Secure Trading’s Mustafa Al-Bassam outlines smart security strategies for companies at the Telegraph DEN Live Conference
Reformed hacker and Secure Trading Security Advisor Mustafa Al-Bassam spoke at the Telegraph DEN Live this Monday, as part of the Smart Security seminar, about the risks that data breaches pose to users and companies, and how to set up security strategies.
Having a unique insight into cybersecurity issues, Mustafa offers invaluable advice for businesses in this ‘golden era’ for data breaches, as he calls it. Highlighting some of the biggest corporate breaches of the last few years, he explained that “Pretty much every major company has experienced a breach”, so we should not assume that only those companies we hear about in the news have been hacked.
The biggest corporate breaches and the number of records they exposed:
- Yahoo (2013): 3 billion user accounts.
- Adult Friend Finder (2016): 412 million accounts.
- eBay (2014): 145 million accounts.
- Equifax (2017): 143 million accounts.
- Heartland Payment Systems (2008): 134 million credit cards.
Stolen data is used for identity theft, giving fraudsters access to a victim’s entire digital life. Sensitive data is extremely valuable in the digital economy because so many transactions are performed online. “Fullz” is underground-market jargon for a record containing a victim’s complete details: full name, card number, billing address, expiry date, PIN, social security number, mother’s maiden name and date of birth.
Holding a fullz lets a fraudster commit fraud repeatedly at the victim’s expense. Merchants carry an aggravated risk too, since identity theft is one of the most common causes of online fraud: an online retailer has to complete a payment without seeing the card or the cardholder, which opens the door to card-not-present (CNP) fraud, and the loss from a CNP fraud is borne by the merchant that accepted the payment.
The consequences for businesses are extensive and hard to measure. Consumer trust and reputation are severely damaged in breach cases. Users invariably wonder what happens to their stolen data. Mustafa answers: “It often gets sold on the dark web, and eventually gets leaked publicly.”
Some companies have incurred financial loss by paying large ransoms to hackers, as HBO and most recently Uber did. Others try to hide the breach from customers, the media and regulators. Neither practice is an advisable solution, according to Mustafa. Previous cases show that dealing with a breach is a delicate matter, yet, “the best approach is to be transparent,” he advises.
Companies that do not follow the regulatory framework face hefty fines, and failure to declare a breach is one of the most serious violations. The upcoming GDPR focuses on transparency and obliges companies to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it. The regulation’s maximum fines run to 4 percent of annual global turnover or €20 million, whichever is higher; failing to notify a breach falls into the lower tier, capped at 2 percent or €10 million, which is still enough to hurt most businesses badly.
Small and medium-sized businesses, although they may not make the headlines, are also targeted by hackers, so they should pay equal attention to security. More importantly, non-compliance fines can seriously hurt a business’s operations and finances. Businesses need to ensure that they are compliant with the law and have clear security measures in place.
Mustafa advises on the best security practices for companies to mitigate breach risks and ensure maximum customer data protection.
Best security practices for companies:
- Don’t prioritise convenience or uptime over security – apply security patches as soon as possible.
- Segregate your network and use access controls so that employees can only reach the data they need.
- Store passwords with a salted, deliberately slow password hashing algorithm such as bcrypt, scrypt or Argon2, never a plain fast hash. (Up to 98% of people use one of the same 10,000 passwords.)
- Penetration test your web apps and educate your engineers about the OWASP Top 10 Most Critical Web Application Security Risks.
- Run a bug bounty programme, so that tech-savvy individuals are compensated for reporting bugs in your systems.
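As an added illustration of the password-hashing point above (example code written for this page, not code from the talk or from Secure Trading): a salted, slow hash stored in a self-describing format, a constant-time verifier, and a dictionary attack run against both an unsalted fast hash and the salted one. The wordlist, user names and iteration counts are constructed for the example; PBKDF2 from the Python standard library stands in for bcrypt/scrypt/Argon2 so it runs with no extra packages.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the "10,000 most common passwords" wordlist the article mentions.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123",
    "football", "letmein", "monkey", "dragon", "baseball",
]

ITERATIONS = 200_000  # assumption: tune so one hash costs ~100 ms on your own hardware


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. Stored as: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    Recording the parameters lets you raise the cost later without breaking old records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def weak_hash(password: str) -> str:
    """What a site should NOT store: unsalted, fast SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes, wordlist=COMMON_PASSWORDS) -> dict:
    """Dictionary attack on unsalted hashes: hash each word once, then look up every
    leaked hash. Cost is len(wordlist) hashes for the whole database, regardless of size."""
    table = {weak_hash(word): word for word in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


def crack_salted(leaked_records, wordlist=COMMON_PASSWORDS) -> dict:
    """The same attack against salted slow hashes: every word must be rehashed per user with
    that user's salt, so cost is len(wordlist) * users * iterations. Common passwords still
    fall; the salt and the slow hash only make each guess expensive and non-reusable."""
    cracked = {}
    for user, stored in leaked_records.items():
        for word in wordlist:
            if verify_password(stored, word):
                cracked[user] = word
                break
    return cracked


if __name__ == "__main__":
    # Constructed "breached database": three users, two of them with common passwords.
    users = {"alice": "123456", "bob": "correct horse battery staple", "carol": "qwerty"}
    weak_db = [weak_hash(p) for p in users.values()]
    print("unsalted SHA-256 cracked:", crack_unsalted(weak_db))
    strong_db = {u: hash_password(p, iterations=1_000) for u, p in users.items()}
    print("salted PBKDF2 cracked:", crack_salted(strong_db))
```

The point of running both attacks is that hashing alone is not the defence: a strong algorithm turns a one-pass lookup into a per-user, per-guess cost, but a user who picked one of the top 10,000 passwords is still recovered. Pair the slow hash with a block on known-breached passwords at registration time.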
Secure Trading is 100% compliant with industry regulations and has a team prepared to advise you on the best option for your business. For further advice or to discuss specific requirements for online payment processing and fraud protection, contact our team: Call +44 (0)808 159 7217 or email [email protected]