Your company has just had a beautiful new custom app developed. You’ve got salted, one-way hashed passwords. Your data is encrypted in transit and at rest. You’re safe from a data breach, right?
Not quite.
While poorly written code is one avenue to a data breach, there are many other back doors into your organization and its data besides your custom software. We want to shed some light on these.
As an example, let’s take a look at a published report of a recent hack of the Ireland Health Services Executive organization (HSE). The HSE is Ireland’s publicly funded healthcare system and provides health care services to everyone living in Ireland.
Summary of the Ireland Health Services Data Breach
In March 2021, an employee opened a phishing email, downloaded the attached Excel sheet and opened it, launching malware on that one computer.
Over the next 6 weeks, the attackers, who now had a beachhead on one computer, moved laterally through the organization, infecting computers across the network and bringing down servers running core infrastructure, including:
- patient appointments
- contact details
- lab work results
- imaging results, and more.
Some of the systems intended to catch this unauthorized access did raise an alert, but the appropriate action was not taken to remove the intruders.
The HSE took 3 months to restore all of these services, resulting in numerous canceled appointments and delays for patients. Staff often had to fall back to recording with pen and paper, and employees then had to manually reconcile those records back into the official systems months later.
How Your Company Can Avoid a Data Breach
1. Have a cybersecurity owner at the executive level
Cybersecurity has become a major cornerstone of business and should be treated as such. The executive team should have a designated leader of cybersecurity throughout the organization.
You do not want five different people in the organization in charge of various pieces of security with no one making sure everyone is rowing in the same direction. This should be something the executive team monitors and discusses regularly, like every other critical business element.
In the HSE hack, suspect traffic was noticed between two hospitals. The two hospitals discussed it and concluded that the issues arose from hospital A, but it turned out hospital B was the one infected. Both should have been under deeper scrutiny. Additionally, a majority of computers were out of support and antivirus systems were out of date.
This cannot be the culture that is allowed to form in an organization that wants to remain secure.
2. Have a cybersecurity incident response and recovery plan. Test the plan.
The Ireland HSE did not have a documented cyber incident plan. Employees had to come up with how to respond on the fly, and no one was in charge (see above for lack of an executive leader).
Time is not on your side in such an attack, and you do not want to lose that valuable time figuring out what to do. There are numerous templates available online to get you started, as well as organizations that can consult to help develop a plan for yours.
Don’t forget to test the plan. At least a dry walkthrough to make sure the people assigned know what they’re supposed to do will go a long way toward preparedness in the event of a real incident, just like those fire drills we ran at school as kids.
3. Update your business continuity plan to cover cyber attacks
As part of the hack, all email servers and phone servers were shut down. Employees could not use their desk phone or send an email. How well would your organization fare if phones and email suddenly stopped working?
Business continuity plans typically consider things like hurricanes or other weather disruptions, but you should include cyber attacks in your thinking as well.
4. Conduct a risk assessment and follow up on it regularly
A risk assessment is something every organization should be doing; it is a requirement of numerous certifications such as SOC 2 and PCI-DSS. However, just doing the risk assessment is not enough.
The HSE had performed a risk assessment, and it recorded cyber security risk as “High” and “likely”, yet the protections were still woefully inadequate. The report states, “The actions completed prior to the Incident did not materially impact the risk faced in this area.”
This is a common refrain after an incident occurs. Organizations know there is an issue, document how they might mitigate the risks, then implement only some of those mitigations, typically the ones that do not actually solve the problem. Keep your focus on reducing the risk, with the highest-value tasks first.
5. Set up network segmentation to reduce your risk of a security breach
Does a customer support rep’s computer need access to your development team’s computers? To the CEO’s computer? To internal servers?
When designing your internal network, think about who needs to access what and limit appropriately.
Malware has a much more difficult time moving from one network segment to another when the network is properly segmented. It’s more work to set up and manage, but it leaves you at much lower risk from an actual incident. Anywhere an email client is run (the primary vector for phishing attacks) should have a hard time reaching core network or application servers.
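One way to check the point above before an incident does it for you: model the flows your firewalls allow between segments and count how many boundaries a phished desktop would have to cross to reach sensitive servers. This is an added example, not code from the original post or from the HSE; the segment names and both policies are constructed assumptions, with a flat network beside a segmented one.

```python
from collections import deque

# Constructed sample policies (assumptions for this example, not the HSE's network).
# policy[a] lists the segments that hosts in segment a may open connections to.
FLAT_NETWORK = {
    "workstations": ["build", "app-servers", "db", "ad"],   # desktops running email clients
    "build": ["app-servers", "db"],
    "app-servers": ["db"],
    "db": [],
    "ad": ["workstations", "app-servers"],
}
SEGMENTED_NETWORK = {
    "workstations": ["jump-host"],   # only brokered, logged admin access leaves the desktop segment
    "jump-host": ["app-servers"],
    "build": ["app-servers"],
    "app-servers": ["db"],
    "db": [],
    "ad": [],
}

def reachable_from(policy, start):
    """Map every segment reachable from `start` to the hops (firewall boundaries) needed."""
    hops, queue = {}, deque([(start, 0)])
    while queue:
        seg, d = queue.popleft()
        for nxt in policy.get(seg, []):
            if nxt != start and nxt not in hops:
                hops[nxt] = d + 1
                queue.append((nxt, d + 1))
    return hops

def segmentation_findings(policy, email_segments, sensitive):
    """List (source, target, hops) for each sensitive segment a phished desktop could reach.
    One hop means a single allowed flow separates the email client from the crown jewels."""
    findings = []
    for src in email_segments:
        reach = reachable_from(policy, src)
        for tgt in sorted(sensitive):
            if tgt in reach:
                findings.append((src, tgt, reach[tgt]))
    return findings

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        print(name)
        for src, tgt, hops in segmentation_findings(policy, ["workstations"], ["build", "app-servers", "db"]):
            print(f"  {src} -> {tgt} in {hops} hop(s)")
```

In the flat policy every sensitive segment is one hop from the desktops; in the segmented one the build segment is unreachable and the database sits three audited boundaries away.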
6. Limit direct employee access to data
In many companies, especially small to medium sized businesses, employees wear a lot of hats. This can often mean that one person’s account has a lot of access throughout the organization, especially in the development team.
If one of your developers had opened that phishing email, where could the attacker move? Into your build servers? What about production servers and data? All the correctly implemented secure software practices in the world will not save you if a malicious actor gets the credentials of a developer who has a backdoor into everything.
Regularly review who has access to what sensitive data and implement safeguards. For example, you may require that developers request access to production and automatically revoke that access after a short period of time.
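The request-then-auto-revoke pattern just described, as an added example that is not part of the original post: a small broker that records a reason for every grant, caps its duration, refuses expired grants at decision time, and sweeps them on a schedule. The `JitAccessBroker` class, the ticket numbers and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class AccessGrant:
    user: str
    resource: str
    reason: str               # ticket or justification, looked at during access reviews
    granted_at: datetime
    expires_at: datetime
    revoked_at: datetime = None

class JitAccessBroker:
    """Time-boxed access: each grant carries an expiry, is checked at decision time and swept."""
    def __init__(self, max_duration=timedelta(hours=4)):
        self.max_duration = max_duration   # policy ceiling for any single grant
        self.grants, self.audit = [], []   # audit is an append-only log for reviews
    def request(self, user, resource, reason, duration, now):
        if not reason.strip():
            raise ValueError("a ticket or reason is required for production access")
        duration = min(duration, self.max_duration)   # never exceed the ceiling
        grant = AccessGrant(user, resource, reason, now, now + duration)
        self.grants.append(grant)
        self.audit.append(f"GRANT {user} -> {resource} ({reason}) until {grant.expires_at:%H:%M}")
        return grant

    def has_access(self, user, resource, now):
        # Expired or revoked grants never count, even before the sweep has run.
        return any(g.user == user and g.resource == resource and g.revoked_at is None
                   and g.expires_at > now for g in self.grants)

    def sweep(self, now):
        """Revoke every expired grant; returns them so a job can also rotate keys."""
        revoked = []
        for g in self.grants:
            if g.revoked_at is None and g.expires_at <= now:
                g.revoked_at = now
                revoked.append(g)
                self.audit.append(f"REVOKE {g.user} -> {g.resource} at {now:%H:%M}")
        return revoked

def demo():
    """Constructed scenario: two developers request prod-db access at 09:00; the sweep runs at 10:30."""
    t0 = datetime(2021, 3, 18, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    broker = JitAccessBroker()
    broker.request("dev-alice", "prod-db", "INC-1234 hotfix", timedelta(hours=1), t0)
    bob = broker.request("dev-bob", "prod-db", "INC-1235 migration", timedelta(hours=8), t0)
    before = broker.has_access("dev-alice", "prod-db", t0 + timedelta(minutes=30))
    revoked = [g.user for g in broker.sweep(t0 + timedelta(minutes=90))]
    after = broker.has_access("dev-alice", "prod-db", t0 + timedelta(minutes=90))
    return before, revoked, after, (bob.expires_at - bob.granted_at) / timedelta(hours=1), len(broker.audit)
```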
7. Provide security awareness training to your employees
The HSE data breach is an example of an employee inadvertently opening the back door to an intruder. This is not uncommon; in fact, according to cyber security company Trend Micro, 91% of successful data breaches started with a spear phishing attack. It doesn’t matter how secure your software is if employees do not recognize malicious emails.
KnowBe4 addresses the issue of human error with their security awareness training for your employees. We use them here at Big Fish and can recommend them without hesitation.
8. Keep track of, and have a process around, your exported data
Let’s look at another common way a data breach occurs. You are looking at forming a partnership with another organization and, as part of your due diligence, a report of all your customers, their contact information, and annual revenue is produced.
Is this document being securely monitored and held? Or is it just emailed around? Did someone accidentally leave it sitting on a company wide file share? Or even worse, one public to the world?
A large number of data breaches come from reports and exports of data that were intentionally pulled for marketing or other purposes and then lost. Here’s a scary example where an exported data set was left sitting on a public file server.
Final Thoughts on Preventing a Data Breach
When data breaches or other cyber attacks occur, there is often a postmortem provided about what went wrong and how the organization intends to prevent it from happening again. These are hugely valuable resources for your organization to learn from others and avoid having the same problem yourself.
Application and data security is a huge and important topic of its own that we frequently cover at Big Fish as part of being a software development company, but be aware that the strongest lock on the front door will not help if the back door is left wide open.