You only have to do a quick search to see the host of well-known companies that have experienced a data breach over the past decade or so: British Airways, Marriott Hotels, Uber, Yahoo, Facebook, TalkTalk, Equifax. The list goes on.
When a well-known company experiences a substantial breach, you can be certain that it will hit the headlines, with the media often focusing their attention on the potentially big numbers involved. This attention usually comes in two phases:
1. News of the breach – the focus will be on the number of people affected/the amount that has been accessed.
“Marriott hack hits 500 million Starwood guests” – BBC News, November 2018
2. The aftermath – the focus will often be on the size, or the potential size, of any regulatory fine. Whilst this has always happened, this phase has started to gain more attention due to the increased fines under GDPR.
“BA faces £183m fine over passenger data breach” – The Guardian, 2019
As you can see, the figures will always grab the headlines; they are what sells the story. But do the headlines tell the story from a security improvement standpoint?
Go beyond the figures to improve your security
Whilst figures are great at grabbing attention, and potentially raising awareness of the importance of overall data security, they don’t give the insight or knowledge you or your company need to act.
To find this information you need to go beyond the headline figures, usually to paragraph 3 or 4 of the article, to the information about how the attackers potentially got in. This is far more valuable information for those wishing to improve their security posture following news of a breach and can often highlight areas that may not have been considered from a security point of view.
For example, a successful breach involving a third-party payment application may encourage you to ask questions of your own third-party applications. What apps are we using? Have we undertaken security due diligence on these apps? What data does the app have access to and how is that data being protected? What security measures do suppliers have in place? Are developers undertaking web application security testing to ensure their product remains protected? Have we tested the security of the app independently?
It’s these types of questions that will help your company become more protected following a widely publicised breach, not the figures. So, next time you see a data breach hit the headlines, look beyond the headline, find out how the attackers got in and ask yourself: could something similar happen to us?