2016 was certainly a notable year, with unexpected goings on in the cultural and political spheres. The same can be said of the security industry, which saw the largest data breach ever recorded disclosed by Yahoo, and hacks such as TalkTalk carried out by 16-year-olds, making it apparent that age and experience are no longer barriers to hackers. In the first half of 2016, at least 550 million records that we know of were stolen, almost 65 per cent more than in the same period of 2015. It may seem a surprising figure, given the advances the industry is making in developing data protection tools, but as technology advances, so too does the sophistication of hackers.
More devices, more data, more vulnerabilities
We create 2.5 quintillion bytes of data every day according to IBM, and with Gartner predicting that there will be 20 billion connected devices on the market by 2020, it’s clear that the amount of data we create is only going to continue to rise. But with more devices creating data comes more risk.
To understand the scale of opportunity for hackers that the Internet of Things (IoT) has provided, you only need to look as far as a simple wearable fitness device and consider the number of different personas that touch it: the user, the manufacturer, the cloud provider hosting the IT infrastructure, the third parties accessing it via an API, and so on. This was most evident in 2016, when hackers using the Mirai botnet managed to disrupt internet services in North America by directing millions of hacked IoT devices in a DDoS attack against Dyn, an internet provider. It is important to remember that cyber security is only as strong as the weakest link in its chain: if just one of these personas lacks adequate security controls and suffers a data breach, the data all of them are trying to protect is exposed.
From data theft to data manipulation
Whilst 2016 saw businesses begin to understand that it’s not a case of if you get breached but when, there is still a lot of work to do. And now there is another element that needs to be considered: data integrity. Data is the new oil, a crucially valuable resource which dictates everything from business operations to government policy. As such, the risks data theft poses are well understood. However, the dangers of hackers changing their approach and instead choosing to manipulate data are only just becoming clear.
For organisations and consumers, data integrity is a promise or assurance that information can be accessed or modified only by authorised users. A data integrity attack compromises that promise, with the aim of gaining unauthorised access to modify data for a number of ulterior motives, such as financial gain or reputational damage. This has been seen in practice: in 2016 the World Anti-Doping Agency (WADA) discovered it had suffered an integrity breach. Hackers stole and released the personal data of famous athletes to damage their reputations, but upon reviewing its archived data, WADA revealed that the data that had been leaked had been manipulated.
It’s clear to see how this creates a risk that the security industry has not seen before, and when you consider the number of devices connected to critical and national infrastructure, the scope of the threat and the potential impact of data integrity breaches become apparent.
Data integrity attacks have the power to bring down an entire company and beyond. Entire stock markets could be poisoned and collapsed by faulty data, for example through manipulating sales figures to inflate the value of a company’s stock. If a hacker owned stock in that particular business they could profit immensely. Even the power grid and other IoT systems from traffic lights to the water supply could be severely disrupted if the data they run on were to be altered. Perhaps the greatest danger is that many of these could go undetected for years before the true damage reveals itself, as no data is stolen or leaked.
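As an added illustration of how the kind of manipulation WADA found can be made detectable (example code written for this page, not from the original article or from Gemalto): each archived record carries a keyed HMAC-SHA256 tag, so anyone who edits a field without holding the key cannot produce a matching tag, and a later review flags the altered record. The key, records and the "attacker edit" below are all constructed for the demo; in production the key would live in the hardware key storage the article recommends.

```python
import hmac
import hashlib
import json


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(key: bytes, record: dict) -> dict:
    """Return a copy of the record with an HMAC-SHA256 tag computed over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "mac": tag}


def verify_record(key: bytes, sealed: dict) -> bool:
    """Recompute the tag over the record body and compare it in constant time."""
    body = {k: v for k, v in sealed.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("mac", ""))


def find_tampered(key: bytes, sealed_records: list) -> list:
    """Return the ids of records whose tag no longer matches their content."""
    return [r["id"] for r in sealed_records if not verify_record(key, r)]


# Constructed sample data: a demo key and three archived test results (not real people).
KEY = b"constructed-demo-key-do-not-use"
ARCHIVE = [seal_record(KEY, r) for r in [
    {"id": 1, "subject": "athlete-A", "sample": "2016-07-01", "result": "negative"},
    {"id": 2, "subject": "athlete-B", "sample": "2016-07-02", "result": "negative"},
    {"id": 3, "subject": "athlete-C", "sample": "2016-07-03", "result": "negative"},
]]


def tampered_copy(records: list) -> list:
    """Simulate a leaked copy in which one field was edited by someone without the key."""
    leaked = [dict(r) for r in records]
    leaked[1]["result"] = "positive"  # the old tag is left in place, so it no longer matches
    return leaked


if __name__ == "__main__":
    print(find_tampered(KEY, ARCHIVE))                  # []
    print(find_tampered(KEY, tampered_copy(ARCHIVE)))   # [2]
```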
So what can we do to avoid becoming an easy victim of a data breach? Below are six tips for businesses:
- Understand your data
In order for a business to protect itself, it should first conduct a data sweep to understand what data it has collected or produced and where the most sensitive parts of that data sit. It’s crucial for businesses to understand what they are trying to protect before they can even think about how to protect it.
- Go beyond compliance & regulation
There are many policies and regulations which dictate the cyber security requirements of European organisations, ranging from GDPR to e-Privacy legislation. However, being compliant with these regulations is the minimum requirement for data protection, and does not guarantee that a business is ‘un-hackable’. The cyber-security landscape is constantly evolving, and businesses require a continuous effort to protect their and their customers’ data.
- Implement a two-factor authentication strategy
An organisation’s next step should be to focus on the adoption of strong two-factor authentication, which provides that extra layer of security should user IDs or passwords become compromised. This security measure combines something the user knows with something they have, rather than relying only on something they know, i.e. a password.
- Encryption is the key
While two-factor authentication is there to help stop information being taken in the first place, encryption provides the layer that stops customers’ sensitive data being used if it is accessed. Once a business understands where its most sensitive data sits, it must use encryption to protect that data wherever it is found, whether in on-premise, virtual, public cloud or hybrid environments. More importantly, the traditional data security mind-set has to evolve: companies need to presume that perimeters will be breached and, on that basis, put in place the encryption necessary to protect the most vital asset, the data.
- Ensure your keys are stored safely
Once a proper encryption strategy is in place, attention must switch to strong management of the encryption keys. Encryption keys are created when data is encrypted, and are necessary for unlocking the encrypted data. Encryption is only as good as the key management strategy employed, and companies must ensure keys are kept safe through steps like storing them in hardware security modules to prevent them being stolen. After all, it’s no good having the best locks on your house and then leaving the house keys under the mat for any passing opportunist burglar to pick up!
- Education will go a long way
In order to build trust, companies need to educate their workforce and their consumers on the steps they have taken to protect their data. And it doesn’t just end there. Businesses need to employ a two-pronged approach, educating both their employees and consumers on the steps they should also be taking to remain safe and protect their personal data themselves. This helps to build their understanding of how to protect the company’s data.
Protecting against these attacks is vital to ensure customer trust and loyalty for an organisation. With recent research revealing that almost seven in ten consumers will take their business elsewhere in the event of a data breach, the importance of an adequate cyber security strategy cannot be overstated. With GDPR coming into effect in under 18 months, it will soon be mandatory for any business handling EU specific data, or doing business within the EU, to report any and all data breaches.
While it may seem like a long time away, for some organisations the process of improving security measures must start now. We are entering the era of integrity attacks. It is no longer a question of if, but when, a business will suffer a data breach, regardless of whether the data is stolen or manipulated. If a business that suffers a breach doesn’t have adequate security protocols in place to protect the data, they face significant fines, a loss of reputation and customers to competitors that do.
Jason Hart, CTO Data Protection, Gemalto