Toyota has suffered three major security breaches in the last five weeks.
On February 21st its Australian subsidiary’s email and other online systems were breached and partially disabled. Then on 29th March the company announced that both its Japanese HQ and Vietnamese subsidiary had been hacked.
All told, some 3 million customer records may have been exposed to outsiders.
The breaches look to be the work of a Vietnamese hacker group called APT 32 or Ocean Lotus, which has links to the Vietnamese government.
Security pundits have piled in, with some blaming a generalised negligence in some larger organisations about cyber risk, and the fact that Toyota (still) seems unclear on exactly what customer data has been exfiltrated. With other recent reputational issues weighing on it, perhaps some finger pointing at the company’s technical acumen was to be expected.
But let’s also take a reality check. Given the level of governance, media scrutiny, regulatory and investor oversight the company faces in multiple jurisdictions, does it really make sense that it hasn’t been working day and night – with a huge IT team and associated budgets – to make the business secure?
In cybersecurity the size of an organisation matters.
A multinational like Toyota will have invested millions in the latest security software, hardware, services and brainpower.
But spending power isn’t enough.
Smaller companies have to contend with smaller IT budgets, but a company Toyota’s size has to meet the challenges of networking together a huge, geographically distributed physical and digital presence.
Toyota has numerous manufacturing facilities, an extensive supply chain, dealer networks, country web sites, apps, connected automobiles, technology and distribution partners, investors, and consultants around the globe. With current technology, is it even possible to make an organisation like that cyber bulletproof? The growing consensus in InfoSec circles is ‘of course not’.
Small or large, it’s not a matter of if a breach will happen, but when.
Preparation, mitigation, and damage limitation
Zero breach targets and impenetrable networks will always be an objective of cybersecurity programmes. That’s probably a good thing – even if perfection isn’t technically possible, you have to aim for it in order to even get close.
But alongside those targets have to be equally important objectives around risk mitigation: creating an IT environment where the extent of breaches can be limited, their damage minimised, and where fast detection is the norm.
We don’t know yet exactly when the Toyota breaches actually occurred — only when they were reported. A global study last year found that, on average, it takes six and a half months for a security breach to be discovered. That means a hacker could have up to 197 days to enter and explore a company’s network, moving laterally from servers to endpoints, trying to steal information or install more malware.
When it comes to minimising the cost of a breach, the same study shows that time to detection makes a huge difference. Companies that could contain a breach in under 30 days saved more than $1 million USD compared to companies needing more than 30 days.
How to make breaches less damaging
Cyber-criminals also come in different shapes and sizes.
There are hacktivists, hobbyists, criminal gangs ranging in size and sophistication, and then state-sponsored actors of the kind being blamed for Toyota’s string of breaches.
With the types of attack they devise changing, and the costs they incur growing, investments in security architecture and monitoring have to be accompanied by a parallel strategy of training staff and empowering them to see the signs of a breach. We may yet discover that the Toyota hack began with an employee inadvertently clicking on a phishing email link and compromising company servers.
Large or small, organisations can significantly reduce the risk of a cyber-attack and its related costs if attacks can be detected more quickly. You can improve that dramatically by investing in a programme of security awareness training for employees. They work at the front line of most breaches, and could become your strongest line of defence.