(and hopefully made us all change our passwords)
I’m bringing in videogames again this week. See, next month marks the anniversary of the attack on Sony’s PlayStation Network (PSN) servers, which was widely attributed to Anonymous at the time. That attack was just the beginning of a summer of attacks on websites and services related to gaming, as well as on government and corporate websites.
Indeed, 2011 was the year that hacking really came to the headlines, and not just because of the phone-hacking accusations against numerous newspapers in the UK. According to data recently released by Verizon, 58% of the records stolen last year were taken by so-called ‘hacktivists’ such as Anonymous and LulzSec.
And the thing that worried those charged with stopping data breaches like the one that hit PSN users? As Verizon explains, there didn’t seem to be any logic to which targets were attacked.
People are part of the problem
The number of breaches reported to Verizon for their study was:
855 incidents, 174 million compromised records
That’s a lot of data. Apart from the companies that failed to adequately encrypt or hash the personal data they held, the individuals behind that data were also a teeny, tiny bit to blame alongside the hackers. For what 2011 proved was that not enough people were taking the necessary steps to keep their data secure, even simple ones such as not reusing the same password for something like PSN and their email account: once one service leaks a password, every other account that shares it is open.
Human error is one of the biggest causes of data breaches. Even in sensitive areas such as healthcare, people are often the leading cause of leaks, and sometimes without anyone directly hacking a system at all. From passwords short or common enough to fall to a brute-force or dictionary attack, to pen drives left on Tube trains, to privileged users abusing their access, people are the weakest link in any security offering. As Bryan Sartin remarked to the Guardian about the Verizon report:
“I’d love to tell you we see a lot of indications that companies are getting better and more secure. But if you look at where these companies are falling down, it’s still unfortunately in common sense.”
Too many companies are still failing to implement basic but effective security measures that give employees the skills to keep data secure and an understanding of why it matters.
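To make the two failures above concrete (a service storing passwords badly, and users reusing them), here is an added example that is not part of the original post and uses only constructed sample data, not anything from the PSN breach. The “leaked” table of unsalted SHA-1 hashes, the ten-entry wordlist, the user names and the second “email service” are all invented for illustration. It runs a dictionary attack over the unsalted table, replays the cracked passwords against the second service to show what reuse costs, and then repeats the attack against the same passwords stored with a per-user salt and PBKDF2 to show what the service could have done differently.

```python
import hashlib
import hmac
import os

# --- Constructed sample data (illustrative only, not from any real breach) ---

# What a leaked table of unsalted SHA-1 password hashes might look like.
LEAKED_SHA1 = {
    "alice": hashlib.sha1(b"password1").hexdigest(),
    "bob":   hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"qwerty123").hexdigest(),
    "dave":  hashlib.sha1(b"Yq7#vR!2pLm9xZ").hexdigest(),   # long random passphrase
}

# Tiny stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty123",
            "iloveyou", "welcome", "monkey", "dragon", "abc123"]

# Kept deliberately low so the demo runs in seconds; real deployments use far
# higher counts or a memory-hard function such as scrypt or Argon2.
ITERATIONS = 50_000


def crack_unsalted(leaked, wordlist, hashfn=hashlib.sha1):
    """Dictionary attack on unsalted hashes.

    One hash per wordlist entry tests every account at once, because identical
    passwords give identical hashes across users (and across breaches).
    """
    lookup = {hashfn(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def store_pbkdf2(password, salt=None):
    """Hash a password the way a service should store it: random per-user salt + slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def verify_pbkdf2(record, password):
    """Constant-time check of a password against a (salt, derived key) record."""
    salt, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, dk)


def crack_salted(records, wordlist):
    """Same dictionary attack against salted PBKDF2 records.

    The salt forces a separate run per account (no shared lookup, no rainbow
    tables) and every guess costs ITERATIONS rounds. Weak passwords still fall;
    they just cost the attacker far more work. Returns (found, guesses_made).
    """
    found, guesses = {}, 0
    for user, record in records.items():
        for w in wordlist:
            guesses += 1
            if verify_pbkdf2(record, w):
                found[user] = w
                break
    return found, guesses


def reuse_exposure(cracked, other_service):
    """Credential stuffing: replay passwords cracked from one breach against a
    second service's (properly hashed) store. Returns the accounts that open."""
    return {user for user, pw in cracked.items()
            if user in other_service and verify_pbkdf2(other_service[user], pw)}


def demo():
    cracked = crack_unsalted(LEAKED_SHA1, WORDLIST)

    # Second, constructed service that hashes properly; alice and bob reused
    # their password from the first service, carol did not, dave has no account.
    email_service = {
        "alice": store_pbkdf2("password1"),
        "bob":   store_pbkdf2("letmein"),
        "carol": store_pbkdf2("c0ffee-Unique!"),
    }
    exposed = reuse_exposure(cracked, email_service)

    # The first service's table, had it salted and stretched its hashes.
    salted_records = {u: store_pbkdf2(p) for u, p in
                      [("alice", "password1"), ("bob", "letmein"),
                       ("carol", "qwerty123"), ("dave", "Yq7#vR!2pLm9xZ")]}
    found_salted, guesses = crack_salted(salted_records, WORDLIST)
    return cracked, exposed, found_salted, guesses


if __name__ == "__main__":
    cracked, exposed, found_salted, guesses = demo()
    print("cracked from unsalted SHA-1:", cracked)
    print("email accounts opened by password reuse:", exposed)
    print(f"cracked from salted PBKDF2: {found_salted} after {guesses} slow guesses")
```

Two things to take from running it: the three weak passwords fall either way, so salting and stretching protect the service’s users with strong passwords (dave) and raise the attacker’s cost per account, but they do not rescue anyone who chose a wordlist entry; and the reuse check shows that once alice’s and bob’s passwords are out, the properly hashed email service is opened with them anyway, which is exactly why reuse across PSN and an email account mattered.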
Physical security is not enough
If it’s people that cybercriminals mainly have to crack when hacking, then I can’t help frowning at the slight folly of surrounding a huge datacentre with a moat, yet there is one around Visa’s Operations Centre East in the US. It might be enough to keep the Mission Impossible types out, but a remote attacker never has to cross it, and the past year has shown how widespread cybercriminal activity against sovereign nations and corporations has become.
And much of this has not been instigated on the soil of the nations affected. Whether it’s government institutions, utilities or enterprises being hacked, there are serious concerns about the cyberwarfare capabilities of some countries, including China.
While 2011 perhaps showed the general public that using the same password for a multitude of services was a bad idea, and made some organisations feel sheepish about their encryption policies, people need to remain vigilant. All the security software in the world doesn’t mean a thing if people don’t treat it, and the data it protects, with respect.
Header image adapted from “dir /s” by *n3wjack’s world in pixels under a Creative Commons Attribution-ShareAlike 2.0 Generic license.