Why a cyber security audit is vital: A lesson from Twitter’s data breach nightmare


The cyber-attack on Twitter on 15 July is a stark reminder that audits of data and systems security are both vital and a regulatory must for all businesses. Dozens of verified Twitter accounts belonging to high-profile individuals, including former US President Barack Obama and entrepreneurs such as Elon Musk and Bill Gates, were hijacked to post a bitcoin scam. The wide-scale attack appears to have been designed to run a cryptocurrency scam that may have netted over $100,000 within minutes. It is a further lesson that no one is exempt from a cyber-criminal attack, not even a tech giant such as Twitter.

As a result of the COVID-19 pandemic and the lockdowns still in place, remote working is becoming more common. The scale at which businesses now require staff to work from home has exposed potential weaknesses in software and internet connections that cyber criminals are taking advantage of. The risks posed by these attacks should be taken very seriously. While on the surface the hack appears to be part of a cryptocurrency scam, the operation could have had more serious motives: an attacker who can tweet from a verified account may also have access to read that user's confidential direct messages.

While it may not be feasible for the vast majority of firms to match anything like the security resources available to a large corporation such as Twitter, the incident should still serve as a wake-up call for compliance officers and partners to re-examine their own security systems: to ensure risk has been evaluated, that the firm remains compliant, that all staff are aware of the cyber-security dangers, and that there is a plan for improving defences.

The Data Protection Act 2018 and the General Data Protection Regulation 2016/679 (GDPR) affect all businesses. Having policies and procedures in place to protect the data of the people you hold information on is not just essential, it is a legal requirement. Failure to adhere to the legislative requirements can render a business liable to sanctions by its regulator or to significant fines.

A cyber-security audit is one of the most valuable exercises a business can undertake, and understanding the threats your business's data faces, not only from cyber-criminal attacks, is vital. Below are some of the risks that should be considered when completing an audit:

  • Malware and hacking attacks – being aware of external threats is vital to data security. Business technology is constantly evolving, and attackers are resorting to ever more sophisticated techniques to compromise business data.
  • Ransomware – businesses hold highly sensitive information and depend on being able to reach it, which is why this type of malware has gained popularity in recent years. The audit should cover how the business would recover its data and systems if they were encrypted.
  • Denial of service attacks – the rise of IoT devices has brought a dramatic rise in botnets, and denial of service attacks are now more widespread and more dangerous than ever. If your business depends on uninterrupted network service, you should assess the risks associated with a loss of service.
  • Malicious insider threat – one of the biggest threats to a business's data is its own employees or third-party vendors. Data can easily be leaked or misused, and unless you have specific monitoring tools in place it will be hard to detect.
  • Non-malicious insiders – another risk group is the careless or uninformed employee, as not all insider incidents are malicious. Data can be leaked unintentionally through errors such as forgetting to lock devices that contain sensitive information, downloading attachments or clicking links from suspicious email addresses, or visiting unauthorised or malicious websites from the firm's network. This includes remote workers.
  • Remote working – the COVID-19 crisis and the mandated lockdown forced businesses into a remote-working culture that many were not used to. Whilst there are some proven advantages, one of the biggest disadvantages is that remoteness can easily become carelessness about cyber-security. To address this, employees need to be made aware of just how easily information can be obtained and how they can protect themselves and their business. Most employees will be social media users, so the recent Twitter hack should be a relevant illustration when explaining the dangers.
  • Natural disasters and physical breaches – whilst these are rare, the consequences of suffering one can be devastating, so a plan to cover the loss should it happen ought to be in place.

The main takeaway from the Twitter incident is that attackers were able to get past Twitter's defences and reach internal tools that could act on any customer account. By Twitter's own account they did this not by defeating an intrusion detection system but by spear-phishing a small number of employees over the phone for the credentials that gave access to those tools. There is no justification in the modern world for keeping unrestricted back-door access to customer data, without tight limits on who can use it, logging of every use, and regular review, because if there is a way to do it, malicious actors will find and exploit it.

Despite a worldwide pandemic, hackers continue to unleash cyber-attacks on businesses. At AML & Compliance we work with existing businesses to review their current approach to data protection, enhancing it where necessary, and we assist start-ups and businesses that have not yet fully considered the impact of data protection. Our focus is to ensure that every business we work with understands and complies with the requirements of the legislation and so protects the data it holds, with proportionate and sensible policies that actively demonstrate the efforts taken to control and protect data.

To enquire about our Data protection and GDPR services and how AML & Compliance can work with your business you can call us on 0203 985 8553, email us info@amlandcompliance.co.uk or complete an enquiry form.
