When Big Brands Are Hacked and Identities Stolen, How Can We Ensure Security at Enterprise Level?
In recent years we’ve seen some of the globe’s biggest and most reputable companies thrust into the spotlight as victims of large-scale security breaches.
Cast your mind back a few years and the likes of trustworthy retail brands such as Walmart (2009), Target (2011), and even technology giants Apple and Ebay (2014) will stand out as some of the most surprising companies hit by damaging cyberattacks.
Last year UK telecoms firm TalkTalk lost 250,000 customers after suffering a security failure last year that revealed sensitive customer data, proving that all types of organisations have contributed to what we now publicly conceive as a major concern in privacy and data in the enterprise.
The biggest problem is many companies don’t understand the full extent of the technology involved in, or the laws surrounding taking care of customer data, and thus don’t implement the proper guidelines to ensure they remain safe from such breaches.
According to the Cybersecurity Breaches Survey conducted for the UK government, seven out of 10 attacks on British firms could have been easily prevented. This is perhaps because, while 53% of businesses in the country considered online services to be a core to their offering, only a fifth had a clear view of the dangers of sharing information with third parties. Surprisingly, fewer (34%) were found to have rules specifically catering to personal data encryption, which has been the chief cause of most high-profile cyber security breaches recently.
But in order to better understand security, companies must first know the difference between data privacy and data security, and understand that the terms aren’t quite as interchangeable as they might think.
Data privacy is defined as the appropriate use of data. For example, when companies and merchants use data or information that is provided or entrusted to them, it should be used according to the agreed purposes. In past cases some companies have sold, disclosed or rented volumes of sensitive consumer information to other parties without approval, which is gross misuse of the data.
As for data security, this refers to the confidentiality, availability and integrity of data; all of the practices and processes that are in place to ensure it isn't being used or accessed by unauthorised individuals or third parties.
The two can be linked via a company’s data security policy, a strategy that ensures both data security and data privacy of consumers' information. All businesses should have a data security plan in place as a priority, focusing on collecting only the required data information, keeping it safe and destroying any information that is no longer needed to ensure they are doing all they can to keep their customers safe from hackers.
Securing and ensuring privacy in consumer products
With the rise of the internet of things, protecting data privacy and security becomes increasingly difficult for organizations creating products. And thanks to the escalation in cybercrime threatening both the public and private sector alongside this burgeoning device and data generation, it can be a very difficult task to ensure all company data is private and being used properly.
Since IoT involves multiple layers of security, including technology that scans for vulnerabilities continually, formulating a successful data security policy must involve looking at all threats and to cover more than just the basics.
There are several ways in which a company can ensure privacy in consumer products. One of the most important is that a company needs to ensure that its IT staff, workforce and management are aware of the various types of data and how it is classified so that both workers and management understand the differences. By categorizing the data, employees can be aware of how to handle each type and which types they are allowed to distribute. For instance, splitting it up into: confidential data; internal company data; general data, and; data that is meant to be sent outside the company, for instance.
It is also important to find any vulnerabilities in a company's IT infrastructure before hackers do. Since hackers will scan for vulnerabilities the minute they are discovered, a company should have a routine in place for checking its own networks regularly.
Implementing code to eliminate vulnerabilities can also help to protect against threats, such as how and when patches are to be implemented in the system. But if a security breach does occur, it’s important to have appropriate measures for handling it already in place, including the reporting of the incident and how to solve the problems leading to it to prevent the issue from reoccurring.
However, data privacy and security is about much more than keeping hackers at bay. It is also about assuring consumers that the trust they place in a consumer product brand is warranted. Consumers have a keen sense of awareness of the risks surrounding data security and privacy, so it’s likely many consumer product executives are likely overestimating the extent to which they are meeting consumer expectations related to data privacy and security.
As society becomes more reliant on technology, the consequences of security failure escalate – especially as the IoT becomes embedded in everyday life – reaching through industrial control to personal devices and infrastructure such as transport and power.
Also known as the industrial internet (or Industry 4.0), the industrial internet of things (IIoT) incorporates machine learning and big data technology, harnessing the sensor data, machine-to-machine (M2M) communication and automation technologies that have existed in industrial settings for years.
