The data breaches are inevitable fallacy

At NZ Business, Kordia regional cyber security business manager Peter Bailey delivers a few home truths about data breaches:

When we hand over our credentials and ID to businesses, we are trusting them. We need to have the assurance that they have measures in place to keep our data safe.

Latitude Finance, the parent company of Gem and Genoapay, recently suffered a major cyber breach which saw 14 million customers impacted across both sides of the Tasman. Personal data was stolen, including drivers’ licences, dates of birth, passport numbers, photos and more. Latitude has confirmed it will not be paying a ransom to retrieve the data – it is yet to be seen whether the cybercriminals responsible will start selling it on the dark web.

… this wasn’t an overly sophisticated attack. The threat actor simply leveraged an employee’s credentials and logged into not one, but two of the company’s service providers. So how did this happen?

The clue is in “Leveraged an employee’s credentials”.

It’s an increasingly common story. Online criminals get hold of passwords or other ways of getting into systems and, once inside, plunder vast amounts of private data.

Or they hold the data to ransom. Ransomware remains the number one threat for most New Zealand businesses.

"People who should know better buy into fallacy"

Bailey, rightly points out that “It’s a fallacy to believe that data breaches like this one are inevitable.” Yet many people who should know better buy into that fallacy, many information professionals accept these things will happen.

The story goes on to talk about the security best practices that are what company’s hire Bailey’s Kordia team to implement. It is, after all, a sales pitch. But the points he outlines are solid enough but best left to professionals. It’s a good sales pitch.

Bailey doesn’t say so here, but companies in general, and New Zealand businesses in particular, still don’t take data breaches seriously enough. They are often comfortable spending money on perimeter defences and buying services focused on protecting the perimeter.

They should spend more money building defences inside the perimeter, criminals find it far too easy to jump from one place to another once they are inside. And more money on detecting unusual behaviour in areas they, unwisely, consider to be safe.

Moreover companies need to spend more time and money making sure everyone in the business is cyber-security aware. There’s no point building a moat and walls if your gatekeepers are going to give the keys away to marauders.