How the ICO’s £183m BA fine should focus businesses on sharpening cyber skills at speed
Between 21 August and 5 September 2018, attackers stole customer data including names, addresses, email addresses and payment card details from UK-based airline British Airways (BA). The data was taken from roughly 380,000 unique transactions made on both ba.com and the airline’s app. According to the Information Commissioner’s Office (ICO), the company’s ‘poor security arrangements’ were to blame for the incident. The ICO consequently announced its intention to fine BA a record £183m, which dwarfs the previous record of £500,000 (paid by Facebook in relation to the 2018 Cambridge Analytica scandal), the maximum the ICO could impose under the pre-GDPR Data Protection Act 1998.
The BA attackers used online skimming, commonly called Magecart after the umbrella name given to the criminal groups running these campaigns; the same technique has hit Ticketmaster, Newegg and Feedify. It is a low-risk, high-reward attack: the criminals implant a small piece of malicious JavaScript into a site’s checkout page (either directly or through a third-party script the page loads, and so also into apps that render those pages), and that script runs in each customer’s browser, copying card details from the payment form and sending them to a server the attackers control. Because the skimmer runs inside a page that otherwise works normally, and the stolen data leaves from the browser rather than being intercepted on the wire, neither the customer nor HTTPS will stop it. And while the technique isn’t exactly new (it first appeared in 2014), it has proved persistent for exactly that reason: it is near impossible for users to detect, giving attackers a high chance of success.
Security leaders struggle to secure their infrastructure against such attacks because prioritising the right action depends on understanding the specific threat, and in many cases the team lacks the relevant skills at the moment they are needed. That isn’t a mere inconvenience: many companies would never recover from a fine as large as the one proposed for British Airways.
It’s clear that security leaders can’t afford to take their eye off the ball when it comes to protecting what their web servers deliver to customers’ browsers, including scripts pulled in from third parties. But to defend against Magecart and similar attacks, security teams need to learn new skills quickly, and that means immediate access to relevant material. Classroom-based training is not the answer, because it lags behind the threat landscape. And while certificates and qualifications might be relevant the week they’re earned, they won’t help a team define an effective response to an emerging threat.
If your security pros have access to content that’s derived from the threat intelligence relevant to your business, skills development will be more focussed. Instead of spending time and money learning security skills that are (unknown to them) irrelevant, your team will be preparing for the threats already harming similar businesses. It’s a case of placing square pegs in square holes, rather than covering several bases and hoping for the best.
And there’s no better way to prepare for emerging threats than by getting hands on with them. Deciphering blogs full of indicators to find the elements relevant to your business is incredibly time-intensive. Yet, without a resource that’s updated with interactive skills content the day a threat’s discovered, those blogs are your best option. The best way of upskilling your team is to let them examine real threats safely. Doing is learning, after all, and problem solving under pressure will boost their skills unlike anything else.
Ultimately, you should strive to boost your team with the skills that will actually contribute to protecting your organisation. Automated, on-demand solutions enable continued learning and, in turn, greater development than traditional methods. This is worth bearing in mind when considering over half of all cyber experts feel their employers don’t provide sufficient training. Better still, they enable security professionals to pick up the right skills at the right time, rather than having them move from point A to point B with no real sense of purpose, as so many outdated courses do.
Our Magecart lab shows users how to analyze the malicious traffic generated as a Magecart skimmer is deployed against an ecommerce site. It takes a competent security pro around an hour to complete and leaves them with the skills to recognise and mitigate this kind of attack. That illustrates the case for on-demand learning: an hour of one employee’s time could be worth millions of pounds to your business.
If you would like to learn how Immersive Labs can upskill your security team and drive down organisational risk, book a demo with one of our experts today.