UK-based IP Telephony service VoIPtalk warned customers of a potential data breach over the weekend. The firm has implemented tighter security controls and advised customers to change their passwords in response to the suspected hacker incident, which is still under investigation. IT security experts commented below.
David Gibson, VP of Strategy and Market Development at Varonis:
“The VoIPtalk attack illustrates that data breaches should be considered a real and inevitable possibility. Businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. The number of reported breaches will no doubt continue to increase. More companies are keeping more information from consumers and business partners, which increases the value of a potential breach. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs.
When you work under the assumption that your outer defences will be breached, it frames the data security challenge somewhat differently. Instead of pouring all of your energy into building a very high, very strong fence, spend more time securing what you truly need to protect: data. Make sure that once someone is inside, their activities will be observed and controlled. Just because you have a great lock on your front door doesn’t mean that cameras and motion sensors aren’t also a good idea. Similarly, monitoring user access and analysing it properly will help organisations identify attackers on their network and hopefully mitigate any damage.
Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”
Cynthia Leonard, Program Manager at HPE Security – Data Security:
“Hackers will steal anything of value and this story is no exception. We have a saying in security; it’s not a matter of if a breach will happen, but when. Beyond the threat to sensitive data, companies need to be concerned with the impact a data breach can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of cyber attacks and other attempts to get this sensitive information.
Enterprises need to follow best practices of encrypting all sensitive personal data as it enters a system. Encryption stays with the data whether at rest, in motion or in use, so if an attacker accesses the data, they get nothing of value. The ability to neutralise a breach by rendering data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure. Credentials that never need to be recovered in clear form should be strongly protected with state-of-the art methods, for example, strong standards-based keyed hashing.
Users should heed the advice to change their password immediately – for VoIPtalk as well as any other website where they use the same password. It has been widely reported that a high percentage of users admitting to reusing the same passwords over and over again. Attackers will always choose the path of least resistance, and that can mean using a password obtained for one website to access that same user’s account on another site that contains a bigger reward for the cyberthief. Even if the final website has impenetrable security, password reuse can allow an attacker to login without raising any alarm bells whatsoever.
While avoiding password reuse is the users’ responsibility, the onus for storing the passwords (as well as all other personal information) safely and securely falls squarely on the companies who collect it.”