Why Do Companies Keep Getting Hacked?

One reason is that security isn't always a priority for developers in a rush to bring a product to market. Another reason is that humans are stupid.

Two weeks ago, a respected crowdfunding site, Kickstarter, was hacked. Snapchat was hacked the week before that. Skype's social media accounts were targeted the week before that.

"These days, criminal hacking is a business," Patrick Thomas, a security consultant at Neohapsis, tells Fast Company. "Everything that is done has a chain linked to real dollars. And hackers are looking for the shortest chain."

Sometimes, that entails stealing credit card numbers directly. Other times, it's selling user emails and passwords en masse on the deep web. Whether it involves an SQL injection or, in the case of Snapchat, the exploitation of faulty script, these recent incidences again beg the question: Why do major Internet companies keep getting hacked? Shouldn't we have learned our lesson by now?

One reason: Human beings are still the weakest link in the aforementioned chain to real dollars. "Humans can't be upgraded," says security blogger Graham Cluley in a phone conversation. "You can't fix the bug in people's brain that makes them click a link, or choose a really dumb password."

Take the recent Target hack, which leaked the personal data of 110 million customers. The breach reportedly began as an email-based phishing scheme. Although the retailer's consumer-facing website is well defended, hackers were reportedly able to gain access into Target's corporate network by using stolen authentication credentials from a subcontractor that dealt primarily in air conditioning. Someone in that subcontractor's office clicked something bad.

You can hardly blame them, though. Social engineering attacks over email have been refined to a point that they're, at first glance, unremarkable. They're now built to "sail right through spam filters," explains Thomas. "It might look professional and well worded. It might use words from your business. It might even look expected."

While the human element is an inescapable part of our hacking vulnerability, the other, equally messy part of the equation is that security is rarely a priority for the companies actually building software. Developers would rather ship a product fast than spend time testing a product for potential risks—as Wednesday's Tinder mishap perfectly illustrates.

"The bigger problem is that security is just not top of mind for most developers," says Chris Eng, vice president of research at Veracode. "It's not something that has worked its way into a product's life cycle."

"What we have to do is build [security measures] earlier and earlier into the cycle so that developers are aware of it," Eng adds.

In addition, the expertise of in-house security teams is a luxury many developers simply don't care about, or can't afford. "There aren't enough good InfoSec people to go around, and the employment rate shows that," says Thomas.

Larger firms, on the other hand, often find themselves failing to have incorporated proper safeguards into their core, existing infrastructure. "Security really needs to come in from the beginning," Thomas says. "For larger companies with huge established portfolios of applications, many of these go back five, 15, 20 years to before many modern security practices existed. Overhauling them is a tremendous mountain to climb."

Unfortunately, these shortcomings put more onus on the consumer to be extra vigilant with their security—namely, their passwords, which are still frequently recycled and used across multiple accounts. Imagine: What if your eight-digit Kickstarter password was the same one used for your Amazon account? Or your Bank of America login?

To be clear, even if Internet companies start making security a top priority, breaches will still happen. And that isn't going to change anytime in the foreseeable future. "I fear that because we can't roll out a software patch for people's brains, this problem is one we're still going to have in 100 years," says Cluley. "Fundamentally, we've been talking about this problem for 20-plus years. And we haven't learned."

For now, it's up to more forward-thinking organizations like Kickstarter to set the example by responding to security breaches as best they can, with honesty and transparency. "The rapid response and ability to make what transpired clear really to its users says Kickstarter had its house in order before the breach," says Thomas.

Locks will be broken and messes will be made, which is why, going forward, maintaining user trust will be more important than ever.

[Image via SplitShire]

Add New Comment

4 Comments

  • Hey Chris, Nice post. It just seems that despite all of the reporting and warnings about security, it continues not to be a huge focus and that failure seems to be across the board. Anyway, I thought my readers would enjoy your article, and I wanted to let you know that I included your post in my roundup of February’s best web design/development, CMS, and security content. http://www.wiredtree.com/blog/februarys-best-web-designdevelopment-cms-security/ Thanks again for the nice post.

    Rachel

  • "The bigger problem is that security is just not top of mind for most developers," Sad but true. But not just developers, in most cases the corporate ethos to get new capability to market as soon as possible. The real challenge is that the added value of good security practice in software development is, in general, not recognised in the procurement process. The good news is initiatives like the defence cyber protection partnership are starting to recognise the added costs of doing things properly.

    I do have issue with the opening phrase in the article "People are stupid". Security is complex, and it takes a good deal of knowledge to behave securely - and until recently, people have simply not been taught good practice.

  • Adam Voyton

    The legal ramifications aren't enough. Companies should be fined more for implementing poor security protocols which could ruin the lives of many people.