TalkTalk's Cybersecurity Lesson

Last October broadband provider TalkTalk was hacked for the third time in the space of just a year. The company, which has around four million customers in the UK, was initially unable to confirm whether the stolen customer data was encrypted or not, fuelling public outrage and landing them with a total bill of £35 million as a result.

This attack is not an isolated incident. It followed a long line of similar attacks that have recently affected companies as varied as Target, Sony, Carphone Warehouse and Ashley Madison. So what can financial services companies learn from these attacks? Where should companies invest in stronger security and what should they be doing to protect their customers' data?

There is no doubt the tactics of cyber-criminals are becoming increasingly intelligent and complex. A vast range of bespoke criminal software, specifically designed to help hackers exploit weaknesses in cyber-security, is available for purchase by bitcoins on the dark web in an untraceable marketplace. This black market for exploitative software has become a billion dollar industry. According to the Federal Reserve Bank of San Francisco, unique strains of malware such as that sold on the dark web reached 100 million variants in 2012, and this number is growing at an accelerated pace.

When or if they ever get to the bottom of the TalkTalk attack, it would not be surprising to find that the malware code they used was procured from this dark web.

Aside from the threat of hackers obtaining malware on the dark web, there are still gaps and vulnerabilities in companies' software systems that must be closed. At present, the easiest way to break into someone's bank account – for example – is to get their valid user ID and password. Social engineering bypasses the traditional cyber-security of user IDs and passwords – the hacker just steals valid credentials and they're in. The consumer needs to be educated in the various scams criminals use to obtain these credentials. The confidence scams are clever and effective and make traditional cyber-security mechanisms useless.

Perhaps nowhere else is data security more paramount than in the financial services industry, and FS providers need to up their game to address threats in real-time. Currently, the FS industry has invested heavily in securing the ‘perimeter fence' of security. There is very little attention paid to securing the business applications themselves.
 
It should be obvious by now that relying on perimeter security to prevent data breaches is a seriously flawed strategy. Organisations now need to look past the point of entry for hacking threats, criminals will always find a way in. Just as with building security where systems include alarm systems and sensors both at the point of entry as well as within the building, banks also need to focus on cyber-security within the banking application itself.

Companies need to monitor user behaviour for inconsistencies, deploying software sensors at critical points in the applications to detect valid users who are not using the system as expected.  Such a system learns patterns of behaviour that are normal for users, and can detect hackers who must probe the system to find weaknesses thus exposing their presence because the hacker's behaviour is not what a normal user would do.  By knowing what the cyber-criminal does when they break in, companies can monitor for this type of activity and sound an alarm when it happens.
 
Tackling the threat posed by cyber-criminals is also on the government's agenda. It was recently announced that the UK government will be increasing it’s spend on cyber-security to £1.9 billion to protect the country from potentially devastating hacks on a national scale by terrorists – and increased governmental spend on cyber-security is likely to impact positively on the threat posed to UK consumers. In addition, the new EU Data Protection Regulations will have a two-year transition period for all systems in the EU to become compliant before enforcement starts.  
 
The new compliance requirements will include the stipulation that data security becomes an overriding priority, with safeguards having to be built-in to products and services from the earliest stages of development. The pan-European regulations will enforce, among other things, that if the regulations are broken, fines of four percent of global revenue or €100 million can be levied.
 
The next few years will see a major increase in cyber-defence spending across both public and private sectors, and companies must invest wisely to successfully protect their customers and their reputations.

SC Magazine:

 

 

« Self-Driving Car Poses High Hacking Risk
EU Protects Online Data Quite Differently From The US »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Marsh

Marsh

Marsh is a global leader in insurance broking and risk management and has been a leader in combatting cyber threats since their emergence.

Indium Software

Indium Software

Indium Software is an Independent Software Testing Company offering software testing services (including security testing) and offshore Quality Assurance solutions.

Menlo Security

Menlo Security

Menlo Security protects organizations from cyberattacks by eliminating the threat of malware from the web, documents, and email.

National Cyber Security Directorate (DNSC) - Romania

National Cyber Security Directorate (DNSC) - Romania

DNSC (formerly CERT-RO) is the Romanian national cyber security and incident response team.

ERMProtect

ERMProtect

ERMProtect is a leading Information Security & Training Company that helps businesses improve their cybersecurity posture and comply with regulations.

Truepic

Truepic

Truepic provides technologies that prevent fraud, identity theft, misinformation, and disinformation caused by generative, manipulated, or deepfake digital content.

CMMI Institute

CMMI Institute

CMMI Institute enables organizations to elevate and benchmark performance across a range of critical business capabilities, including product development, data management and cybersecurity.

Cytelligence

Cytelligence

Cytelligence is a cyber security consulting company with deep expertise in Cyber Breach Response, Cyber Breach Investigations, and Digital Forensics.

DarkLight

DarkLight

DarkLight is a cybersecurity platform that mimics human thinking at scale to build resiliency to Advanced Persistent Threats.

SWAT Systems

SWAT Systems

SWAT Systems is an IT support and cyber security managed service provider.

Private Client Cyber Security (PCCS)

Private Client Cyber Security (PCCS)

PCCS provides enterprise-grade cybersecurity consulting and services to professional practices, executives, athletes, and high net worth families.

RiskOptics

RiskOptics

RiskOptics (formerly Reciprocity) equips organizations with one of the most intuitive and powerful information security and cyber risk management solutions in the market.

Gatefy

Gatefy

Getfy is a cybersecurity company specialized in artificial intelligence and machine learning. We work to solve challenging issues, especially those involving email security.

Epoch Concepts

Epoch Concepts

Offering a full line of IT services, solutions, and integration capabilities, Epoch Concepts is the trusted partner of the US military, federal agencies, private enterprises, and systems integrators.

Cybit

Cybit

Cybit is the one-stop-shop for digital transformation that scales in line with your growth.

Chorology

Chorology

Chorology is a leading provider of intelligently automated, data compliance and posture enforcement solutions.