With a market value of $2.8 billion, VTech is a relatively small company when compared to other companies that have been hacked in the past. The breach opens up concerns about how securely smaller companies are keeping sensitive data as breaches increase due to the massive amounts of data being collected by companies large and small. As the larger companies beef up cyber security using the larger budgets at their disposal, smaller companies could begin to be targeted more often. While these companies hold less data, they also have less protection to get around. In this instance, hackers were able to get information that should have been obscured or unrecoverable but was insufficiently protected.
“The information that has come out would lead any security practitioner to the conclusion that VTech faltered,” says Ensey. “They weren’t even really encrypting the data; they were hashing the data, which is just a fancy way of obfuscating it, or making it look semi-encrypted.”
So what can companies do to protect themselves from similar data breaches? Chris Ensey has some good advice on where to start:
- Don’t ask your IT department if you’re secure. It’s not the right audience to ask that question. You need to have a specialist come in and evaluate the security of your overall organization and any assets that you have that tie in to sensitive information that you should be protecting.
- No organization should expect the app and system developer to have the responsibility of security. They’re completely different disciplines. The team that develops your website or application, or whatever you have that accesses information, is designing a system for your business practices, not for your security. Outside counsel that focuses on security has received a lot of training in the specifics of what you need.
- Look for an outside vendor that can provide security monitoring and management on a 24-hour basis, especially if you’re an organization that has lots of sensitive intellectual property or identifiable information about customers. You don’t want to have to hire personnel to monitor your security, so pay the experts to do it for you. It’s cheaper and a lot of times a better option.
- Every organization should be looking at a strategy for encrypting data properly. Regardless of the data, regardless of the company, encryption is the last line of defense against hackers. If they are able to get through security, gain access to information, and take that information with them, it’s still useless if they can’t break the encryption.
- Test the systems you put online. When you get into online use of data, where a website or app can go into the database and pull information out so the end user can interact with it, you need to start thinking about whether the application or website can meet security standards and can be verified to show that people can’t exploit weaknesses.
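The distinction Ensey draws between real protection and a bare hash of the data, together with the point about encrypting data properly, comes down to this: an unsalted fast hash gives every user with the same password the same stored value, so a single precomputed lookup covers the whole table. The example below is added here and is not VTech’s code or anything from the article; it assumes a record format of my own (`pbkdf2_sha256$iterations$salt$digest`) and shows how to store and verify a password with a per-user salt and a work factor, plus a check that flags legacy unsalted records for re-hashing.

```python
import hashlib
import hmac
import os
import re

# PBKDF2-HMAC-SHA256 parameters (assumed values for this example). The
# iteration count is a deliberate slowdown so each guess costs real CPU time.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest."""
    salt = salt or os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # not in the format this example writes
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking, via timing, how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# A bare 32- or 40-hex-character value is the shape of an unsalted MD5/SHA-1
# digest: no salt, no work factor, identical passwords -> identical records.
LEGACY_UNSALTED = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")


def needs_rehash(record: str) -> bool:
    """True if the record is a legacy unsalted hash or uses outdated parameters.

    Call this after a successful login and re-store the password with
    hash_password() so the table migrates without resetting every user.
    """
    if LEGACY_UNSALTED.match(record):
        return True
    return not record.startswith(f"{ALGO}${ITERATIONS}$")
```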
The most important point Chris Ensey wanted to make was that organizations need to point the target at themselves.
“Every organization looks at the news and says, ‘I’m glad we’re not as big as these guys. We’re not a target like them,’” says Ensey. “In every case you need to look within, point the target at yourself and start to treat your approach to enterprise risk management with this in mind: you are as big of a target as a VTech, as a Home Depot. When you start looking at it in that frame of mind you can start to create a plan that addresses issues.”
You might find that you don’t know enough to make a decision, in which case you can bring in an expert to evaluate and help you out. However you do it, get secure, because size doesn’t matter when it comes to stealing information.