Companies need not repeat the mistakes of the EU’s central bank.
On Thursday we learnt that the European Central Bank (ECB) suffered a data breach. Though no market-sensitive information was said to have been taken, contact information for those attending events with the bank was.
German police have been called in to investigate, and those whose details have been snatched have been informed. But what lessons can companies draw from this attack on one of the most powerful institutions in the EU?
1. Every organisation is at risk
This year has been a bumper year for cyber attacks, with Target, eBay and News UK having all suffered at the hands of hackers.
Keith Bird, managing director at security firm Check Point, said: "This attack highlights how even high profile organisations with robust defences can fall victim to enterprising cyber criminals. The European Central Bank was clearly unaware it had been infiltrated as it first found out when the attackers issued a ransom for the data they had obtained."
Of the 150 financial groups the company audited last year, 88% had been involved in a data loss incident, an increase of a quarter on 2012.
2. All customer data should be encrypted
Only some of the data taken by crooks from the ECB was encrypted, a startling oversight given its potential uses.
Jason Hart, vice president of cloud security at SafeNet, said: "Any data stored in a plain-text state is easily readable and can be easily accessed by cyber criminals. So companies need to think about encrypting all customer data, both in storage and transit."
Strong encryption can ensure that when a breach occurs the information obtained is useless to criminals, both discouraging them from hacking in the first place and minimising the damage if it does happen.
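The "encrypt customer data at rest" advice above is easy to state and easy to get subtly wrong. The following Go program is an added example written for this page; it is not code from the article, the ECB or SafeNet. It shows the pattern a practitioner would want for a contact list like the one taken here: the sensitive fields of each record are sealed with AES-256-GCM under a key that is assumed to live outside the database (in a KMS or HSM), a fresh nonce is used per record, and the record id is bound in as additional authenticated data so a ciphertext cannot be silently moved onto another row. The record layout, key handling and names (`Contact`, `Seal`, `Open`, `LeaksPlaintext`) are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Contact is a constructed stand-in for an event attendee record (assumption).
type Contact struct {
	ID    string
	Name  string
	Email string
}

// SealedContact is the form written to the database: only the non-sensitive
// record id stays in clear; the PII travels as an AES-256-GCM ciphertext.
type SealedContact struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// newAEAD builds an AES-256-GCM cipher from a 32-byte key. The key is assumed
// to be fetched from a KMS/HSM at runtime, never stored beside the data.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the PII fields of c with a random per-record nonce. The record
// id is passed as additional authenticated data so a ciphertext copied onto a
// different record fails to decrypt.
func Seal(key []byte, c Contact) (SealedContact, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return SealedContact{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return SealedContact{}, err
	}
	plaintext := []byte(c.Name + "\x00" + c.Email) // NUL separates the two fields
	ct := aead.Seal(nil, nonce, plaintext, []byte(c.ID))
	return SealedContact{ID: c.ID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. It fails if the key is wrong, the ciphertext was
// tampered with, or the record id does not match the one it was sealed under.
func Open(key []byte, s SealedContact) (Contact, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Contact{}, err
	}
	pt, err := aead.Open(nil, s.Nonce, s.Ciphertext, []byte(s.ID))
	if err != nil {
		return Contact{}, errors.New("decryption failed: wrong key or tampered record")
	}
	parts := strings.SplitN(string(pt), "\x00", 2)
	if len(parts) != 2 {
		return Contact{}, errors.New("malformed plaintext")
	}
	return Contact{ID: s.ID, Name: parts[0], Email: parts[1]}, nil
}

// LeaksPlaintext reports whether a dumped row still contains the name or
// e-mail in clear, which is what an attacker who only steals the table gets.
func LeaksPlaintext(s SealedContact, c Contact) bool {
	return bytes.Contains(s.Ciphertext, []byte(c.Name)) ||
		bytes.Contains(s.Ciphertext, []byte(c.Email))
}

func main() {
	// Constructed key and record for the demonstration only.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	c := Contact{ID: "att-001", Name: "Example Attendee", Email: "attendee@example.org"}
	sealed, err := Seal(key, c)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: id=%s nonce=%s ct=%s\n",
		sealed.ID, hex.EncodeToString(sealed.Nonce), hex.EncodeToString(sealed.Ciphertext))
	fmt.Println("row exposes PII:", LeaksPlaintext(sealed, c))
	back, err := Open(key, sealed)
	fmt.Println("decrypted with correct key:", back, err)
	_, err = Open(make([]byte, 32), sealed)
	fmt.Println("decrypted with wrong key:", err)
}
```

The point of the design is that a stolen table is only as useful as the attacker's access to the key: if the key is held in a separate system with its own access controls and audit trail, the dumped rows are noise, which is exactly the outcome the article's experts are asking for. Encryption in transit (TLS between the application and the database) is a separate control and is not shown here.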
3. A little data can lead to identity fraud
The ECB unsurprisingly downplayed the significance of the hack, pointing out that sensitive financial and market information had been stored separately. But this doesn’t mean the data is harmless.
Charles Sweeney, chief executive at security firm Bloxx, said: "A professional hacker doesn’t need much more than a name, address and date of birth in order to defraud a person and assume their identity.
"This data might not rank as highly in terms of sensitivity to the wider market place and the ECB itself, but to the individuals that could potentially be impacted it is most definitely of concern and underlines the need for all, not just some, data to be robustly protected."
4. A minor breach can dent a company’s reputation
Customers will be upset that their data has gone walkabout, but companies also have to worry about the effect on their reputation, especially when they are charged with holding other people’s money.
Will Semple, vice president of research and intelligence for security firm Alert Logic, said: "It will be interesting to monitor the markets to see if this incident introduces confidence concerns in the ECB over the next few days."
5. Organisations should challenge ethical hackers to attack them
Many security experts have a history of hacking, and not always as one of the good guys. Firms should make use of this.
Toyin Adelakun, vice president of products for security firm Sestus, said: "It is always beneficial to have frequent, regular and irregular penetration-testing (pen-testing) performed by so-called ethical hackers, to make sure that as many as possible of your blind spots are uncovered.
"Even better, have multiple or different pen-testers address your Web sites and networks, so that you have a comprehensive view of the threats — and thus a comprehensive view of the necessary security countermeasures."
6. Security must increasingly seek to protect data
Keeping bad guys out of the perimeter used to be the focus for security companies, but this is all changing now the market for data is so profitable.
Gary Newe, senior systems engineering manager at application firm F5 Networks, said: "This attack is the latest to deliver a clear message to businesses across Europe – the assets we protect are no longer the infrastructure or the networks, it is the information contained in the applications that we need to address.
"We need to use tools like web application firewall (WAF), proxy functionality, and contextual awareness to understand and separate legitimate users from those with more suspicious motives, and better protect our data using these insights in real time."
7. It is still a bad idea to pay ransoms
Ransoms create a dilemma for the victim. In the short term it is tempting to buy off the hacker, but in the long term this may just encourage subsequent attacks.
Bob Tarzey, analyst and director at research firm Quocirca, said: "There is less reason to pay for this than even human ransom. Thieves may or may not have a copy, and they may or may not misuse what they have regardless of whether a ransom is paid. How do you know they will destroy what they have?
"As for crypto ransom (your data is encrypted and we will only give you the keys for payment), this would be bad news for a bank regardless of how important the data was. It would expose poor practice, not just in weak security, but in weak backup processes."