Flashback to May 2006
American comedian John Hodgman is unwell. Sneezing. Sweating. Actor Justin Long looks on – unimpressed. This was Apple’s memorable 'I’m a Mac, I’m a PC' campaign from the mid-Noughties. The dull and stuffy PC and the hip, cool Mac, personified. Why was Hodgman sneezing? The ad claimed that PCs were vulnerable to 114,000 known viruses – while the Mac was virus free. How much truth there was in that belief was hard to tell at the time.
Apples did indeed seem to be immune from attacks, or at least they weren’t as frequent or as well known. In which case, perhaps Apple simply had better PR or employed the hackers before their attacks became common knowledge. Who can say.
That was the era before the iPhone – launched in 2007 – and Android smartphones, launched in 2008. Hi-tech portable devices meant Blackberry Quark or Palm Treo – remember them? 2006 also saw the advent of the first commercially available cloud services – particularly cloud storage with the launch of Amazon Web Services (AWS).
In other words, 2006 marked the end of a 'threat era' – the time before smartphones and wide-spread adoption of the cloud. Computing was still desk-bound and dominated by email. But all of that was about to change.
Skip forward a decade
Today’s threat landscape is in many ways very different from ten years ago. The growth of smartphones combined with pervasive internet, Bring Your Own Device (BYOD) and Application (BYOA) initiatives, introduced new threats to the workplace. Cloud servers made password security all the more important – with employees being able to store and access confidential company information on the move… even via free, public networks.
All empires fall and Apple has proven to be no exception. It may have taken a while, but their devices and their App Store have both been proved to be vulnerable. New forms of cybercrime have emerged. Ransomware is on the rise, where companies have their systems or data frozen by hackers until they make payment. Business email compromise (BEC) is growing too, where hackers hijack a senior executive’s email and send urgent instructions to other employees typically instructing them to make fraudulent payments.
Some things haven’t changed that much though. Malware infects thousands of computers every day, and Denial of Service (DOS) attacks remain ever-present. And then there are the avoidable human errors: accidental leaks, lost or stolen devices and weak passwords, all of which cost companies dearly.
Looking at the world’s biggest hacks and data breaches of the last ten years helps us see how things have changed over the decade: where and why data breaches are happening, and who is being hacked by whom.
Outside versus inside jobs
Employees may be seen as the weakest link in the security chain but most of the biggest hacks were by an outsider. That said, this may not be truly representative of the situation because companies may not be obliged or willing to disclose a breach, or to what extent employees were involved.
Businesses, academic institutions, and public organisations have all suffered
British Airways, Ebay, Home Depot, JP Morgan Chase, AshleyMadison, TalkTalk, AOL, Dropbox, University of Wisconsin, European Central Bank, Washington State Court System, Adobe, Sony, Betfair, AT & T, RBS Worldpay, Monster.com, and TK Maxx to name but a few. Not all hackers are after money, some simply want to disrupt or enjoy the challenge of breaking through defence systems.
The biggest hacks are more recent
The vast majority of the biggest hacks seem to have happened in the last four or five years, which indicates the problem is either getting worse or the reporting of hacks is getting better, or both.
Device theft was once in vogue
Breaches as a result of lost or stolen devices or media are a running feature across the decade but they seemed to have tailed off (relatively speaking) over the last few years. Given the small chance of being caught using anonymous and remote hacking tactics, stealing a device to gain access to a system may soon become a crime of the past.
Instances of breaches due to poor security
In spite of the hype around people still using ridiculously simple passwords, this type of breach doesn’t seem to be that prevalent. Perhaps it gets more attention in the press because, like lost or mislaid devices, it’s an obvious and avoidable own goal. Businesses have taken action and deployed strong password policies, reducing the risk and prevalence.
Accidental data breaches
Accidental data breaches don’t appear to be too common either. As bad as they may have been, only(!) about 18 big breaches seem to have been by accident.
Big business hacks are only half the story
Those were the biggest hacks against big businesses or organisations, but don’t be fooled. Small business should be under no illusion they are not a target for hackers. Even a small hairdressing business can be hacked and have their business data held to ransom.
The latest UK Government Security Breaches survey found that nearly three-quarters (74 per cent) of small organisations reported a security breach in 2015; up a whopping 60 per cent from 2014. SMEs are now quite clearly and deliberately in the hackers’ sights. The survey also reveals the potential financial impact a hack could have, 'For small and medium sized businesses, the most severe breaches cost can now reach as high as £310,800, up from £115,000 in 2014.'
Reflection is a timely reminder for businesses large and small
Tony Anscombe, Senior Security Evangelist at AVG Business, shares his insight:
'Looking back, it’s hard to imagine life without smartphones. They’ve become an everyday essential – a lifestyle and business ‘remote’ always within reach. They help us live more convenient lives but they’ve also introduced new risks. Data can be captured and shared from almost any location in a multitude of ways, many of which simply weren’t possible before smartphones became so powerful or popular. Companies need to stay aware of how these devices can be used in business, and are currently being used, so that any threat to confidential data or systems can be identified and mitigated.'
Lee Carnihan, Digital Outreach Manager at Further