Shirbit Cyber Security Hack Raises Queries of Corporate Security Protocols
Following the December 2020 cyber-security hack against the Israeli financial sector, Shirbit’s response raises the question of whether corporate security procedures are doing enough to mitigate risk and address data security breaches.
Early last December, one of Israel’s largest insurance companies, Shirbit, revealed to the public that it had been subjected to a data security breach in which the cyber-criminals who go by the name of Black Shadow obtained medical records of Shirbit clients. The hackers presented the insurance company with an initial one-million-dollar ransom demand that was to be paid within 24 hours, with the ransom amount increasing every 24 hours thereafter. During this time, rather than seeking assistance from professional cyber-security experts, the management team at Shirbit sought to handle the situation internally, which evidently culminated in a disastrous result.
One of the main recommendations cyber-security organizations stress is that victims of data breaches refrain from communicating directly with the perpetrators. Nevertheless, Shirbit’s management not only disregarded this standard practice and attempted to negotiate directly with the hackers, but also sent an SMS notification to their clients stating that a data security breach had occurred, yet there was nothing to worry about. Seemingly, they were incredibly wrong.
Why This Specific Breach Matters
As briefly touched upon earlier, the hacking group stole the medical records of 300 clients; however, no credit card information had been obtained. That being said, the company blatantly failed to acknowledge the severity of the medical records, as nearly all of them belonged to government employees, potentially including intelligence officers, which could pose a massive national security threat.
A crucial takeaway of this data security breach is the deliberate disregard the company showed for its clients’ privacy protection: leaked text conversations between the hackers and the management team show the company attempting to save its reputation rather than mitigate the consequences. Additionally, the company revealed that it was refusing to pay further ransom demands from the group.
Lessons Learned For Other Companies
If there is anything to learn from this textbook example of what high-profile businesses should not do during a data breach, it is that companies need to think proactively rather than reactively. You may be wondering how companies can begin doing so other than by implementing information security compliance protocols, and the answer is quite simple. While the data stolen from Shirbit may have been just medical records to the management team, companies need to think not only about the information in their possession but also about what the value of that information would be in someone else’s hands.
That a company with such a high reputation in the financial sector failed to bring the situation to the authorities’ attention within a reasonable time frame shows it was unable to see the value of the breached data to begin with. This poor judgment on the part of the company not only reflects poorly on its ability to operate a business but also comes at the expense of its high-profile clients.
The Need for Tightened Compliance
If there is one key takeaway from the events that transpired at Shirbit, it is that there is an imperative need for regulations that hold executives accountable for failing to comply with information security protocols, especially when there is an evident disregard for the protocols recommended by compliance agencies. Additionally, there is an apparent need for an executive or a member of the board of directors at every company to have knowledge of information security, so that companies have a direct point of contact for security threats and have protocols that are explicitly implemented by someone qualified within the company.
While Shirbit clearly failed in many ways to properly secure its systems, this incident stresses the need for more stringent information security protocols, regardless of whether a business is a regulated entity or not. These days, cyber-criminals such as Black Shadow are becoming more and more sophisticated in their craft. If companies do not implement the proper compliance protocols within their business operations, they are at a heightened risk of being the next victims of an attack.
This includes ensuring that all systems and firewalls are continuously monitored and updated, and educating employees on what they need to do if a cyber breach occurs. Even more so now, at the height of the COVID-19 pandemic, with more and more employees working remotely from their homes, businesses should actively draw lessons from the current global crisis, as well as from what occurred at Shirbit, to develop and implement a new operating model that integrates more remote-working resilience. It is also imperative for businesses to understand how their overall risks of cybercrime have changed and to rebuild their strategies to address threats and minimize ongoing risks during these unprecedented times.
The next logical step for compliance at corporations such as Shirbit, which store sensitive information, is to follow the example of the SOX Act, implemented in 2002 after numerous accounting scandals that resulted in billion-dollar losses due to a lack of accountability from higher-up executives. By passing compliance laws that directly hold executives accountable for their lack of regard for ethics, businesses become obligated under the law, with legal consequences should they ignore their duty to protect client data.
Shirbit’s disastrous attempt to mitigate its losses should be more than a wake-up call for all businesses, regardless of the sector they operate in. To ignore the evidence that cyber-criminals remain capable of compromising any company that holds sensitive data will lead to severe consequences in the future.
The wisest course of action for businesses in the future is to realize that while the type of data they hold may not seem significant to them, in the hands of someone with ill intentions it can lead to massive fallout and potentially dangerous outcomes for their clients.