Lessons in Preemption From the Biggest Company Breaches of the 21st Century

Now that more companies are relying on digital platforms, cybersecurity teams are not just an asset—they’re a necessity. PRIME’s Cybersecurity Supervisor Ed Penn emphasizes that these teams are essential in risk management, now that numerous cyber attackers are striking left and right. Without proper cybersecurity professionals and systems in place, attackers can launch multiple threats and infiltrate organizations. Even the biggest companies in the world are vulnerable to these attacks, as illustrated by the following two incidents:

US, UK, Australia Cryptojacking

In early 2018, various government websites from the US, Australia, and the UK were subject to an attack involving cryptojacking malware. Security researcher Scott Helme blew the whistle on the attack, and discovered that it was executed through a third-party plugin called Browsealoud. The plugin was designed to help those visually impaired browse websites. But due to the incident, all the websites that used the plugin were immediately compromised. Helme pointed out that cyber attackers often target websites that others rely on. In order to avoid this the government should have done greater testing to ensure their plug-in was completely secure. In order to make technology more accessible to users, governments and companies must be careful they don’t make it more accessible to hackers.

Google Plus Forced Shutdown

Google – being the tech giant that it is – has been the subject of various significant attacks in recent years. In May 2017, an email phishing scheme nearly exposed sensitive data from millions of users. A year later, Google’s own self-regulating mechanisms allowed them to spot a bug in the developer API of Google Plus, which could potentially expose sensitive data belonging to its more than 50 million users. TechCrunch's report on the incident reveals that there is currently no evidence that a third party has taken advantage of the data exposure. However, Google has responded to these incidents by expediting the shutdown of their Google Plus APIs rather than potentially exposing users to any risk. This pre-emptive measure may cause Google time and money, but it’s necessary to protect their users.

The Future of the Industry

Given the inadmissible growth of cybercrime in recent years, one very fine silver lining is that this directly translates to a higher demand for cybersecurity experts who specialize in pre-emptive measures. To fill in the gaps, plenty of institutions are establishing cybersecurity programs that provide aspiring cybersecurity professionals with an effective digital training ground. In particular, post-secondary institutions have been doubling down on cybersecurity degrees. The University of Hawaii unveiled new cybersecurity internships, while Benedict College and LaGuardia Community College extended their current cybersecurity programs to include postgraduate options. Meanwhile, Maryville University’s online master's in cybersecurity is not only taught 100% remotely, it teaches post-grad students how to build defensive and preventive strategies. Aspiring cybersecurity professionals are also trained in a Virtual Lab giving them vital real world experience in a safe environment. Together these universities are ensuring that more companies and governments are better able to protect themselves.

Since top cybersecurity specialists can be difficult to find, the Wall Street Journal points out that the median salary of corporate cybersecurity chiefs has risen to $509,000 this year. Omar Khawaja, a CISO himself, stated that numerous high-profile ransomware attacks have pushed big companies to invest more in their cybersecurity teams.

As cyber attacks sweep over hospitals, governments, and big companies, competent cybersecurity experts with the necessary experience are more important than ever. Organizations and cybersecurity experts have to work closely to take on pre-emptive measures based not just on estimates, but also on the massive amount of breach-related data available to companies today.

*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*