Lessons From the Ashley Madison Hack: Cybersecurity Is Broken
May 2, 2016 | 4 minute read
Even the Cybercrime Industry Is Cashing in on Sex and Scandal
Few security breaches in 2015 have caught as much of the media’s attention or caused as much public outcry as the recent Ashley Madison hack. The breach leaked the personal information of 32 million members and has been linked to at least two suicides. Cybersecurity experts have hailed this attack as a much-needed wake-up call, with many in the industry calling for tighter enterprise-level security.
But perhaps more than a wake-up call, Ashley Madison is an indicator of just how broken cybersecurity is. After all, cyberattacks are becoming so commonplace that more often than not they’re forgotten only months after making the headlines. Who remembers the cyberattacks on JPMorgan Chase, Home Depot, Target and Anthem? Many of them caused far more damage than the Ashley Madison hack, and yet they’ve long since been forgotten.
It seems that Ashley Madison may be the least of our worries. The reality, according to a recent Accenture survey, is that at least two-thirds of companies face a cyber threat on a daily or weekly basis. Another report conducted by the Ponemon Institute in 2014 found that 43% of U.S.-based companies experienced a data breach in the past year. That wake-up call is long overdue. Now is the time for action.
Understanding the hype around Ashley Madison
Before trying to make sense of this cyberattack and looking at the lessons to be learned, it’s important to consider why there is so much hype around this particular cyberattack. What makes this website unique is that it’s highly controversial, acting as a dating site for married people looking to have an extramarital affair. The site is owned and run by Avid Life Media, which is also responsible for Established Men, a site which aims to connect young beautiful women with wealthy elderly men.
The hackers, who refer to themselves as Impact Team, took exception to the questionable morals the sites were promoting. They also wanted to expose Ashley Madison’s fraudulent business practices, which involved charging users a $19 fee to have their data removed, only to retain this sensitive information on the company’s servers.
The data leaked was shocking because it showed just how much private information people share willingly online. This included everything from names, passwords, addresses and phone numbers to the last four digits of credit cards. Some eye-opening findings include the fact that 15,000 of the leaked email addresses are .mil or .gov. However, this doesn’t mean anything, as there’s no way to verify the addresses, and some reports suggest that many members provided random information to sign up. Other sensitive information that was leaked includes explicit details about what members were seeking.
What impact will this hack have?
This isn’t the first time sensitive data was exposed in a hack. Last year, 100,000 photos and videos that were meant to be sent securely across the Snapchat network were leaked. Also in 2014, 4.6 million Snapchat usernames and phone numbers were leaked. Then in August 2014 there was the iCloud hack, which saw almost 500 celebrity photos, most containing nudity, being posted online. None of these leaks seemed to impact user behavior. In fact, one security expert says that a year later people are still using weak iCloud passwords.
And the same can be said about Ashley Madison. Not only are users still using the site after the data breach, but in the last week hundreds of thousands of people have signed up for the website. It’s interesting that the news of the security breach hasn’t acted as a deterrent.
But that isn’t the case for everyone. Ashley Madison’s CEO has resigned following the leak and the news that he too engaged in several extramarital affairs. Two users have also committed suicide on hearing that their details were exposed. It seems that for some, this hack will have a lasting impact that goes beyond changing their online behavior.
What’s the real state of cybersecurity?
Most companies simply are not doing enough to protect themselves and their users from a cyberattack. This becomes clear when one considers that not only are cybercrimes on the rise, but they’re increasingly damaging. A report by the Ponemon Institute found that the cost of cybercrime more than doubled from 2013 to an estimated $8.6 million per company in 2014. It’s estimated that cyberattacks cost businesses anywhere between $400 billion and $500 billion yearly.
This becomes even more worrying when one considers how ill-prepared companies are to deal with this threat. The 2015 Travelers Business Risk Index found that 29% of companies aren’t ready to deal with a cyberattack, while an additional 33% have no data breach plan in place. What’s particularly disconcerting is that at least 75% of attacks go undetected for weeks or even months, according to research by MIT.
But it seems there’s still room for hope, with more and more companies taking some action to prevent a data breach. Ashley Madison, for example, used bcrypt password hashing, which ensured user passwords were not compromised in the leak. While other companies may not be there yet, there’s definitely more awareness around the need for cybersecurity.
In fact, a report by Gartner shows that companies worldwide are investing more in enterprise security, with spending expected to increase from $71 billion in 2014 to $77 billion this year. Furthermore, security is becoming a top priority for more companies, with the 2015 Piper Jaffray CIO Survey indicating that 75% of the CIOs surveyed planned to increase security spending in 2015.
However, companies cannot afford to invest in security blindly. It is essential that they carefully evaluate where their weaknesses lie. This will give them a good sense of where they need to invest, and is one of the only ways to ensure cyber readiness.
Are you doing enough to protect your business and customers?
The alarming reality, and main takeaway from the Ashley Madison hack, is that no matter how careful an organization is, there’s always the chance its data could be compromised. Perhaps instead of focusing exclusively on protection, organizations need a more proactive approach to security.
Rather than waiting for a data breach to be detected, companies should be relying on cyber intelligence software to alert them to any imminent threats in real time. In many cases it’s pointless trying to stop a cyberattack, as more often than not a data breach happens months before the actual attack. Once a company realizes it has been attacked, it’s already too late.
Companies need to rethink their security. This includes performing regular vulnerability checks, identifying and protecting the most sensitive data, and securing passwords. An essential part of cybersecurity is getting employees on board. Half the battle is getting them to understand the importance of a secure network and their role in preventing security breaches.
Cybersecurity in its current form is not enough to keep us safe. That’s why we need targeted solutions for targeted attacks, ones capable of detecting data breaches before they happen. The reality is that there is no such thing as a one-size-fits-all solution, and every company needs a cybersecurity solution tailored to suit its specific needs.