Story image

Exclusive: Why social media platforms are so vulnerable to cyber threats

Gemalto released the latest findings of the Breach Level Index, a global database of public data breaches, revealing 945 data breaches led to 4.5 billion data records being compromised worldwide in the first half of 2018. 

Compared to the same period in 2017, the number of lost, stolen or compromised records increased by a staggering 133%, though the total number of breaches slightly decreased over the same period, signalling an increase in the severity of each incident.

A total of six social media breaches, including the Cambridge Analytica-Facebook incident, accounted for over 56% of total records compromised. Of the 945 data breaches, 189 (20% of all breaches) had an unknown or unaccounted number of compromised data records. 

The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. 

By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious versus those that are truly impactful. 

According to the Breach Level Index, almost 15 billion data records have been exposed since 2013, when the index began benchmarking publicly disclosed data breaches. IT Brief had the opportunity to discuss this with Graeme Pyper, Regional Director Australia & New Zealand, Gemalto. 

What are the major risks of Social media breaches, especially in light of the recent Facebook breach?

When we look at social media, we tend to immediately think of Facebook or Instagram, but there are literally hundreds of social media channels out there. In fact, there are even companies that will manage your social media accounts for you, sharing things on your behalf that they feel match your profile. The most important thing to remember is that whatever you post online may be permanently recorded and could be used in your favour or against you at any point in time. 

If you decide to leave a social media platform, there is no guarantee that your information is permanently deleted. More so, the pages that you have engaged with or responded to via an ad will have copies of your information. It is vital that every user is educated and informed of their privacy rights.

The very nature of social media is that we share information that is personal to us. A breach could result in embarrassing and potentially harmful consequences. The use of two-factor authentication on your social accounts should be the default for everyone. 

In doing this, if someone tries to access your account or reset your password, your trusted device will respond with an SMS message containing the passcode. If you receive a passcode and you have not been trying to reset your account, this is the first indication that your account could be under attack and that you need to take action.

The OAIC has recently shared guidelines around social media and following the recent Facebook breach, have launched an investigation into the sharing of information to Cambridge Analytica.

What do you think is behind the increased level of attacks?

Twelve months before the NDB came into effect here in Australia, I spoke publicly about the fact that without breach notification laws in place we were not being made aware of the true number of breaches happening here. Now that NDB and other regulations are in place we are actually starting to see the scale of the threats and more importantly the threat vectors that are most common.

ID theft remains the main reason behind the vast majority of breaches, however, companies are starting to address this by replacing default passwords and using strong authentication methods. Only last week I read about California enforcing manufacturers to remove default user accounts in their products. 

This is a different tactic and passes the responsibility back to the vendor supplying the solution. That said if the replacement accounts are considered weak when changed by the end user that would not stop a malicious person potentially gaining access.

When it comes to Cybersecurity, how do you think Australia fares? Both in terms of educating its populace on threats, and Laws/regulations that help protect data?

I like the way cybersecurity is gaining share of voice in the market, especially for end users. The National Cyber Security Strategy announced by the then Rt Hon Malcolm Turnbull is a great step in creating a framework, however, the skills needed here locally are scarce. 

Vendors can plug the gap to some extent, but nothing can be compared to skilled and experienced individuals. What we are seeing now is not different from the rest of the world, it’s just that companies are having to report on the fact they have been breached. 

Companies need to allocate more of their overall IT budget to security and cybersecurity. In a recent independent market pulse survey conducted by an industry colleague, it was found that Australian companies spend on average 6.75% of overall IT budget on security. 

To me, this is too small, and it demonstrates how companies value the information that they hold.  Equifax has spent $242m on post-breach costs which highlight the need to be proactive both in terms of being better prepared but also in understanding how to allocate funding.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.