent of people said they either don’t do business with an organization that has suffered a breach, or at least limit the amount of information they share with them – which indicates Moonpig could face a quick decline in customers following this news.
The financial repercussions of any breach can be severe, thanks to lost customers, lost income and any fines that may be levied, and the longer flaws are left open, the worse that loss is likely to be. With the security landscape as it is today, there really is no excuse for organizations not to have the tools in place to identify risks and fix problems as soon as they are identified. Understanding normal network activity is crucial to ensuring its security, and can severely reduce the time it takes to detect threats. No flaw should take 17 months to rectify, particularly when it’s already been identified, and leaving it for so long is asking for trouble – from multiple angles.
UK retailers are currently preparing themselves for the two busiest days of the online shopping year. Black Friday (28th November 2014) and Cyber Monday (1st December 2014) will see shoppers spend millions of pounds online as the US craze continues to gain popularity in the UK. Indeed, Amazon is predicting it will beat the four million orders it received during the same weekend last year, with total UK expenditure expected to reach £281 million.
Black Friday and Cyber Monday have become two of the biggest phenomena in the shopping industry, and the dates that retailers – and consumers – from both sides of the pond now look forward to ahead of the holidays. However, after a tough year, which has seen the likes of eBay, Target and OFFICE suffer data breaches at the hands of today’s cybercriminals, all eyes will be on retailers to ensure that consumers’ online shopping experiences are as straightforward and, most importantly, as secure as they can be.
With so many credit cards being registered and used online, it’s no surprise that cybercriminals will be preying on as many shoppers as possible. As such, it’s now more imperative than ever for retailers to have the right procedures and defenses in place to fend off the hackers’ sophisticated threats. Indeed, it really is a case of when, not if, they will be targeted, and retailers need to take more responsibility when it comes to protecting their customers’ confidential information – not just for their customers, but also for their own reputation. Recent breaches have already affected consumer spending patterns, with the public now much more wary of whom they trust with their details.
What retailers must not do is take shortcuts when it comes to protecting their customers’ data. If they aren’t continuously tracking and monitoring their networks for anomalous activity, then they aren’t doing a good enough job at proactively defending against cybercrime. Indeed, failing to do this and instead taking a reactive approach could seriously impact retailers’ holiday trading figures going forward – something none of them can afford to risk.
Last week a team of European law enforcement agencies arrested a number of individuals on suspicion of using Remote Access Trojans (RATs) to commit various types of cybercrime. The operation, led by French authorities, also involved teams from the UK, Estonia, Romania, Latvia, Italy, and Norway, and was supported by Europol’s European Cybercrime Centre (EC3). The joint operation saw the seven countries work together to identify the suspects and involved two operational coordination meetings, collating intelligence and providing analytical support.
The sophistication of today’s cyber criminals has meant that, for too long, they have been ahead of the game. This week’s news clearly shows that we’re now catching up with them. One of the challenges of investigating cybercrime is the fact that the criminals have no notion of country borders, and multiple targets in multiple countries can be attacked at the same time. Sharing intelligence across borders is absolutely key, and this operation clearly shows how effective that strategy is.
However, operations like this will only be as successful as the information they have. Organizations can’t rest on their laurels and expect someone else to protect them – they also have a role to play. All businesses, whether in the public or private sector, must ensure that they are monitoring every single piece of activity that happens on a network in real-time. With the level of insight that can be gained, anomalous activity can be identified immediately and the information gathered can be shared with those with the authority to catch the criminals.
We can now clearly see just how effective cross-border collaboration is and, as more investigations like this are enacted, we’re likely to see a fundamental shift in the way cybercrime is investigated around the world. With the necessary parties providing the necessary information, and a centralized intelligence unit to collate and investigate it, we may just have a chance of winning. It may be a long fight, but as we all know, slow and steady wins the race.
As a LogRhythm Sales Engineer I meet many customers who love our technology but struggle to convince their hierarchy of the true ROI of a full SIEM solution.
The good news is that the Ponemon Institute has just released their annual survey results based on a sample of:
- 257 companies over 1,000 seats
- 2,081 separate interviews
- in 7 countries (USA, UK, Germany, France, Japan, Australia and Russia)
- in 17 industry sectors
Among all their results they found that:
- Cyber crime cost has increased by 10.4% from last year
- Cyber crime cost per enterprise seat varies from $1,600 for small companies to $437 for larger ones
- Productivity loss accounts for 30% of the total cost companies incur as a result of a breach
- The most costly cyber crimes are those caused by malicious insiders
- Security Intelligence technologies (including SIEM) have the biggest ROI of all security technology categories
The graph below shows the average annualized cost of cyber crime attacks in $US million. According to the Ponemon report, companies that had security intelligence technologies deployed experienced average breach cost savings of $2.6M when compared to breached companies that did not have a SIEM deployed.
Image: Ponemon Institute
This survey provides over 30 figures which can help our customers put together a detailed business case, with many statistics broken down by country and by industry sector.
The full report is available free of charge here: 2014 Global Report on the Cost of Cyber Crime
Last week the UK government announced that it has partnered with 12 insurance companies to develop the cyber-insurance market and highlight the threat of cyber attacks to businesses. As part of this, new working groups will be put in place and will be tasked with reporting back to the Cabinet Office on what the key issues in the market are. Cabinet Office Minister, Francis Maude, said that, while cyber insurance adds an extra layer of protection for organizations, it must be used in conjunction with good cyber-security practices.
We’ve seen a slew of very high-profile security breaches take place this year, with organizations, such as eBay, finding themselves in the firing line. What’s slightly concerning is the fact that cyber crime is now so commonplace that these incidents go by with barely an eyebrow raised when they are reported. While businesses themselves clearly have to deal with the consequences of these attacks, they also cost the UK as a whole a vast sum of money. Joining forces with insurers makes sense for the government as it will enable it not only to raise awareness of the issue, but also ensure damage is limited.
While cyber insurance has been around for a while, the market has been relatively slow to take off. However, as cyber criminals become more sophisticated and we realise the inevitability of attack, it makes sense that businesses would want to have the greatest level of protection as the aftermath of a serious breach could be akin to a large-scale burglary. For insurers it’s not surprising they would want to capitalize on this modern risk facing UK businesses, and working with the government only provides a greater opportunity to get the word out there. However, Francis Maude is right and businesses must see insurance as a safety net, and not as a security tool. Just as you wouldn’t forgo your fire alarm when you purchase contents insurance for your house, organizations must not do the same with their defensive security measures.
It is imperative that the right checks and balances are maintained to keep corporate networks watertight, as the protection of private information should be paramount – rather than simply covering the costs of a breach. Protective monitoring and security intelligence should be the go-to strategy throughout organizations, as it provides the most granular view into all network activity. This ensures that anything untoward can be immediately identified and stopped in its tracks before any lasting damage is done – or big insurance payouts are required. So, while there is no harm in having insurance, and it will likely prove advantageous to both businesses and the UK economy, it must not be seen as the be-all and end-all, otherwise we’re going to be seeing a lot more breaches, a lot sooner.