The Ashley Madison Hack: 5 Takeaways For Brands

Here are the steps you can take to avoid becoming the victim of a hack that puts your customers' data in the hands of those who wish to do you harm.

By Kristine Schachinger.

The Ashley Madison hack is so two months ago, right? Unless you were personally affected, you have likely forgotten about it. Though you may not have been negatively affected, for the people who were, this revelation of personal data will continue to do damage for years to come. So whatever your personal opinion about the site or the people who chose to use it, there are real and valuable lessons here for any company that collects or deals with personal information.

The damage from the Ashley Madison hack was extraordinary. There are two linked suicides. Gay men in some countries fear for their lives. Executives of corporations have been outed as potential philanderers. Blackmail has run rampant. The ghost (and lawsuits) of Ashley Madison will haunt people for years. The damage will propagate even longer. Marriages will end. Employees will be fired. Lives will be torn apart. Some of the accused will even be innocent, never knowing how their data got into the Ashley Madison database in the first place. Not to mention the sheer amount of data that is now out there to sit forever on the interwebs. The Ashley Madison hack revealed more than just customer data, including their sexual proclivities and credit cards. Company data and internal communications have also been laid bare to the world, from how Ashley Madison structured their intranets to how they never deleted all those accounts clients thought they had paid to remove. The breach was utterly complete. But how does this affect brands? If you're at the C-level, the question is how could it not?

The Impact Team: A New Kind Of Hack

The Impact Team was not your ordinary hack:

"The hackers behind the breach, who call themselves The Impact Team, first released snippets of the data back in July. After nearly 30 days, they then dumped 10GB of customer information, shortly followed by another 20GB of internal data. Minutes ago, the hackers also posted a third data dump."

Why did they hack Avid Life Media's site? Ashley Madison wasn't targeted because of the site's concept, which encouraged members to cheat on their spouses. It wasn't because if you had your name added without your knowledge you could pay to have it removed. The biggest motivator for the hackers was the way Ashley Madison did business. The Impact Team knew there were no women on the site. They knew Ashley Madison was taking money and defrauding people. The Impact Team tried to set right what they saw as a great wrong: Ashley Madison's very existence. The hackers even warned Avid Life Media that if they didn't change their ways, pain was coming. That pain would be in the form of hacked and stolen data shared with the world. To prove their intent, The Impact Team sent stolen information to Avid to show they had indeed compromised its systems. Avid did nothing, for months. They seemed to take the tack that ignoring it made it not so. Then Impact released everything they had taken – all 30 or so gigabytes. Is the Impact Team done? Not yet. Ashley Madison is said to be the first in a line of sites they will be taking aim at in the near future. Some have applauded this effort because of who Avid is as a company. But what if someone loathes something your company does? What if someone despises your CEO or your business practices and wants to wreck your reputation with your loyal customers? Hacking is becoming scarily easy. The tools that make it easy are now conveniently available to just about anyone. Instructional videos and sites that provide step-by-step hacking instructions can be found nearly anywhere online. It no longer takes someone with a deep understanding of how sites work or how the Internet functions to target you. Are you protected? What is your company doing to prevent this happening to you?

Site & System Security

When is the last time you had your code tree checked? When did you have your last security audit? Do you know where your systems are vulnerable? If the answer to any of these questions is no, then you might just be leaving yourself open to a situation similar to Ashley Madison. Sure, you may not have people's proclivities tied to their name on your servers, but if you are collecting data or have internal documents and emails on a connected system, you too could be vulnerable. So what do you do? Everyone has their own security protocols and we could never cover all options here, as they are as diverse as they are variable. However, there are steps you can take to make sure you don't get that call that your data is now in the hands of those who wish you harm.

1. Security Assessments & Risk Management

When is the last time you had your site and your networks checked for vulnerabilities? Did you know you could set up a command and control center inside your four walls with a printer firmware update? Did you know that it's possible to create a working company badge with a search on eBay and about $50? Are you vulnerable to simple password fails, like someone on your team using "12345" for any accessible interfaces? As we move into the Internet of Things, this is just going to open more opportunities for hackers. What have you done to assess your risk?

Takeaway: If you can't remember when your company did a company-wide security audit, now is the time. These should be done on an ongoing basis, not just for your website but for anything connected to the Internet. Even air-gapped computers aren't immune from attack. Hire a company to review not only your online security but also the weak links in your offline structures, especially your people. Preventative measures aren't always cheap, but they are much less expensive than the alternative.

2. Social Engineering & PIS

Have you trained your staff to understand how they can be used in an attack on your company? "PIS" or Person In Seat is the most vulnerable access point in any corporation. What has your company done to prevent access through your own staff? What have you done to make sure your staff is motivated to prevent someone from attacking you?

Takeaway: Teach and train your staff about how they can be the weakest link in a secured system. Do they know about "phishing"? Do they know why they can't use simple passwords? Do they have protocols in place for those times when someone tries to gain access to the network outside the system? Do they know them? They should. The recent attack on the CIA director's AOL account was done almost solely using social engineering. Protect your company and teach your people how not to get used to help someone gain network or site access.

3. Network Monitoring Software

While your network is likely designed to protect against attempts to enter through the front door, this is useless if attackers can find a way through a locked door you don't know about. So what do you do?

Takeaway: The attacks against Sony, Ashley Madison, and even the actions of Edward Snowden could have been stopped (or at least the harm reduced) with the addition of network monitoring. Network monitoring will warn you about any unusual activity, such as large amounts of data leaving through an "open door" you just found out about. It gives you time to react and shut it down. Maybe someone will leave with a beer you left in the refrigerator, but the kitchen will remain intact.
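As an added illustration that is not part of the article, here is the kind of egress check a monitoring tool makes for the "large amounts of data leaving" described above, run over constructed flow records; the hosts, destinations, and the 10x / 100 MB thresholds are all assumptions.

```python
# Added example (not the article's): flag hosts whose outbound volume in an
# hour far exceeds their own baseline, the "large amounts of data leaving"
# that network monitoring is meant to warn about.
from collections import defaultdict
from datetime import datetime

# Constructed flow records: timestamp, internal source, destination, bytes out.
# The last 10.0.0.5 record is a hypothetical 5 GB burst to a new destination.
FLOWS = """
2015-08-18T01:00:00 10.0.0.5 203.0.113.9 1200
2015-08-18T01:05:00 10.0.0.5 203.0.113.9 900
2015-08-18T01:10:00 10.0.0.5 203.0.113.9 1500
2015-08-18T01:15:00 10.0.0.5 203.0.113.9 1100
2015-08-18T02:00:00 10.0.0.5 198.51.100.7 5000000000
2015-08-18T01:00:00 10.0.0.8 203.0.113.9 800
2015-08-18T02:00:00 10.0.0.8 203.0.113.9 700
"""

def parse_flows(text):
    """Turn the whitespace-separated records into tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records

def hourly_egress(records):
    """Sum bytes sent per (source host, hour bucket)."""
    totals = defaultdict(int)
    for ts, src, _dst, nbytes in records:
        totals[(src, ts.replace(minute=0, second=0))] += nbytes
    return totals

def flag_exfiltration(records, factor=10, floor=100_000_000):
    """Return (host, hour, bytes) for hours where a host sends more than
    `factor` times its own typical hourly volume AND more than an absolute
    floor (100 MB here, an assumed threshold). The floor keeps nearly idle
    hosts from alerting on noise; the ratio catches a real change in habit."""
    per_host = defaultdict(dict)
    for (src, hour), n in hourly_egress(records).items():
        per_host[src][hour] = n
    alerts = []
    for src, hours in per_host.items():
        volumes = sorted(hours.values())
        baseline = volumes[(len(volumes) - 1) // 2]  # lower median hour
        for hour, n in sorted(hours.items()):
            if n >= floor and n > factor * baseline:
                alerts.append((src, hour.isoformat(), n))
    return alerts
```

Calling `flag_exfiltration(parse_flows(FLOWS))` reports only the 5 GB hour for 10.0.0.5; a real deployment would feed the same logic from NetFlow or firewall logs and alert on the result.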

4. Response Readiness

In today's cyber environment, you will likely suffer breaches. Most of them will probably be small, and some maybe even insignificant. But what do you do when all preventative measures have failed and you have lost control? Are you ready to respond? Do you have protocols in place? Does everyone responsible know what to do?

Takeaway: Having your network compromised is inevitable. Even the most highly secured locations can be, and have been, on the receiving end of hackers' intent. When the inevitable attack happens, what do you have in place to stop it? What protocols have you given your team? Have you given them the authority to act? With the help of cybersecurity experts you can stop an attack in its tracks and minimize the damage. However, if your team can't act with the necessary authority, procedures aren't in place to deal with intrusions, or there isn't a plan on the table for how to shut your systems down or isolate the intruder, then you may make extremely expensive mistakes. Companies like Mandiant (FireEye) Security have put together a quick fact sheet covering what you need to know when thrust into this frightening position.

5. Next Steps?

OK, you did everything you were supposed to do. You secured your networks, trained your people, added the right security software, even had a security firm run an in-depth audit over your entire process. But you still got hacked. Data was stolen. People's identities are at stake. Maybe they got trade secrets or, like in the case of Ashley Madison, they are set on embarrassing you and your customers. What do you do now? When a breach occurs, there are many considerations. What are the legal implications? How can you protect trust with your users? How do you minimize the damage? While there are no easy answers, what is most important is that you know exactly what your company has to do in the event this happens. Time wasted between the attack and the reaction is time that can land you in more dangerous waters. Whether it is damage to your reputation, your users, your team, or all of the above, you have to know what the plan is when (not if) this happens.

Protect Your Brand’s Assets Now!

While we all hope the worst doesn't happen to us, the likelihood of never getting compromised is unrealistic. Don't be the lowest hanging fruit. Taking these steps should provide enough protection from those who want to harm your brand.

Written by Kristine Schachinger

CEO

Kristine has worked for 18 years in the creation, development, implementation and maintenance of websites in all sectors including government, academia, entertainment and e-commerce, with a focus on usability, architecture, human factors, W3C, Section 508 and WCAG accessibility compliance as well as additional specializations in SEO, ORM and social media. Currently focusing on monthly SEO Support, Site Audits and Penalty Recovery, working with small business to Fortune 500 companies on increasing their website visibility and online presence.

Inked is published by Linkdex, the SEO platform of choice for professional marketers.