The driving philosophy behind the IIoT is that smart machines are better than humans at accurately, consistently capturing and communicating data. This data can enable companies to pick up on inefficiencies and problems sooner, saving time and money and supporting business intelligence efforts. In manufacturing specifically, IIoT holds great potential for quality control, sustainable and green practices, supply chain traceability and overall supply chain efficiency.
At the moment, the IoT is more of a consumer-facing and consumer product-driven. However, courtesy of the object gateways and consolidators, IIoT is gradually gaining some ground despite many companies not setting plans for industrial IoT. This slow adoption is down to perception. According to Cisco, 92% of market leaders agree that security vulnerabilities are likely in IIoT, so it is going to take time to gain the trust from industries before they realise the true potential benefits.
When it is realized, however, it will initially exist on current infrastructure and protocols. As it develops, it will require a foundation of IPv6, a more secure protocol that offers almost limitless IP addresses and one that is currently being almost force-fed to web engineers. However, the adoption of IPv6 will take time. Although standardisation of IIoT is gradually taking shape, the opportunity for innovation, and standardisation, exists at different levels.
Securing in-car devices, ensuring privacy and monetisation
Once mobile devices are connected to car infotainment systems and cars are connected to the internet, vehicles will become a rich source of data for manufacturers, marketers, insurance providers and the government. But this will mean they'll be a lucrative target for hackers too.
Unlike mobile device makers that use the latest technology to secure their devices, the automotive industry is generally much further behind. The computer systems in automobiles can be built from years-old technology because of a general three-to-five-year vehicle development cycle. Therefore, just like computers, car owners need an opt-out capability when it comes to collection of in-vehicle data.
Carmakers already remotely collect data from their vehicles, unbeknownst to most drivers. Location data, which is routinely collected by GPS providers and makers of telematics systems, is among the most sensitive pieces of information that can be collected. For example, if a company knows where your car is at any point in time, it knows where you live, what restaurant you're in and where you go to church. And, also knows if you're interviewing for another job.
It could be argued that drivers should have to opt in before car companies can share data with any outside parties. General Motors (GM) being a good example as to why an opt-out model isn't good enough. In 2011, the firm's OnStar in-vehicle communications service began collecting data on users without permission, sharing data with third-party suppliers, and thus were forced to stop using the data.
Consequently, the auto industry is very mindful of GM's high-profile mistake, and so (if they haven’t already) automakers should scrub the data they receive from in-car systems in order to protect customer privacy and ensure consumer trust.
While potentially dangerous, data has been referred to as the most powerful currency in the automotive industry, and it is set to grow exponentially as a result. The connected car has been estimated to emit up to five terabytes of data in a single hour, but so far the challenge has lied in how to monetise it. One way is by utilising driving data for usage-based insurance (UBI) purposes; the idea that safer, more efficient drivers, which are assessed via data from in-car sensors, are rewarded with lower premiums.
How can medical device manufacturers ensure patient data security?
Medical devices – like other computer systems – can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. But this vulnerability increases tenfold when the medical device in question is connected to the Internet, hospital networks, and to other medical devices.
All medical devices carry a certain amount of risk and so it is important they are put under scrutiny by those implementing them. In the US for example, the Food and Drug Administration (FDA) allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks. While the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase the ability of health care providers to treat patients.
Addressing cybersecurity threats, and thus reducing information security risks, is especially challenging in the medical sphere. Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals and facilities must work to manage them. There is a need to balance protecting patient safety and promoting the development of innovative technologies and improved device performance.
The FDA has two recommendations for mitigating and managing cybersecurity threats, which are:
- Medical device manufacturers and healthcare facilities should take steps to ensure appropriate safeguards, being responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
- Hospitals and healthcare facilities should evaluate their network security and protect their hospital systems.
Privacy of wearables: who manages the data
Since wearables know a host of wearers’ secrets – such as heart rate history, how many steps they take to work, how long they sleep at night and where they like to run – they know almost everything there is to know about a consumer’s biology, habits and whereabouts.
But who owns all that data? Often, it’s not the consumer, but the device maker, which can collect and store it.
The myriad of ways the company can use personal data is where things get complicated and it varies on a case-by-case basis from device to device and from software to software. Some manufacturers sell data back to the users by charging a monthly fee. But they also collect and store the data to sell it to third parties. Some experts say this can pose a security risk, even when the data is anonymised for consumer protection.
