Around this time last year a large online auction website announced that it had been breached and that millions of customer records had been compromised. It was not alone: 2014 was marked by high-profile cyberattacks on high street and online retailers. Immediately after such an attack, most companies asked their customers to change their passwords, either as a security fix or as a precaution, but is that enough?
Looking beyond passwords is a crucial step in preventing further attacks. Weak passwords such as "123456" remain incredibly popular, and it takes no sophisticated resources to steal data by guessing them. Surprisingly, some major websites that store credit card data and other sensitive information still accept weak passwords; one likely reason is that they are trying to strike a balance between security and usability, since, as we have all experienced, overcomplicated passwords tend to be forgotten.
To balance usability and security without adding unnecessary steps, many companies are adopting two-factor authentication or context-based (risk-based) authentication, in which several signals and behaviours, not the password alone, are used to decide whether a login is really the account holder. When a user attempts to sign in, the company looks beyond the password at other available information, such as geographical location, time of day and the device used, and compares it with the user's previous pattern. If one or more of these deviate from the usual behaviour, an extra check is prompted, such as a one-time PIN sent by text message to the registered mobile phone. If both the password and the other signals match, it is business as usual and the user is let into their account.
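The decision logic just described, as an added worked example (not code from the original article or from any particular vendor). It assumes the password has already been verified elsewhere and that IP geolocation and a persistent device identifier are available; the user history, weights and threshold are constructed sample values chosen to illustrate the idea. Each deviation from the user's established pattern adds to a risk score; a correct password with a low score is allowed, a correct password with a high score triggers a step-up challenge, and a wrong password is always refused without revealing whether the context would have passed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class LoginEvent:
    user: str
    country: str       # ISO country code from IP geolocation (assumed available)
    device_id: str     # persistent device cookie or fingerprint (assumed available)
    timestamp: datetime


# Constructed sample history: prior successful logins per user.
HISTORY: Dict[str, List[LoginEvent]] = {
    "alice": [
        LoginEvent("alice", "GB", "dev-laptop", datetime(2015, 3, 2, 9, 15, tzinfo=timezone.utc)),
        LoginEvent("alice", "GB", "dev-laptop", datetime(2015, 3, 3, 18, 40, tzinfo=timezone.utc)),
        LoginEvent("alice", "GB", "dev-phone", datetime(2015, 3, 4, 12, 5, tzinfo=timezone.utc)),
    ],
}

# Illustrative weights and threshold; a production system tunes these from its own data.
WEIGHTS = {"new_country": 2, "new_device": 2, "odd_hour": 1}
STEP_UP_THRESHOLD = 2   # a score at or above this requires a second factor
HOUR_TOLERANCE = 2      # hours either side of a previous login still count as "usual"


def hour_distance(a: int, b: int) -> int:
    """Distance between two hours on the 24-hour clock (23:00 and 01:00 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def risk_factors(event: LoginEvent, history: List[LoginEvent]) -> List[str]:
    """List the ways `event` deviates from the user's established pattern.

    An empty history yields every factor, so a first login is always challenged.
    """
    factors = []
    if event.country not in {h.country for h in history}:
        factors.append("new_country")
    if event.device_id not in {h.device_id for h in history}:
        factors.append("new_device")
    if not any(hour_distance(event.timestamp.hour, h.timestamp.hour) <= HOUR_TOLERANCE
               for h in history):
        factors.append("odd_hour")
    return factors


def risk_score(factors: List[str]) -> int:
    return sum(WEIGHTS[f] for f in factors)


def decide(event: LoginEvent, password_ok: bool, history: List[LoginEvent]) -> str:
    """Return "deny", "allow" or "step_up".

    The password is checked first; a mismatch is refused outright so the response
    never leaks whether the context alone would have been accepted.
    """
    if not password_ok:
        return "deny"
    if risk_score(risk_factors(event, history)) >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(user: str, country: str, device_id: str, hour: int, password_ok: bool) -> str:
    """Convenience wrapper: evaluate a login at `hour` UTC on a fixed sample date."""
    event = LoginEvent(user, country, device_id,
                       datetime(2015, 3, 5, hour, 0, tzinfo=timezone.utc))
    return decide(event, password_ok, HISTORY.get(user, []))


def record_success(user: str, country: str, device_id: str, hour: int) -> None:
    """Call once a login is allowed or the step-up challenge succeeds, so the new
    context becomes part of the user's baseline for future decisions."""
    HISTORY.setdefault(user, []).append(
        LoginEvent(user, country, device_id,
                   datetime(2015, 3, 5, hour, 0, tzinfo=timezone.utc)))


if __name__ == "__main__":
    for args in [("alice", "GB", "dev-laptop", 10, True),    # familiar context
                 ("alice", "GB", "dev-tablet", 10, True),    # new device
                 ("alice", "RU", "dev-laptop", 3, True),     # new country, odd hour
                 ("alice", "GB", "dev-laptop", 10, False)]:  # wrong password
        print(args, "->", evaluate(*args))
```

Two design points worth noting: only successful logins (including ones that passed the step-up) are added to the baseline, otherwise an attacker could "train" the system by repeatedly failing from a new location; and a single weak signal such as an unusual hour is deliberately not enough on its own, which is what keeps the extra check from becoming the unnecessary friction the text warns about.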
User access, however, is only part of the problem. Cybercriminals still use automated tools to guess common passwords, but in many cases they steal passwords and data in bulk by compromising the server or database that holds them. So when the news reports that millions of accounts were hacked in one go, stronger user passwords would not have prevented the breach; at best, strong passwords stored as salted, slow hashes limit the damage by making the stolen records harder to crack offline.
Companies are well aware of the many entry points a cybercriminal can exploit, and most invest heavily in network security in the hope of making it impenetrable. Not all of them, however, will accept that a 100% secure network is nothing but a dream. Accepting that a breach may happen is by no means the same as giving up on protecting valuable data; on the contrary, it means companies know their own vulnerabilities and can invest in real-time detection and incident response. For example, after a cyberattack it is possible to go back to the "scene of the crime" and reconstruct how the data theft happened, which lets the breached company secure those weak points first.
Unfortunately, it is not only companies that believe networks can be made 100% secure. Cyberattacks have attracted a lot of bad press for their victims, unfairly placing the blame solely on the breached companies. The public does not seem to fully grasp how resourceful and sophisticated cybercriminals have become, operating vast networks, sometimes as "professionally" as legally established companies. The only way to change this perception is to discuss the topic openly, exposing the sophistication of cybercriminals and the huge gains they make selling personal data on the black market.
In general, after the initial appeal for customers to change their passwords, breached companies avoid discussing any security measures they have implemented to prevent further breaches, or even how the breach happened in the first place. One reason for this silence is the fear that revealing too much will "tip off" new attackers. On the other hand, revealing too little may leave customers feeling unsafe, so they may stop using the company's services, hurting its revenue and reputation. It also reinforces the perception that the breach was the company's fault.
The abundance of cyberattacks on companies of all sizes makes it clear that there are no silver bullets in cyber security and that any company can become a victim. How the situation is handled after the breach often determines the true impact of the attack.