Some of the biggest companies in the world were hit by some of the biggest cyber security breaches in 2018. Of the 24 largest breaches of all time on the USA Today list, three of the top 10 occurred last year – Marriott, Under Armour and Quora.
But it’s not just the digital novices who are vulnerable. Cyber breaches were also a problem for tech-giants, like Google, Facebook and Twitter last year. If Google isn’t safe, what chance do small and medium-size business have of keeping their digital infrastructure secure?
A snapshot of the digital security landscape, afforded by a peek at some of the biggest breaches of last year, can at least give us an idea of what private business owners could be up against. That broad look should also provide the ammunition to assess what solutions need to be applied.
- Marriott: 500 million customers
- What was stolen: names, addresses, email addresses, phone numbers, dates of birth, passport numbers, credit card and additional personal information
- What happened: Reports of the breach alleged the company was hacked by foreign intelligence operatives. The vulnerability came via Marriott’s Starwood booking system, which the company purchased in 2016. Investigation revealed that the Starwood system was compromised since 2014.
- Under Armour (MyFitnessPal): 150 million customers
- What was stolen: names, email addresses, encrypted passwords
- What happened: The company discovered unauthorized third-party access to some of its customer data, but reported that its security measures kept the intruders from more sensitive information, such as GPS location, eating habits, credit card and Social Security numbers.
- Google Plus: 52.5 million customers
- What was stolen: names, email addresses, dates of birth, personal Google + session information
- What happened: A security audit discovered that outside app developers could have had access to personal information of Google Plus users b/w 2015 and 2018. The company announced a breach affecting 500 thousand users in October (the breach occurred several months earlier). In December, Google revealed a second, bigger breach of 52.5 million users. Google is ending the Google Plus platform, and the breaches have helped to expedite its demise.
- Panera Bread: 37 million customers
- What was stolen: names, addresses, email addresses, dates of birth and last four digits of customer credit cards
- What happened: Panera was tipped to a database leak in August of 2017, but ignored warnings of security experts. The company failed to take action for eight months.
What Does This Tell Us?
It’s not every day that you’ll find yourself the target of government-sponsored hackers. Or is it? Reports have circulated for years about foreign hacking of corporate, government and infrastructure targets in the US.
Putting aside the fact that Marriott was potentially the target of international espionage, the company acknowledged a sub-optimal investment in cyber security. While internal security protocols did signal an unauthorized access to the system, they were not sufficient enough to detect the vulnerability during the acquisition of the system two years earlier. Marriott has since hired a new chief information security officer and began reporting on cyber risks to the company board.
Marriott, like Under Armour, was at least partially positioned to withstand cyber attacks. Both companies responded by studying their vulnerabilities and applying fixes in short order. Notably, they went to outside experts who could provide an honest, objective assessment of threats and recommend the right fix.
Google decided to keep the initial breach in-house – because they’re Google – and was burned by another, much bigger breach less than 10 months later.
Panera, on the other hand, mishandled everything – from the initial vulnerability, to the flagging of the issue by an outside security researcher. Eight months passed between when Panera was notified to when a fix was applied. And in the process, the company ignored a credible tip and efforts of an informed individual trying to help.
Hubris and presumptive arrogance on one end… insufficient deployment of security resources on the other. Despite the size of these companies, when it comes to cyber security, the execs of international corporations face the same type of problems and decision-making concerns as small business owners.
So, What Can Business Owners Do?
Well, the first thing to do is to acknowledge that cyber security is not your area of expertise. Guard against that hubris and arrogance by staying humble in your attempts to address this need. It’s ok to acknowledge that you’ll need the help of a trusted cyber security expert.
That said, the scale of the threats you’ll face is probably different than that of Marriott and Google. It’s unlikely you’ll face government-sponsored espionage. Small and medium-sized business are more likely to fall victim to ransomware attacks. As such, you’ll need backup and firewall services tailored to exploits favored by ransomware attackers.
At Beacon, we lean on the SonicWall Capture Advanced Threat Protection service to keep our clients free from ransonware and subsequent critical failures. The SonicWall platform is designed to discover and defeat zero-day (brand new) threats, and is set up to provide automated remediation – meaning you don’t have to lift a finger.
Beacon Knows IT Security
If you’re ready to take your IT security to the level it needs to be, give BITS a call. We’ll be happy to talk through the needs of your business.