For 37 million adulterers, this was a very bad week. Ashley Madison, a website catering to those seeking extramarital affairs, had its database of users hacked.
Putting aside the ethical and moral issues surrounding Ashley Madison, this event gives us an opportunity to analyze the current state of cybersecurity. What makes this case noteworthy are the following:
- The attack was ideological in nature, as opposed to most other hacks which are directed to either cause mischief and disruption, or to obtain credit card and other sensitive data.
- Customers were misled into believing their data was not only secure, but destroyed on demand. Ashley Madison offers a $19 “permanent account deletion” service.
- This is effectively a ransom case. The hackers, “Impact Team”, threatened to leak customer data to the public if the Toronto-based ALM (Ashley Madison’s parent company) didn’t shut down the site.
No system is unhackable. So, as an executive of a business managing customer data, how can you mitigate the risk of devastating compromises such as this? Here are a few thoughts:
- Hire an information security consultant to train you up to competence.
- Get your staff trained on security best practices. This includes social engineering threats and basic user awareness.
- Work with a Red Team to perform penetration testing and risk analysis.
- Create honeypots in your infrastructure to gather data that can help you model your attack surface.
- Firewalls and intrusion detection systems are insufficient; application code is highly vulnerable. Have your codebase regularly reviewed by a professional for vulnerabilities.
You Can’t Overinvest in Security
Seriously consider your return on security investment (ROSI), especially if you accept credit card payments, or retain any Personally Identifiable Information (PII). A meaningful investment in your cybersecurity strategy will net you the following results:
- Dramatically improved ability to prevent malicious activity
- Minimized window of incident detection to remediation
- Improved security data leading to better decision making
- Increased compliance efficiency, especially when dealing with auditors
- Fewer compromised assets
- Increased brand repute and customer loyalty
I often work with clients to develop these cybersecurity strategies, assist with regulatory compliance, and perform security audits.
How are you exposed?