A quick summary of today’s cyber news, and it is clear that the same key lessons are emerging as have already been noted this week. Indian restaurant guide Zomato is reporting the theft of data on some 17 million users. From the phrasing in their blog, it appears that they have only just found the breach, but have not clarified when it occurred, and have stated that ‘So far, it looks like an internal (human) security breach – some employee’s development account got compromised.’ It is interesting to note that, although they state that ‘they take cyber security very seriously’, the actions they are now taking include this one: a ‘layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach.’
Meanwhile DocuSign, who ‘move businesses forward securely and reliably’, have reported that a list of email addresses has been breached, and that customers have been sent phishing emails. Their website has been used effectively to report on the breach and the investigation, as well as to post a detailed FAQ. The fact that DocuSign is certified to ISO 27001 has probably helped to ensure that they have effective incident management processes, but this highlights that even companies with information security management systems in place can still be susceptible to attacks and breaches. Both the DocuSign and Zomato incidents have had a swift incident response, with clear communications about the steps being taken available on the relevant websites.
In the US, bots are being used to spam a regulator’s website, thought to be some form of protest over a proposed reversal of net neutrality rules. In this instance, the website is being bombarded with comments, and there are suspicions that stolen data is being utilised in order to make the comments appear real, despite the similarity of the comments. Also in the US, an Apple software developer has had source code stolen, in a case that demonstrates that even developers can be fooled by the hackers.
All these cases, and more, highlight similar lessons but, in particular, organisations should ensure that information security training is an integral part of business culture, and starts with staff. Staff need to know which emails are safe to open, and which links should not be clicked. As stated in ISO 27002, access to information should have ‘rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”’.
On a personal level, the need for business continuity planning kicked in this morning. First a puncture; not normally a problem, but I simply could not get the wheel off the car. I finally made it in to the office, and found that, after even more Microsoft updates, it took 2 hours to get onto the network with my new laptop, as well as finding that my existing screen does not fit, as technology has moved on and the new laptop does not take a VGA fitting. All sorts of lessons for business continuity, including fully understanding that things will take longer than expected (particularly when you need them to be quick!), and that technology does move on, so those assumptions that you have made about your recovery strategy may not be quite as easy as you thought, and so should be tested!
Contact Cambridge Risk Solutions to find out how we can help you with information security and incident management planning, or call us on 0800 035 1231.