Hacked: Carphone Warehouse joins the growing list of cyber-victims
The announcement last month of the data breach and consequent exposure of personal details of 2.4 million customers of the well-known mobile and technology company, Carphone Warehouse (CW), should serve as yet another warning to businesses of all sizes that systems remain vulnerable.
The details of the attack are not yet known, and the cyber security community awaits them eagerly to ensure that no new attack approach has been developed that it must react to.
In the meantime, customers will be taking the steps advised by CW to minimise the potential impact of the exposure of personal details such as names, addresses, bank details and dates of birth. These details give cyber criminals the additional information that enables sophisticated phishing emails, and even phone calls, to be made more convincingly, in search of access details to more valuable data and accounts.
Customers have reacted angrily to the delay of 3 days before the breach was made public and affected customers were contacted. CW have defended their approach, and this case clearly highlights the need to have a plan in place to deal with the aftermath of any data loss.
Who will be next?
CW will have been investing heavily in security measures – it is assumed – and yet a breach has occurred. This serves as an effective reminder that no business should assume it is not a target.
The latest PWC Information Security Breaches Survey (2015) commissioned by HM Government shows that security breaches continue to grow in number and impact across large and small businesses alike; 90% of large organisations and 81% of small organisations in the survey have suffered a security breach. Both measures were an increase over the previous year.
The impact of a data breach should not be underestimated, with smaller organisations generally less able to withstand the financial loss, the longer term reputational damage, or a combination of both. In addition, the fines currently possible are due to be increased considerably when new EU-wide rules come into effect.
What should be done?
The Government has been encouraging all organisations to adopt, at the very least, the Cyber Essentials security standard launched last year. Cyber Essentials has two levels: the basic level requires a self-certification questionnaire to be completed and independently assessed, while the Plus level requires an independent test of the security systems themselves. The level adopted will be the business's own decision and will reflect the nature of the business.
Even if the business decides not to follow through to accreditation, adopting the five disciplines that comprise Cyber Essentials will protect the business from around 80-90% of the prevailing cyber threats, according to GCHQ, the Government’s intelligence and security organisation.
The five disciplines cover the following areas:
- Boundary firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks; correct setup of these devices, whether in hardware or software form, is important for them to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring that only those who should have access to the systems have access, and at the appropriate level.
- Malware protection – ensuring that virus and malware protection is installed and is up to date.
- Patch management – ensuring that the latest supported version of each application is used and that all the necessary patches supplied by the vendor have been applied.
Cyber-attacks can affect any business if the appropriate security measures are not put in place and tested on a regular basis. Yellowspring actively encourage businesses to review their security and ensure that they have a future-proof strategy in place to safeguard their business against all forms of basic cyber-crime.
Get in touch today to discuss what we can do to help protect your business against cyber-attacks. Tel: 01268 494160 or email firstname.lastname@example.org