So we saw a few significant cyber security incidents last week. One was Avis Car Rental. News reports suggest the incident occurred via a business application across 3 – 6 August, when the company blocked the attacker from its systems.
The attacker stole personal information (names, but other sensitive data is undisclosed), and Avis is warning people to remain vigilant. Avis is also offering affected customers free credit monitoring with 1-year memberships via Equifax. Avis says it has worked with outside experts to strengthen its application and to put additional safeguards in place across its systems.
Although statements from companies are carefully worded to maintain their PR and minimise damage, it makes me think about how much more Avis needed to strengthen its business application that contained personal data. Surely, it has an ongoing vulnerability management programme in place, and should be aware of its weaknesses.
I have developer friends, and we have also assessed many companies and their developers. They usually have immense deadlines to hit, and sufficient testing may be sacrificed.
It also shows you do not know what you do not know. Many developers I speak to are very good at what they do: connecting things together to work. However, their understanding of secure development is often lacking. Certainly, in most businesses I go to, the IT teams are very good at connecting things together, but they are not security professionals. This results in a significant risk that their systems are not configured securely.
As general advice and key takeaways:
- From automotive to education, no industry is immune. While breaches may target specific industries, such as healthcare and financial services, companies of all types need to recognise their exposure to cybersecurity threats.
- Know how to configure your systems securely based on industry practices.
- Know how to develop secure applications.
- Proactive defence is crucial. Ensure your business has expert security knowledge internally, or bring in expert advice to benchmark your data security.
If you are not sure of the state of your data security across people/process/technology, get yourself a security health check.
Be Secure