Possibly the most embarrassing of the wave of computer hacks in late 2011 was the breach of Strategic Forecasting, Inc., the prominent geopolitical analysis firm better known as Stratfor.
The Daily Dot dissects what went wrong for Stratfor based on a leaked report from Verizon Business, which carried out a forensic investigation of the hack. The company claims the breach cost it $3.8 million in damages.
While the monetary damages were substantial for a relatively small company, Stratfor’s reputation was probably the greatest casualty as customers’ credit card details were exposed and the firm’s confidential files were distributed by WikiLeaks.
The frustrating thing is that none of this should have happened had Stratfor followed the basic IT security practices that every business should be following.
Don’t store credit card details
Probably Stratfor's biggest mistake was storing customers' credit card details on its own systems. A business that is not a payment processor has no good reason to hold its clients' card numbers, and data you never store cannot be stolen from you.
If you're accepting credit cards, use a payment service that handles card data for you: the card number goes to the processor, you keep only a reference to it, and the processor takes on most of the management hassle, security obligations and fraud risk.
In most cases these companies' fees are no higher than the card-processing fees that Stratfor, and any other business handling payments itself, gets hit with anyway.
Another basic mistake was that passwords were shared and kept simple. There is no excuse for giving staff a common password to confidential or critical files and systems; every person needs an individual account so that access can be limited and traced back to them.
Similarly, there was no 'need to know' policy: an analyst has no reason to have access to HR files, and the receptionist has no need to be looking at sales figures. Sensitive data should be accessible only to those who need it for their day-to-day work.
Remarkably, Stratfor had no properly configured firewalls, and many of its computers lacked up-to-date anti-virus protection. All of this made it easy for the attackers to get into the network and reach confidential information.
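The two points above, individual accounts and need-to-know access, are simple to express in code. The following is an added example written for this article, not code from Stratfor or from the Verizon report: users, roles and resource names are constructed for illustration. The point it demonstrates is deny-by-default: a role lists only the resources it needs, anything not listed is refused, and every decision is logged against a named individual rather than a shared login.

```python
"""Deny-by-default, role-based access control (added example, not from the article)."""
from dataclasses import dataclass, field

# Constructed sample data: each role lists only the resources and actions
# that role needs for day-to-day work. Anything absent here is denied.
ROLE_PERMISSIONS = {
    "analyst": {"intel-reports": {"read", "write"}},
    "hr": {"hr-files": {"read", "write"}},
    "sales": {"sales-figures": {"read", "write"}, "customer-list": {"read"}},
    "reception": {"visitor-log": {"read", "write"}},
}

# Constructed sample accounts: one account per person, each mapped to roles.
# No shared logins, so every audit entry names the actual user.
USERS = {
    "alice": {"analyst"},
    "bob": {"hr"},
    "carol": {"sales"},
    "dave": {"reception"},
}


@dataclass
class AccessControl:
    role_permissions: dict
    users: dict
    audit_log: list = field(default_factory=list)

    def _role_allows(self, role: str, resource: str, action: str) -> bool:
        # Missing role or missing resource both fall through to "no actions".
        return action in self.role_permissions.get(role, {}).get(resource, set())

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """Return True only if one of the user's roles explicitly grants the action.

        An unknown user has no roles and is therefore denied; every decision
        is recorded against the individual account.
        """
        roles = self.users.get(user, set())
        allowed = any(self._role_allows(r, resource, action) for r in roles)
        self.audit_log.append((user, resource, action, "ALLOW" if allowed else "DENY"))
        return allowed

    def who_can(self, resource: str, action: str) -> list:
        """Review helper: which individuals can perform `action` on `resource`?

        Useful for periodic need-to-know reviews; does not write to the audit log.
        """
        return sorted(
            user
            for user, roles in self.users.items()
            if any(self._role_allows(r, resource, action) for r in roles)
        )


def build_default() -> AccessControl:
    return AccessControl(ROLE_PERMISSIONS, USERS)


if __name__ == "__main__":
    ac = build_default()
    for user, resource in [("alice", "hr-files"), ("bob", "hr-files"), ("dave", "sales-figures")]:
        print(user, resource, "read ->", ac.is_allowed(user, resource, "read"))
    print("can read sales-figures:", ac.who_can("sales-figures", "read"))
```

Running the review helper for each sensitive resource is the cheap version of the access audit Stratfor never did: if a role shows up somewhere it has no business being, the fix is one line in the role table rather than a forensic investigation.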
The online pains of growing a business
In some respects it's possible to feel sorry for Stratfor's management: the report describes a classic case of a business that outgrew IT arrangements suited to a one- or two-person operation, founded by men who didn't understand the risks of the internet.
Today there’s no excuse not to have systems locked down or to lack a company culture that recognises data security as being essential in the modern business world.
Stratfor's hack was a spectacular example of what can go wrong, but it is a warning for all businesses about the importance of security in a connected world.