By Richard Whomes, Senior Director, Rocket Software
2018 was a big year for data breaches, with organisations from Cathay Pacific to the Tory party suffering from attacks. But no organisation has hit the headlines quite as much as British Airways. The airline’s first breach occurred in September 2018, when an attack affected 380,000 transactions which had been made over a two-week period. Then came the announcement by BA’s owner, International Airlines Group (IAG), that an additional 185,000 passengers may have had their details stolen. While the airline undoubtedly suffered a deliberate and tailored attack on its infrastructure on this occasion, we’ve seen too many incidents, such asBA’s 2017 IT meltdown or the NHS Wannacry ransomware attack, which were entirely avoidable. This raises broader questions about whether big companies are taking the security of customer data seriously enough.
For any size of organisation, there are a few necessary steps – using the right tools – to keep customers’ data secure.
Processes and procedures
When faced with a security challenge, it’s tempting for anyone in the IT industry to jump straight to the newest and most sophisticated technology. This is important, yes, but pointless if you have humans who are compromising your system at the same time. Wannacry could have been prevented if the NHS had been regularly updating its operating system, and phishing attacks, where unsuspecting staff are tricked into inadvertently handing over sensitive data or enabling access to a system, are still responsible for a high number of breaches.
Full encryption – from when data enters a company’s system to when it is stored – is vital. Encryption isn’t a perfect solution – any code can eventually be broken – but it will deter the less focused hackers and make it harder for any who succeed. Where possible, tokenise data and assemble full customer records only for specific transactions.
Protect against malware
According to Risk IQ, the perpetrators of the British Airways hack were from Magecart, a hacker group which specialises in skimming credit card details from unsecured payment forms. A number of tools now exist which can detect and eliminate specific malware such as skimmers from systems.
Securing your development process
Most large organisations will be developing new applications, or updating existing ones, most of the time. While this is crucial to make sure systems are up-do-date, organisations must make sure that when these updates are deployed, there are no ‘holes’ in the newly developed applications, as this could make them an easy target for hackers.