The dating website for cheaters - Ashley Madison - has been hacked, releasing the personal details of potentially millions of users around the world. The website boasts approximately 37 million users worldwide, whose records, names and addresses are at risk of being brought into the spotlight.
Needless to say, a crucial aspect of Ashley Madison's offering was a promise to its members that their personal information would remain secure, private and confidential. The confidentiality and security of personal information is an attribute that customers increasingly seek out as more and more companies become targets of hacks and data breaches. In the last two years, prominent companies such as eBay, Target and Sony, among many others, have fallen prey to cyber-attacks. Closer to home, cyber-attacks on Australian businesses and government increased by 20 per cent last year.
The Ashley Madison hack is a reminder of the rise in cyber-attacks, the loss and damage that they cause, the cost to your business to take corrective action and the need to implement strategies to reduce the probability of your business and its customers becoming victims of a cyber-attack.
In light of the prevalence of the threats of hacking, the Australian Department of Defence has made cyber security a "top national security priority for Australia".
HOW VALUABLE IS YOUR HACKED DATA?
Thomas Holt and Olga Smirnova, in their publication Examining the Structure, Organisation and Processes of the International Market for Stolen Data (2014), elucidated just how much your hacked data may be worth. For instance, your 3-digit CVV security code is worth approximately USD 2, bank account details go for around USD 5, and your PayPal or eBay account details bring in around USD 27.
STRATEGIES - WHAT CAN YOU DO?
IT: According to the Australian Signals Directorate, at least 85% of targeted cyber intrusions could be prevented by implementing the following 4 strategies:
- using application whitelisting to prevent malicious software and unapproved programs from running;
- patching applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office;
- patching operating system vulnerabilities; and
- restricting administrative privileges to operating systems and applications based on user duties.
Insurance: Whilst it doesn't replace the need for data protection, you should consider taking out cyber insurance as part of your overall risk management strategy. Unlike traditional insurance, cyber insurance is designed to meet the needs of your business in the digital age. However, as with all types of coverage, cyber insurance has its limitations. Therefore, you should thoroughly research your options before deciding to invest in cyber insurance or other means of data breach prevention.
Privacy Act: If your business has an annual turnover of $3 million or more, you must comply with the Privacy Act, which regulates the handling of personal information about individuals. Among other things, the Act requires businesses that hold personal information of individuals to take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss and from unauthorised access, modification or disclosure - this includes steps to prevent the hacking of your systems.
Contract: You can impose contractual obligations on your service providers that handle personal information or other sensitive data connected with your business. Such obligations may include obligations to maintain confidentiality and to comply with the requirements of the Privacy Act regardless of whether or not your service providers have an annual turnover of $3 million or more.
Ultimately, the degree to which these strategies are implemented will depend on the sensitivity of the subject matter a business or individual deals with. However, given the increasing pervasiveness of cyber risks, and the ease and willingness with which hackers infiltrate even the most complex security systems, one should not underestimate the need to implement strategies to strengthen one's cyber security.