Why security sucked in 2015, and how to improve in 2016


Even the most optimistic of observers would have to agree that, when it came to securing corporate networks and data, 2015 sucked elephants through a straw.

In fact, there were so many cybersecurity low points across the year, that when I was asked to write about the biggest fails I found myself drowning in examples. You may think that is not a good position to be in, but there are always positives coming out of these negatives and when it comes to security it has to be learning from those face-palm moments.

Irresponsible disclosure

Take, for example, the TalkTalk breach, which taught us that acting too quickly and making statements when not fully acquainted with the appropriate information is not a good move. Nick Pollard, general manager of the UK for Guidance Software, tells IT Pro: "It was an example of a response to an incident that was ill-judged in the end, as the scale of the attack was less widespread than at first anticipated."

Indeed, had TalkTalk waited until all the facts were fully understood then much panic and reputational damage could have been avoided. There's a lesson to learn right there.

Risk intolerant

Another lesson is that all organisations can and will be targeted. This means, as David Kennerley, senior manager for threat research at Webroot, reminds us, "all organisations need to balance security resource against risk tolerance".

Everyone should take note of that after the massive security fail that was the breach of the US Office of Personnel Management (OPM), which was discovered in April 2015, but initiated over a year before.

Data lifecycle planning

Talking of taking too long to realise you've been breached, we really do have to raise a glass in the direction of JD Wetherspoon. It took the well-known pub chain six months to discover it had been hit, but the hacked database was apparently related to an old version of its website that had since been replaced.

But Pat Clawson, CEO of data erasure specialist Blancco Technology Group, tells IT Pro: "It indicates the company's internal teams didn't do their due diligence and had a lax approach to monitoring and managing risk levels of their external supply chain."

The lesson to learn, then, is to have a plan for the entire data lifecycle that includes secure disposal of deprecated assets.

Application of insecurity

Another long-term data exposure was reported right at the start of the year, when an API flaw allegedly left millions of Moonpig customers open to potential compromise for 17 months after a developer claims he first warned the company about it.

This was a complete failure as far as secure API authentication design is concerned. So what lessons can we learn from this?

"Organisations should take note that when it comes to breaches, shareholders and the bottom line matter less than the people that have helped you build your business," says Jim Sneddon, technical director at security firm Aditinet.

He adds: "Stay close to customers, communicate transparently around the breach and threats and show real empathy as to how potentially disastrous they perceive the risk to be."

We cannot leave the world of Android without mentioning Stagefright, which impacted millions of users and could mean that a single malicious MMS could introduce malware to your smartphone.

Duo Security VP Henry Seddon advises: "Have the latest upgrades of software installed on [your] devices, restrict access to sensitive data when those upgrades are not in place."

Security industry not eating own dog food

For many people, the biggest security fail of the year was the failure of the IT industry itself. OK, maybe that's a little harsh, but a number of security industry giants fell victim to attack when they really shouldn't have.

Kaspersky and LastPass were both hacked in 2015, just to pick two examples. Ex-FBI man, and current chief security officer with Cryptzone, Leo Taddeo, tells IT Pro there's one simple takeaway from this: "No organisation is immune, and the stakes can be high."

High indeed, as controversial cybersecurity outfit Hacking Team discovered when an arsenal of state-funded malware and exploits was leaked post-breach. The lesson was perhaps not the obvious one, that cybersecurity firms of all companies should do better. Instead, as James Maude, senior security engineer at Avecto, explains, "it showed organisations across the globe that even with all the latest patches and anti-virus protections, they are still vulnerable to determined or nation state attackers".

To achieve security in 2016 you have to get the foundations of security right, learn the lessons of others, and then build on that foundation by layering controls using defence in depth.

On a security downer, man

If, having read all of that, you are now feeling just a wee bit depressed about the state of security across the year, you are not alone.

Professor Steven Furnell, a senior member of the Institute of Electrical and Electronics Engineers (IEEE) and Professor of IT Security at Plymouth University, suggests the sheer volume of well-publicised breaches in 2014 means there should have been fewer this time around.

"[Instead] these will have done nothing to raise confidence in the ability of online services to protect their systems and safeguard data," Furnell says.

But he concludes that companies can begin by mastering the basics, telling IT Pro: "There are still baseline things that many organisations are not doing well, such as complying with the safeguards required to meet Cyber Essentials. While these will not guard against more advanced forms of attack, they will at least prevent organisations from retaining common vulnerabilities and falling victim to avoidable exploits."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.