Data Breach: Tut-tut to TalkTalk


In the wake of the breaking news that potentially every TalkTalk customer has had their personal and bank details stolen by cyber criminals, we thought it might be a good time to tell you what happened and how you can prevent it, and what to do if your organisation becomes a victim of cyber crime.

We've enlisted the help of VolunteerKinetic's Implementation and Security teams to give us their expert analysis.

What Happened To TalkTalk?

TalkTalk suffered a significant and sustained attack on their systems on 22nd October 2015, which has potentially led to the theft of over 4 million of their customers' personal and financial data. An Islamist group in Russia has claimed responsibility for the theft and has produced a sample of the data as evidence, but this has yet to be confirmed by experts.

TalkTalk are under significant pressure because much of the data was not encrypted, which made it far easier for the cyber criminals to read. The fact that this is also the third major attack on TalkTalk this year has led to an outcry from their customers and many raised eyebrows amongst security experts worldwide.

What Is The Impact?

It is too early to measure the full fallout of this data breach, but the fact that the share price has dropped by 5% and customers are already reporting money being withdrawn from their bank accounts suggests that the impact is very significant and there is probably worse to come. Even at this early stage, TalkTalk are also facing legal action from customers.

How Can I Protect My Members' Data?

We asked VolunteerKinetic, who provide volunteer management software to NGBs and many other organisations across the UK, for some practical tips and what can be done to help protect your data. Here are their top tips.

Encrypt wherever and whatever you can

If you transfer any sensitive data via websites you should always employ point to point encryption (PPE). Without realising it, we've all seen this in action when we visit Google or our bank's website: the little padlock by the web address tells us two things. Firstly, that the identity of the website has been checked and verified; secondly, that any traffic between your computer and that website is SSL encrypted and cannot be read at any point in between.

If you were sitting in a coffee shop and decided to check your bank balance, and your bank (heaven forbid) did not use SSL, then your username and password would be sent in plain text across the coffee shop's wireless network, on to their internet provider and beyond, perhaps through 10 or more servers and routers, and would be readable by anyone with access to any of the networks along that route.

At VolunteerKinetic we offer SSL to all our customers and encourage them to use it at all times on their websites; it's simple, quick and prevents these types of attacks.

When storing data that may be sensitive, it's important to protect it so that if the physical data is stolen it cannot be read. At VolunteerKinetic we extensively use a one-way method called 'hashing' to protect passwords and other sensitive data; this turns the original text into a fixed-length digest that cannot be reversed, so a cyber criminal who steals the stored digests cannot simply read the passwords out of them.

123456 is NOT a password!

No matter how complex and hardened your encryption procedures and policies are, they are useless if your server or your members' accounts are protected by weak passwords. The recent Ashley Madison data breach showed just how bad we are at choosing good passwords and how bad websites are at enforcing decent password policies. The most popular password by a country mile was 123456 (http://qz.com/501073/the-top-100-passwords-on-ashley-madison/)!

Enforce and use complex passwords

There are loads of great password strategies around. For instance, http://www.healthypasswords.com/content.Healthy_Passwords_the_four_password_strategy_options.html recommends a cookbook-style system where you link together fragments to form tough passwords that you can still remember.
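To show the two tips above working together (rejecting weak passwords such as 123456 before they are accepted, and storing only a salted one-way hash rather than the password itself), here is an added example written for this article; it is not VolunteerKinetic's code. The denylist, the 12-character minimum and the PBKDF2 round count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample denylist of common leaked passwords (the Ashley Madison
# top entry "123456" among them). A real deployment loads a far larger list.
COMMON_PASSWORDS = {"123456", "password", "12345", "qwerty", "123456789", "abc123"}
MIN_LENGTH = 12          # assumed policy value
PBKDF2_ROUNDS = 200_000  # assumed work factor; raise as hardware gets faster


def password_is_acceptable(password: str) -> bool:
    """Policy check: reject known-common passwords, short passwords,
    all-digit strings and strings built from only a few distinct characters."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    if len(password) < MIN_LENGTH:
        return False
    if password.isdigit() or len(set(password)) < 4:
        return False
    return True


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm, rounds, per-user salt and the
    PBKDF2-HMAC-SHA256 digest. The plaintext password is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str) -> Optional[str]:
    """Apply the policy, then hash. Returns None when the password is rejected."""
    if not password_is_acceptable(password):
        return None
    return hash_password(password)
```

Because each user gets a random salt, two members who choose the same password end up with different stored records, so a stolen database cannot be attacked with one precomputed table.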

Train your staff in how to spot potential cyber threats

Make sure your staff are well trained in spotting potential phishing attacks that arrive via email. Have a policy covering email attachments and enforce a website safelist (whitelist), and try to prevent your staff from allowing unchecked programs onto your network.

Update your software, operating systems and applications

Exploits are routinely found in software. Crackers actively seek out servers running out-of-date versions of software and attempt to exploit known bugs. Keep everything up to date and never ignore update warnings.

Why are you storing sensitive data?

Finally, if you don't need to store sensitive data, don't! You should regularly review the information you are storing and ask whether it is necessary or useful to keep it.

Unfortunately, no data that has to be accessible can ever be 100% safe. You could take your server, unplug the network cable and lock it in a bank vault, and it would probably never get cracked, but it wouldn't be much use either! All you can do is ensure that the data you hold is as small as possible and as well protected as possible, so that if you do get cracked the damage is limited or mitigated.

Ask questions of your server and network team, ask them to demonstrate that they are taking security seriously and are regularly monitoring it, and don't be afraid to get involved!

Our thanks to Steven Hall, Head Of Implementation Team at VolunteerKinetic, for his time and thoughts on this matter.