BreachExchange mailing list archives

What does the Ashley Madison hack mean for CIOs?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Sep 2015 14:09:35 -0600

http://www.techrepublic.com/article/what-does-the-ashley-madison-hack-mean-for-cios/

The scary nature of the Ashley Madison breach has some important lessons
for CIOs everywhere.

It used to be that hacking was all about credit card data and identity
theft. What Ashley Madison and Sony before it have shown is that breaches
are now evolving - and focused on embarrassment.

All it takes is one disgruntled customer that has skills to breach your
security for skeletons to come out of the closet. For public companies this
could lead to hackers disclosing or using information to impact the
company's stock price. A single email about performance or strategy made
public could significantly shift a stock price and become a legal nightmare
in terms of corporate disclosure compliance.

Beyond this there are the embarrassing emails, potential merger and
acquisition discussions, personnel files and disciplinary procedures.

We can all laugh at those that decided to sign up to Ashley Madison but to
dismiss the risk of a breach as something that wouldn't impact us is naïve.
I am certain that if someone had enough data on my company it would lead to
some form of embarrassment that could lead to our brand being diluted.

With this threat, coupled with a driving directive to make information and
services more accessible and mobile friendly to customers, we are creating
a world where our data can be used against us and our customers at an ever
more alarming rate. Blackmail, embarrassment, corporate espionage and
unauthorized disclosures - this is the new Wild West for hackers and I
expect it will become the new norm.

It is unfortunate because I suspect that CIOs have been caught looking the
other way and spending money on protecting credit card data and leaving
company information and communications exposed to potential breaches.
Furthermore, the ability to control, protect and secure the huge amount of
data we have, not to mention understanding what could be used to exploit
and manipulate a company, is in my view unmanageable.

After Sony and Ashley Madison, other businesses will be sure to follow and
the next wave of sophisticated attacks will be targeted not against
companies' customers but rather against companies themselves.

We have neither the tools nor the strategy to manage this type of breach
and behavior. If asked by my CEO today if we can suffer similar
embarrassment and exposure I would have to say yes and would be misleading
if I said no. I cannot even evaluate what the risk is, let alone secure it.
With credit cards and personally identifiable information it was simple: I
knew where the information was and could put in defenses to secure it.

With this new threat I lack visibility over what to secure and what to
track to ensure that I can prevent information leaking from my organization
which could then expose the company to embarrassment. What Ashley Madison
means to CIOs is fear and unfortunately I have no answers to mitigate it:
do you?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 