Anonymising data removes identifying features and uses simple encryption. However, some manufacturers charge users a monthly fee for access to their own raw data, which is regularly sold to third-party agencies in the form of “anonymized” data such as location, age, sex, email, height and weight.
However, companies should be aware that anonymizing data in this way via a simple distortion or removal of identifying features does not provide adequate levels of anonymity and is not sufficient to prevent identity fraud.
By cross-referencing wearable data with other digital traces of user behavior, hackers are able figure out a person’s identity by using seemingly innocuous information combined with digital traces like the time or location of a user’s activity or social media updates, to gather increasingly sensitive information, such as a password.
How can data be monetised and its effects on the insurance industry?
However, the concept of wearable data could prove to be rather lucrative, especially in the insurance industry. According to a study conducted by Boston-based research advisory firm Strategy Meets Action (SMA), about 3% of insurers are already using wearable devices and another 3% are experimenting with the new technology, while 22% are in the process of developing a strategy for using them.
There are various areas of potential use for wearable devices including marketing, underwriting, risk management, new product development, workers’ compensation and personal auto injury claims management. Since wearables capture data near the wearer, providing a record of what the wearer is seeing and hearing, they have application in claims assessments, such as motion detection of a fall that wasn’t the wearer’s fault, for instance.
As a result, wearable technology a game changer for the insurance industry, especially with the benefits of using such devices in the areas of risk management and return-to-work.
What can we learn from hacks of retail companies such as Target? How can retailers secure customer data?
Back in 2014, US retailer Target was hit by a large scale security breach after one of the firm’s contractors fell victim to a phishing attack, which resulted in hackers gaining access to the retailer’s internal systems and installing malicious software. The malware in question was Citadel, a variant of the infamous Zeus banking trojan.
Once installed on a system, Citadel captures keystrokes, takes screen grabs, and steals login credentials. While many anti-malware solutions usually identify Zeus and Citadel as they as well known by security vendors, in this case, the contractor had deployed Malwarebytes free edition, which doesn’t offer real-time protection.
As a result of the intrusion, which was traced back to network credentials that were stolen from a third party vendor- in this case the contractor – the Target hackers exposed 40 million customer debit and credit card accounts.
The good news here however is that businesses can learn from the misfortunes of Target’s simple yet devastating attack.
Target had little control over the entire contractor and partner ecosystem. But if it had required endpoint protection by contract, and conducted regular audits, Target could have paid for licenses of fraud and malware protection software for any endpoints to be allowed access to their portals, or at least mandated two-factor authentication for more than just contractors who have internal access to sensitive information.
There are many other measures companies like Target can implement to ensure customer data remains safe with the benefit of hindsight, such as:
- Train employees in security principles: Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate internet use guidelines that detail penalties for violating company cybersecurity policies.
- Create a mobile device action plan: Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks.
- Control physical access to computers: Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended.
- Limit employee access to data and information: Limit authority to install software, do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission. Also, if employees work from home, ensure that their home system(s) are protected by a firewall.
What should retailers be allowed to do with loyalty card data? How can they monetize it?
Customer data is very valuable, but what organizations do with it is a different story. Most companies use customer insights as way to achieve a successful customer relationship management or customer experience program. Data is used to enhance customer experiences, improve service quality, target marketing efforts, capture customer sentiment, increase upsell opportunities and trigger product and service innovation.
According to Olive Huang, research director at Gartner, direct monetisation of customer data, such as organizations exchanging information for goods and services, works in the same way as the old grocery store loyalty card. Due to the increasing magnitude of customer data, organisations have new opportunities for monetization thanks to the growing wealth of information from digital channels, from social media, location and context-sensitive data collected from mobile, creating a 360-degree customer profile.
Customer data can be used in two ways to generate monetary value: directly: sold or traded, and indirectly: by creating new information products or services that leverage the data, although the data itself may not be sold. Gartner predicts that 30% of businesses will have begun directly or indirectly monetizing information assets via bartering or selling them outright by the end of 2016. They might do this by treating information as a corporate asset that generates tangible future benefits.
While customers value their privacy, and bad press from privacy breaches could impact a company’s ability to monetize data, many users will happily give away their personal information in return for free access to a service or for financial benefit, such as a store and airline memberships. Ultimately, companies should follow privacy regulation development and determine their tolerance of risks in relation to how they want to monetise customer data and implement it into their customer loyalty strategy.