When IT leaders and decision makers think and talk about security, the conversation is almost always centered on the company’s own infrastructure, protecting the walls of the organization. Yet every organization works alongside others, through partners, agencies and outsourcing.

You buy technology from other companies with no idea how their developers built it. Did they write the code in-house, or copy it from somewhere else without checking it or knowing where it originated? The majority of companies use third parties to help them grow and scale. Knowingly or not, every company sits in an ecosystem of trust.

This ecosystem of trust also extends to your employees. Whether you’ve provided them with corporately owned devices or you have a BYOD policy in place, when your employees mix personal and corporate data on one device you need to be able to trust them.

The ecosystem is ever expanding, so it is important to know what to do when something goes wrong. With the introduction of GDPR, which makes notification of personal data breaches to the regulator mandatory (within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals), it has never been more important to have an incident response plan in place.

For investigative journalist Geoff White, “when it goes wrong” is his bread and butter. At Wandera’s annual mobile security conference, Level, he shared a few examples of why having a recovery strategy in place is so important.

TalkTalk

“TalkTalk has all the lessons of cybersecurity embedded into it.”
Geoff White, Investigative Journalist

In October 2015, TalkTalk suffered an SQL injection attack on its website. Before that, however, TalkTalk customers had been receiving persistent calls from a group of criminals who already held their full customer account details and used them to convince victims that they were, in fact, calling from TalkTalk. They were not. Customers were talked into handing over further personal and financial data and were conned out of thousands of pounds; in some cases people lost their life savings. So how did this happen?

A few years earlier TalkTalk had outsourced its customer service operations to Wipro, an IT services corporation, and its Calcutta office, it turned out, was not that secure. A number of corrupt employees took TalkTalk customer data and sold it to a criminal gang operating in India. The gang was organized and targeted in its approach, and the stolen data is what made the calls credible: someone who can quote your account number and recent bills does not sound like a scammer.

Who gets the blame?

Those who lost money were understandably furious that their data had been compromised and went looking for compensation. But where does the blame lie, and who ends up being sued? The victims only knew TalkTalk: their contract was with TalkTalk and they had an emotional connection with the brand. TalkTalk, on the other hand, said it was not responsible: it was not TalkTalk that compromised the data, and it was not TalkTalk’s fault that people fell for the con. They tried to cut the chain of responsibility. The problem is that, whether or not they escaped the legal ramifications, their reputation was in ruins. If you look at TalkTalk’s share price, it drops dramatically after October 2015 and never fully recovers.

“Who gets the blame when it goes wrong? The biggest name gets the biggest blame.”
Geoff White, Investigative Journalist

For TalkTalk and others like it, it didn’t matter who in the supply chain made the mess. If you are the big-name brand the public knows, the brand you worked so hard to establish in the industry is going to come back and bite you in the ass.

The minimum age on Tinder is...

Another example of the problem with the ecosystem of trust is when two companies each think the other is doing something that neither is doing. In this case there was no data breach as such, but public safety, and more importantly child protection, was at risk.

Tinder used to have a minimum age of 13. This shocked me, it shocked Geoff and it sure as hell shocked the people he interviewed on the street. When asked, Tinder said yes, the minimum age is 13, but under-18s are matched with different people from those over 18. This was not the best answer from Tinder; there are obvious problems with it, namely the huge physical and emotional differences between a 13-year-old and a 17-year-old. Where it gets worse is that Tinder did not check whether anyone over 18 was getting into the under-18 pool. But you signed in to Tinder with Facebook’s single sign-on, and Facebook checks ages. Right? Wrong. Facebook does not verify ages (the date of birth on a profile is whatever the user typed in), and Facebook was not aware that Tinder was relying on it to do so. Each party assumed the control sat with the other, so nobody performed it. Suffice to say, once Geoff’s story broke, the minimum age was raised.

Mobile Malware

“Mobile malware is like the dog that hasn’t barked.”
Geoff White, Investigative Journalist

While the number of mobile malware strains has increased, it has not been the explosion many experts predicted. Data from AV-TEST, an independent testing lab in Germany, showed Android’s share of the malware samples it recorded hovering just over 3% in 2015, reaching 5% in 2016 and just below 6% in early 2017. So yes, mobile malware is increasing, but WannaCry, the biggest attack of 2017, hit Windows desktops and servers, not mobile. This is not to say mobile isn’t a threat; it is a different type of threat. On mobile, attackers are going after the users rather than the operating system, through phishing and social engineering.

We may all have had our data breached

Do you think your data has been breached? There is a way to find out. Go to a website called Have I Been Pwned, type in your email address and it will tell you whether that address appears in a known breach and, if so, which sites it came from. As of May 2018 the site was listing more than 4.7 billion breached accounts.
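Typing an address into the web form is fine for an individual, but a practitioner will also want to check credentials, for example passwords chosen for corporate accounts, without handing them to a third party. Have I Been Pwned's sibling Pwned Passwords service supports this through a k-anonymity range API: the client sends only the first five hex characters of the password's SHA-1 and matches the rest locally, so the service never learns which password was checked. The Python below is an added example, not part of Geoff's talk, the original page or the service's own code; the endpoint URL is the real public one, while the range response is a constructed sample (made-up counts) so the code runs offline.

```python
"""Check a password against Pwned Passwords without revealing it (k-anonymity).

Added example, not code from the talk or from Have I Been Pwned itself. The
client hashes the password with SHA-1, sends only the first 5 hex characters
to the range endpoint, and matches the remaining 35 characters locally against
the returned list, so the service never learns which password was checked.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real public endpoint of the Pwned Passwords range API.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# Real responses contain hundreds of lines; the counts here are made up.
SAMPLE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "FFFFE2D5FA4D8A3A6E4E5F7E3D1A4D5D8B9:1\r\n"
)


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the service uses CRLF line endings)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character prefix leaves the machine."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def offline_demo() -> Dict[str, int]:
    """Run the check against the constructed sample instead of the network."""
    fake_fetch = lambda prefix: SAMPLE_RESPONSE
    return {
        "password": pwned_count("password", fetch=fake_fetch),
        "correct horse battery staple": pwned_count("correct horse battery staple", fetch=fake_fetch),
    }


if __name__ == "__main__":
    print(offline_demo())
    # For a live check against the real service: print(pwned_count("password"))
```

The `fetch` parameter exists so the network call can be swapped out in tests; in production you would call `pwned_count(candidate)` at password-set time and reject anything with a non-zero count.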

Another website, Leak Source, lets you put in someone’s email address and, for a few dollars, returns their password. If the password was stored as a hash rather than in plain text, the site tells you which hashing algorithm was used so that you can try to crack it offline; for an unsalted MD5 or SHA-1 hash that is usually a matter of seconds with a wordlist. Leak Source has between 2.1 and 3.1 billion accounts listed. For comparison, there were around 3.58 billion internet users in 2017. These are accounts rather than people, and one person usually has several, but the conclusion stands: a very large share of users have had at least one set of credentials compromised. For employers who routinely hand corporate-owned devices to employees who then use them for both work and personal accounts, that is a whole new level of threat to the company: a password reused from a breached personal account can open a corporate one.
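The hashed-but-crackable point deserves a demonstration. The Python below is an added example, not the speaker's material and not a real dump: it builds a constructed leak in email:hash form, identifies the algorithm from the hash format the way a lookup service would report it, and runs a small wordlist against it. Unsalted MD5 and SHA-1 records are cracked with one hash table shared across every record in the dump, while the salted, iterated PBKDF2 records (stored in a made-up "$pbkdf2-sha256$" format for this example) force the attacker to redo the work for each account. The wordlist, addresses and salts are all constructed.

```python
"""Why 'it was hashed' is not reassurance: identify the algorithm, then crack.

Added example with a constructed leak dump (no real data). Unsalted MD5/SHA-1
records fall to a wordlist with one hash computation per candidate for the
whole dump; salted, iterated PBKDF2 records cost the attacker a fresh run of
the wordlist for every single account.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed wordlist; real attacks use tens of millions of leaked passwords.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "hunter2"]


def pbkdf2_record(password: str, salt: bytes, iterations: int = 10_000) -> str:
    """Made-up storage format for the example: $pbkdf2-sha256$<iters>$<salt hex>$<dk hex>."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


# Constructed leak: (email, stored credential). The first two are unsalted hex
# digests exactly as they appear in many real dumps; the salted ones are
# generated here so the example is self-contained.
LEAK: List[Tuple[str, str]] = [
    ("alice@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),          # md5("password")
    ("bob@example.com", "7c4a8d09ca3762af61e59520943dc26494f8941b"),    # sha1("123456")
    ("carol@example.com", pbkdf2_record("letmein", b"salt-carol")),
    ("dave@example.com", pbkdf2_record("hunter2", b"salt-dave")),
]


def identify(stored: str) -> str:
    """Guess the algorithm from the format, as a leak-lookup site would report it."""
    if stored.startswith("$pbkdf2-sha256$"):
        return "pbkdf2-sha256"
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(stored), "unknown")


def crack(leak: List[Tuple[str, str]], wordlist: List[str]):
    """Return ({email: recovered password}, {'unsalted': ops, 'salted': ops}).

    'ops' counts hash computations, which is the attacker's real cost.
    """
    cracked: Dict[str, str] = {}
    ops = {"unsalted": 0, "salted": 0}
    tables: Dict[str, Dict[str, str]] = {}  # algo -> {digest: word}, built once, reused for every record

    for email, stored in leak:
        algo = identify(stored)
        if algo in ("md5", "sha1", "sha256"):
            if algo not in tables:  # no salt, so one table serves the entire dump
                tables[algo] = {}
                for word in wordlist:
                    tables[algo][hashlib.new(algo, word.encode("utf-8")).hexdigest()] = word
                    ops["unsalted"] += 1
            if stored.lower() in tables[algo]:
                cracked[email] = tables[algo][stored.lower()]
        elif algo == "pbkdf2-sha256":
            _, _, iters, salt_hex, dk_hex = stored.split("$")
            salt = bytes.fromhex(salt_hex)
            for word in wordlist:  # unique salt: the work cannot be shared between accounts
                ops["salted"] += 1
                dk = hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, int(iters))
                if dk.hex() == dk_hex:
                    cracked[email] = word
                    break
    return cracked, ops


if __name__ == "__main__":
    recovered, cost = crack(LEAK, WORDLIST)
    for email, pw in recovered.items():
        print(f"{email}: {pw}")
    print("hash computations:", cost)
```

With this dump the two unsalted records cost ten hash computations in total, and that figure would not change if the dump held two million such records; the two salted records already cost nine PBKDF2 runs between them, each 10,000 iterations deep, and that cost grows linearly with the number of accounts.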

“Hackers only need to be right once.”
Geoff White, Investigative Journalist

The time ITN posted a blog about Israel and nuclear weapons

ITN, where Geoff currently works, has also been on the receiving end of an attack, a phishing attack to be precise. An email came through that looked like a link to a BBC article; when you clicked it, you landed on an identical copy of the ITN log-in page, which made it look as though you had to sign in with your work credentials to read the article.

The email only needed one person to fall for it, and one person did. From there the attackers had access to that person’s mailbox, and they did two things. First, they sent the same article link to everyone, telling them they should read it; because this time it came from a colleague’s genuine account, many more people clicked the link and signed in. Second, they searched that inbox for the word ‘password’, found the credentials for ITN’s blog platform and published a live blog post directly to the site without anyone noticing.

So with this huge ecosystem of trust, how do you stay secure? It will always be important to have the right systems in place to stop a breach before it happens and to react quickly when one does. But more importantly, it is all about communication: internally, you need to communicate the importance of trust and security to your employees; externally, you need to ask the right questions of your partners, suppliers and vendors.

“If I can offer any advice to you, it would be about how you communicate internally about trust and security to your employees and having a plan in place so when something does go wrong, you have a strategy for talking to your customer and trying to regain that trust they had in you.”
Geoff White, Investigative Journalist
