
Dangers from hacks stretch beyond broken computer systems


Karim Toubba joined password manager LastPass as chief executive in April 2022, as the company was separating from cloud security company GoTo, formerly known as LogMeIn Inc., and had planned several tech projects, including improvements to cybersecurity.


In August, LastPass disclosed a cyberattack that started in late July in which hackers stole source code and other business information.

In October, hackers struck again, using knowledge gathered from the first attack to get into LastPass’s third-party cloud storage service, Mr. Toubba said. In late November, LastPass disclosed the second incident, in which some customer information—not passwords—was exposed. Another update in December left customers confused as to whether their sensitive information was at risk.

Looking back, the company didn’t share enough details quickly, Mr. Toubba said. “I don’t think in hindsight we got that 100% right,” he said.

Part of the delay, he said, was in getting details from the cloud company, which he declined to name. “We had to do a fair bit of work with our cloud provider to get, file by file, what was accessed,” he said.

Deciding what information to disclose and when is a difficult task, executives say. It is also one that carries growing risks for companies that get it wrong, as regulators more closely scrutinize public statements and filings for missteps.

The U.S. Securities and Exchange Commission last week settled with software maker Blackbaud Inc. over charges related to a May 2020 ransomware attack. Blackbaud, the SEC said, had failed to disclose that hackers had accessed sensitive information during the episode, affecting hundreds of charities, medical facilities and educational institutions in several countries. The breach included donor bank account information and Social Security numbers. Blackbaud agreed to pay $3 million to settle the charges.

“Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape,” said Tony Boor, Blackbaud’s chief financial officer, in a statement.

The SEC charged a number of financial firms in 2021 over problems with data-breach notifications, along with U.K.-based publisher Pearson PLC. The company, which the SEC said mischaracterized a breach as a hypothetical issue when it knew one had occurred, settled with the agency for $1 million. A spokesman said Pearson was pleased to resolve the matter.

Cybersecurity companies should be held to a higher standard than others in relaying information about hacks quickly and thoroughly, Mr. Toubba said. “You better be very communicative and understanding of how the market will perceive you,” he said.

Even experienced companies sometimes get it wrong. Identity protection firm Okta Inc. came under criticism for how it handled a data breach in March 2022 that came through the hack of one of its suppliers. At some points during the early stages of its incident response, Okta conveyed wrong information.

Okta has since changed processes for discussing a cyberattack in public and with customers, Chief Executive Todd McKinnon said during a WSJ Pro Cybersecurity conference in December. That includes setting up private communication channels with clients to update them directly.

The lessons learned from cyberattacks can be just as important as how a company responds to a breach, security chiefs say. After hackers targeted a software tool developed by Miami-based technology services provider Kaseya Ltd. in July 2021, the company began strengthening its cybersecurity team and its practices, said Jason Manar, chief information security officer.

Mr. Manar, who investigated the Kaseya breach as a cyber agent for the Federal Bureau of Investigation before he joined the company in 2022, said Kaseya now uses industry best practices, including those from the Commerce Department’s National Institute of Standards and Technology and the American Institute of Certified Public Accountants.

LastPass has also rolled out several security tools in its infrastructure, data center and cloud systems, Mr. Toubba said. One improvement, he said, is requiring multifactor authentication to access the company's cloud-based development environment, a control aimed at the kind of source-code theft seen in the August incident. LastPass also hired a cryptography expert to expand the use of encryption, in some cases down to individual fields in databases rather than only whole disks or databases, he said.
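Field-level encryption of the sort mentioned above means each sensitive column value is encrypted on its own, so a database dump or a stolen cloud backup yields ciphertext rather than plaintext. The example below is added here to illustrate the technique; it is not LastPass's code and makes no claim about how LastPass implemented it. It assumes AES-256-GCM, a per-field context (table, column, row id) bound into the authenticated data so a ciphertext copied into another row or column fails to decrypt, and a demo key constructed inline where a real deployment would fetch the key from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// FieldEncryptor encrypts individual database fields with AES-256-GCM.
// The table, column and row id are fed to GCM as additional authenticated
// data, so a ciphertext moved to a different field no longer authenticates.
type FieldEncryptor struct {
	aead cipher.AEAD
}

// NewFieldEncryptor wraps a 32-byte key. Rotate keys well before 2^32
// encryptions, since GCM nonces here are random 96-bit values.
func NewFieldEncryptor(key []byte) (*FieldEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// fieldContext is the AAD: NUL-separated so "a"+"bc" and "ab"+"c" differ.
func fieldContext(table, column, rowID string) []byte {
	return []byte(table + "\x00" + column + "\x00" + rowID)
}

// Encrypt returns base64(nonce || ciphertext || tag) suitable for a text column.
func (f *FieldEncryptor) Encrypt(table, column, rowID, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nil, nonce, []byte(plaintext), fieldContext(table, column, rowID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt only succeeds when key, nonce, ciphertext and field context all match.
func (f *FieldEncryptor) Decrypt(table, column, rowID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], fieldContext(table, column, rowID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, tampered data or wrong field context")
	}
	return string(pt), nil
}

func main() {
	// Demo key constructed for this example only; a real deployment fetches
	// the key from a KMS/HSM and never stores it next to the database.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	fe, err := NewFieldEncryptor(key)
	if err != nil {
		panic(err)
	}
	ct, _ := fe.Encrypt("customers", "bank_account", "row-1001", "DE89 3704 0044 0532 0130 00")
	fmt.Println("stored value:", ct)
	pt, err := fe.Decrypt("customers", "bank_account", "row-1001", ct)
	fmt.Println("decrypted:", pt, err)
	// The same ciphertext pasted into another row fails authentication.
	_, err = fe.Decrypt("customers", "bank_account", "row-1002", ct)
	fmt.Println("moved to another row:", err)
}
```

Binding the row id into the authenticated data is what distinguishes this from simply encrypting each column with the same key: without it, an attacker with write access could copy one user's encrypted bank account into another record and the application would decrypt it without complaint.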

At Kaseya, security staff are now embedded with other teams, Mr. Manar said. The move aims to decrease the likelihood of human error leading to a successful attack, he said, by providing immediate points of contact for staff on security issues.

“What I tell people, ever since I got here, is that it’s about process. We’re going to be better today than we were yesterday, and we’re going to be better tomorrow than we were today,” he said.

 


