Learning From Data Breaches
WIRED has a new analysis on the current state of data breaches, the long, chaotic path that brought us to this point, and where we might be headed. It’s a comprehensive read, and its core message is that while organizations have indeed made strides over the past few decades to take cybersecurity more seriously, there are still so, so many shortcomings that continually go unaddressed. For some, this might stem from ignorance; for others, from the daunting task of perpetual spending to maintain a strong security posture.
Either way, when an entity is breached, it’s usually the case that the vulnerability was something small and overlooked, or that an infiltrator didn’t have to use a lot of resources to carry out their mission. And sometimes, even after they’ve suffered a breach, an organization will compound it with another glaring error (think of Equifax retweeting a scam phishing link instead of their actual breach response page).
We discussed one such case back in October, when Google announced they were shutting down their Google+ social networking platform. That development came after they discovered a breach that exposed the data of around 500,000 users. After years of trying to compete with the likes of Twitter and Facebook, a data breach of that magnitude proved to be more effort than it was worth.
Last week, that shutdown timetable moved up to April 2019 instead of August. Why? Because a second bug had allowed app developers to request and receive permission to view users’ profile information, even fields that had been made private. Compared to the previous number, this time roughly 52.5 million users were potentially affected, so I’d say Google’s decision to speed things along is understandable.
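To make the shape of that second bug concrete, here is an added illustration of a field-level authorization gap in a profile API, with the flawed pattern beside a hardened one. It is a constructed example written for this post; it is not Google’s code and does not describe the actual Google+ API, and the `Profile` class, the `"profile"` scope name and the sample profile data are all assumptions for the sake of illustration.

```python
# Constructed example (not Google's code): a minimal profile API that must
# respect the owner's per-field visibility settings before handing data to a
# third-party app that holds a "profile" permission scope.
from dataclasses import dataclass

PUBLIC, PRIVATE = "public", "private"


@dataclass
class Profile:
    user_id: str
    fields: dict      # field name -> value
    visibility: dict  # field name -> PUBLIC or PRIVATE, as chosen by the owner


def profile_for_app_vulnerable(profile: Profile, granted_scopes: set) -> dict:
    """Flawed pattern: once the app holds the 'profile' scope, every field is
    returned, and the owner's visibility settings are never consulted."""
    if "profile" not in granted_scopes:
        return {}
    return dict(profile.fields)


def profile_for_app_fixed(profile: Profile, granted_scopes: set,
                          caller_is_owner: bool = False) -> dict:
    """Hardened pattern: the scope still gates access, but each field is also
    checked against the owner's visibility setting. Fields with no explicit
    setting are treated as private (fail closed), and private fields are only
    released when the caller is the profile owner."""
    if "profile" not in granted_scopes:
        return {}
    return {
        name: value
        for name, value in profile.fields.items()
        if caller_is_owner or profile.visibility.get(name, PRIVATE) == PUBLIC
    }


# Constructed sample profile: one public field, two private ones, and one
# field the owner never configured (so the fixed path must default it to private).
SAMPLE = Profile(
    user_id="u-123",
    fields={"name": "A. User", "email": "a@example.invalid",
            "birthday": "1990-01-01", "phone": "555-0100"},
    visibility={"name": PUBLIC, "email": PRIVATE, "birthday": PRIVATE},
)

if __name__ == "__main__":
    app_scopes = {"profile"}
    print("vulnerable:", sorted(profile_for_app_vulnerable(SAMPLE, app_scopes)))
    print("fixed:     ", sorted(profile_for_app_fixed(SAMPLE, app_scopes)))
    print("owner:     ", sorted(profile_for_app_fixed(SAMPLE, app_scopes, True)))
```

The two functions differ by a single condition, which is the point: a coarse permission grant is not the same as an authorization decision, and the check that was missing is small enough to be overlooked in review. A unit test that asserts private fields never leave the API for a non-owner caller is the cheapest way to keep that condition from quietly disappearing later.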
Google+ serves as an important lesson in cybersecurity: the vulnerability isn’t always going to be a huge, neon-flashing sign. In both instances here, it was a relatively minor bug that allowed the fatal blows to be delivered. As the WIRED article says, more organizations would do well to learn from lessons like these; by “significantly raising the barrier to entry or the resources required to carry one off,” they could help reduce the number of breaches overall. Cyber criminals certainly aren’t going to be deterred by anything less, so why should your own efforts give anything less?