It’s difficult to imagine getting much work done without the help of technology these days, but if you aren’t careful, technology can also hurt you.
The first way your technology can hurt you is through failures. The other way is through cyber-attacks. Let’s look at a few specific cases.
Many people are still learning how to use cloud services, and that’s been a huge source of errors and omissions causing data breaches in the past few years.
Amazon Simple Storage Service (Amazon S3) is like a big data bucket in the cloud that you can use “to store and retrieve any amount of data at any time, from anywhere on the web.”
Amazon says S3 is “designed to provide 99.999999999% durability and 99.99% availability of objects over a given year.”
It’s easy to see why people like this!
But, as reported in AWS Insider, there has been a constant stream of misconfigured S3 buckets over the past several months that have resulted in public data breaches:
In the latest Dow Jones leak, the data was available to anyone with AWS “Authenticated User” status, a free registration which more than 1 million users have. The data included names, addresses, account information and more data on at least 2.2 million customers.
Similar data breaches have been associated with the Republican National Committee (RNC), Verizon and other top names.
In mid-2017, a contractor working at a British Airways data center accidentally turned off an important power supply that brought down many computer systems. For an unexplained reason, the backup systems also failed.
Over 75,000 people were stranded when the airline had to cancel all flights from London’s Heathrow and Gatwick airports on a busy summer Saturday.
That failure led to a short-term decrease of 1.8% in passenger traffic. The total cost to the airline was over $112 million. CEO Alex Cruz also received a great deal of bad press.
Crimes Against Your Organization
For selfish reasons, there are people both inside and outside your company who want to steal your money and digital assets (which they can then sell for money). They don’t care if they hurt you in the process.
And sometimes a current employee, or ex-employee, just wants to hurt you.
Australian Wastewater Hack
For over two months in 2001, an insider performed a series of 46 cyber-attacks against the sewage treatment facilities of Maroochy Water Services in Australia. The attacker did this after being rejected for a job with the utility.
At the time, he was employed by the company that had installed the control system, and thus had privileged access.
Over 800,000 liters of raw sewage was released into local parks, rivers, and the grounds of a Hyatt Regency hotel. Marine life died, water turned black, and the stench was unbearable for nearby residents.
The cost of the attack ended up being over $1 million.
Copyfish Chrome Extension Hijacked
Finally, let’s look at a recent cyber-attack by an outsider.
Copyfish is a Chrome web browser extension that lets you extract text from images, videos or PDFs.
During the summer of 2017, a Copyfish software developer fell for a phishing scam that exposed the company’s main Google password to the attackers.
Soon afterward, the Copyfish team lost all control over their product. And then the attackers modified the software and delivered an automatic update to all of Copyfish’s users, turning the extension into an ad-spewing monstrosity.
It took days of hard work by the developers to overcome this attack.
This same attack has since been used to compromise several other Chrome browser extensions, ultimately affecting millions of users.
What Do These Situations Have in Common?
With adequate training and security practices in place, most of these breaches could have been prevented. In fact, former NSA information assurance director Richard Schaeffer reported that “about 80 percent of commonly known cyber attacks could be prevented.”
Unfortunately, a lot of companies don’t think about cyber risk until it’s too late, and, to compound the issue, many cybersecurity breaches aren’t discovered until several months later.
Cyber Risk Opportunities helps middle-market companies avoid costly failures and cyber-crimes by prioritizing and reducing their top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS and more.