As more information is provided to the public on the recent Ashley Madison data breach, the repercussions expand. The site is used by married people to seek extramarital liaisons. The criminal hackers released email addresses, credit card information, company memos and more through several data dumps made public. Former users report that even though they paid a fee to have their data removed permanently, it was included in the data dumps.
Small businesses should be mindful of the possible repercussions to their network and their employees. An event such as this hack creates opportunities for other malicious behavior that can affect a business. Possible impacts include:
• Spear phishing by criminals who are using the dumped email addresses and details
• Ransomware sent to the email addresses listed
• Blackmail of people who had their data exposed
• Malicious emails to the spouses of the site users. Details about site users, including their spouses and children, can often be found easily on social media
• Information gleaned from the released data, coupled with data on social media, may make basic passwords easier to figure out
What Your Business Can Do
Your business should leverage any data breach incident to review your security measures.
• Have a policy that stipulates employees use a personal email address separate from their business email address. If your employees have been with you for years, chances are they are still using a business email address for personal activities.
• Have a Bring Your Own Device (BYOD) policy that clearly states what type of personal emails can be received on the device. Involve your attorney in crafting the language that prohibits inappropriate emails and site visits.
• Provide a separate Wi-Fi network, not connected to your business network, in the workplace for your employees. Let them use it during the work day for their personal devices. This helps employees keep personal emails separate from business emails.
• If you think any employees visited the Ashley Madison site using a business email address, consider having a security team check the data dump using one of the new services available. Check with your attorney to ensure you are not infringing on your employees’ rights.
• If any employee’s email address is in the data dump, assign the employee a new email address and disable the old address. This will reduce malicious attempts to get to your network via the old address.
• Be prepared for the potential blackmail of an employee listed in the data dump. Scams and extortion attempts can arise after the release of confidential data that has societal implications.
• Have all employees change passwords, following standard password security measures.
One key lesson from the Ashley Madison hack and data release is the broad range of impacts a company’s breach can have. Businesses need to be prepared not just for potential hacks into their own networks, but also for the fallout from other data breaches.
For more information on a career in cybersecurity, please visit our programs and courses offered through The National Cybersecurity Institute.