Trinidad and Tobago Guardian: December 3rd 2015, BG16 TECHNOLOGY
BUSINESS GUARDIAN www.guardian.co.tt
From small start-ups to large businesses today are increasingly going digital. The reasons are quite compelling: better time accessibility; improved insight; greater business competitiveness; and, ultimately, a stronger bottom line. But, as recent high-profile data breaches show, there are also huge risks in keeping company records in online
But cyber attacks are not just a problem for high-profile corporations. If you think your business is too small to attract the attention of hackers, think again. In today's connected world of business, the trend lines are clear. Any organisation---big or small---that does not have the necessary security measures in place to defend against the inevitable cyber-attack is likely to be breached.
That's exactly what happened when the servers of Hong Kong-based toy and gadget maker, VTech, were compromised and the personal information of almost five million parents and more than 200,000 children was exposed earlier last November.
VTech sells children's tablets, electronic learning toys and baby monitors and maintains an online store, called Learning Lodge, where parents can download apps, ebooks, and games for VTech products.
The company said the breached database included names, email addresses, passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses, download histories and children's names, genders and birth dates.
The tech news Web site, Motherboard, said it spoke to a hacker who claimed to be behind
The hacker, who requested anonymity, told Motherboard that they gained access to the company's database using a fairly well-documented method known as SQL injection, via the company's Web site form.
The hacker was then able to break into VTech's Web and database servers and gain access to customer data.
An analysis of the breached VTech data was done by security expert Troy Hunt at his Web site, TroyHunt.com. Hunt found that information that should have been obscured and unrecoverable if the databases were breached---such as passwords and secret answers---either wasn't obscured at all or was obscured using very weak security measures.
Hunt analysed the data and found 4,833,678 unique email addresses with their corresponding passwords. The passwords were protected with an algorithm known as MD5, which is considered trivial to break. Furthermore, secret questions used for password or account recovery were also stored in plaintext, giving attackers easy ammunition in attempts to access other online accounts belonging to users in the breach---for example, Gmail, Amazon, Facebook or even online banking accounts.
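The gap between the MD5 storage Hunt describes and salted, deliberately slow password hashing can be seen in a short Python sketch. This is an added example, not code from the original article, from Hunt or from VTech; the sample accounts, the PBKDF2-HMAC-SHA256 scheme, the iteration count and the upgrade-on-login step (which goes beyond what the article covers) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts that happen to share one password.
SAMPLE = {"parent1@example.com": "sunshine1", "parent2@example.com": "sunshine1"}
ITERATIONS = 600_000  # assumed work factor for this demo; tune for your servers


def md5_record(password: str) -> str:
    """Weak scheme from the article: a single fast, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_record(password: str) -> str:
    """Hardened scheme: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record format in constant time."""
    if record.startswith("pbkdf2$"):
        _, iters, salt_hex, key_hex = record.split("$")
        key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(key.hex(), key_hex)
    return hmac.compare_digest(md5_record(password), record)


def login_and_upgrade(db: dict, user: str, password: str) -> bool:
    """On a successful login, replace a legacy MD5 record with a slow one."""
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("pbkdf2$"):
        db[user] = slow_record(password)
    return True


if __name__ == "__main__":
    db = {user: md5_record(pw) for user, pw in SAMPLE.items()}
    print("MD5 records identical:", len(set(db.values())) == 1)
    for user, pw in SAMPLE.items():
        login_and_upgrade(db, user, pw)
    print("Upgraded records identical:", len(set(db.values())) == 1)
```

With unsalted MD5 the two accounts store the same value, so recovering one password reveals every account that shares it; after the upgrade each record carries its own salt and the two no longer match.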
Big firms, small firms, same risks
The VTech hack highlights a major problem with inadequate cyber security measures at companies that handle electronic customer data. As larger firms, with deep pockets, implement stronger security measures, smaller companies are becoming more attractive targets for cyber criminals.
A recent threat report from the Internet security firm Symantec found that three out of every five cyber-attacks in 2014 targeted small and midsize companies.
"The VTech has shown that the implications for smaller companies and their customers can be just as serious," said Stephen Lee, a security specialist and program coordinator for the Caribbean Network Operators Group,
According to Lee, the types of measures that could have better protected customer data were fairly basic security best practices that don't require a lot of money.
"What we are observing is a trend where companies are not investing sufficiently in data security because they may not see any immediate positive impact to their bottom line. Employing dedicated cybersecurity expertise can be seen as an easy place to cut costs with minimal consequences; that is until something like this happens."
Protecting corporate data
It's important to note that theft is not the only motivator for hackers. Some hack just to prove that they can, others to cause mischief, embarrass an organisation, or even to right a
Fortunately, even basic protection can be a disincentive for hackers, forcing them to go elsewhere in search of easier victims.
There are simple steps that can be taken to prevent or mitigate a cyber-attack. These five guidelines can help you keep your corporate data safe.
1. Have a clear security policy
Supply your employees with clearly defined security best practices and policies such as: using strong password protections; updating software and hardware; securing networks when working remotely; and using personal devices, such as smartphones or laptops, to access company systems.
2. Don't store more than you need.
There's often no reason to keep credit card numbers, birthdates, national ID info and other sensitive customer information just to have it on file. Make it a policy to purge sensitive customer records from your system once that data is no longer relevant or needed. Where it must be kept, always keep it encrypted and
3. Educate employees
Many security breaches occur because employees unintentionally and unknowingly hand over sensitive business information to a hacker. All the hardware and software security investments in the world cannot prevent an ignorant user from unwittingly compromising your corporate systems.
The only way to combat this is by sensitising employees to end-user security best practices through regular, in-person training that empowers them to look for---and avoid---security
4. Encrypt sensitive data
Never transmit or store sensitive data unencrypted. Encryption makes it extremely difficult for unauthorized users to access data. Use an encrypted SSL protocol to transfer information between the website and your database. This will prevent the information being read in transit and accessed without the
5. Guard the gates
All company devices should have updated anti-virus, spyware and firewall protection. System administrators should also tightly control access privileges to ensure no account user has more access than they need to fulfil
Investment in additional, specialised intrusion prevention systems is recommended for businesses that must store particularly sensitive information, such as bank accounts and passport and drivers-permit data. Good patch management practice is also key to maintaining secure computer systems. IT managers need to monitor the security market closely, and adopt new products as technology evolves.
The VTech breach shows just how important it is for organisations to take data security very, very seriously. All it takes is one data breach to seriously damage a company's reputation or drive it out of business altogether.
By being constantly vigilant, making appropriate investment in security and in staff awareness, and incorporating basic measures to secure your organisation's technology platforms, you can strengthen your digital security and safeguard your valuable corporate data.
Bevil Wooding is an internet strategist at Packet Clearing House, a US-based technology research firm. He is also chief knowledge officer at Congress WBN (C-WBN), a faith-based international non-profit organisation, and is responsible for C-WBN's technology education and outreach initiatives. Twitter: @bevilwooding
Enemy at the cyber-gates
5 guidelines for protecting corporate data from attacks