Why Data Breaches are all About Trust

Let’s start this article off with a tally. How many times today have you had to put trust in someone or something? From trusting that the toothpaste you bought from the corner store wasn’t poison, to trusting that the car at the pelican crossing wouldn’t run a red light. We are surrounded by situations that rely on us making decisions based on trust.

There is a great quote from Frank Sonnenberg, author of Follow Your Conscience, that describes trust quite nicely: "Trust is like blood pressure. It's silent, vital to good health, and if abused it can be deadly."

When it comes to computer security, we require trust more than most. Your network engineer, your SOC analyst and your software developer all need to be in positions of privilege to do what they do. This, however, isn't the only way that trust affects us in the industry.

If you've been in internet circles for long enough you'll probably have seen a meme that goes something along the lines of "If it's on the internet then it must be true." At the risk of being that guy who explains the joke: it's funny because the truth couldn't be further from it. From political leanings and celebrity crushes to upbringing and beliefs, we all have biases and different ways of looking at the world.

These biases all play into who and what we trust. Why can two media outlets explain the same events in completely different ways? Why has there been a massive rise in 'fake news'? Why is the internet full of 'garbage'? All in all, it comes down to just this: we all have these biases, and we all trust different things.

Putting our security shades back on, how are we affected by trust? In March 2015, the web hosting provider 000webhost suffered a major data breach that exposed almost 15 million customer accounts. In October 2013, 153 million Adobe accounts were breached. In May 2014, the Avast anti-virus forum was hacked and 423 thousand accounts were exposed. We can see where this is going: these organizations have all suffered massive data breaches in one form or another, and in turn their customers have lost at least some of their trust.

There is a well-known quote on this that has been reworded countless times since its creation; the version by Robert Mueller says it best: "There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again."

This article isn't about bashing companies that have been breached, because, quite simply, at the end of the day most companies have been.

The final question we're left with is two-fold: how might this form of trust be regained after a data breach, and why should we bother? We can answer both of these questions by casting our minds back to October 2015. The TalkTalk breach of 2015 affected 156,959 customers, including 15,656 bank account numbers and sort codes.

Looking at the TalkTalk breach, we can break the way that an organization responds to an attack down into three main phases: pre-breach, the immediate aftermath of the breach, and the longer-term post-breach period. Having a strong foundation in each of these phases is key to keeping a strong brand and not losing the trust of those that matter.

Using the TalkTalk breach, we can see an example of failure in each of these phases. In the pre-breach phase, TalkTalk failed to encrypt key parts of its customer data, which should have been general best practice for the company.

Immediately after the breach, the company failed to deliver a sufficient response, and its successive public statements lacked continuity with one another. Finally, some time after the breach, it failed to treat its customers with empathy: it only allowed customers to leave their plans if they paid a termination fee.

All in all, we can see that each of these stages came down to a decision. This series of decisions then led to TalkTalk, less than four months after the breach, losing £60m and 101,000 customers.

It all comes down to trust, and to the fact that the decisions we make affect the trust that others have in us. Finally, as Warren Buffett said: "It takes 20 years to build a reputation and five minutes to ruin it."