5 ways to avoid a cyber attack (unlike Marriott & BA)

    By Amy Montague, Tuesday 23 July 2019

    Both British Airways and Marriott Hotels were hit with heavy fines this month, after millions of users’ personal details were exposed. Under the new rules, the Information Commissioner’s Office (ICO) can now impose penalties of up to 4% of a brand’s yearly revenue or £20 million, whichever is higher. With the GDPR law now over 12 months old in the UK, the wheels have begun to turn in the GDPR world, yet brands are still failing to catch up with the regulations expected of them.

    It’s fake

    British Airways has been issued a £183.4M fine after the cybercriminal gang Magecart gained access to 500,000 customer records from June 2018 onwards. But how did they do this? The attack itself centred on the creation of a false British Airways website, which lured unsuspecting customers into logging in and exposing their payment card details, addresses and travel itineraries.

    BA themselves were ‘surprised and disappointed’ by the fine and have yet to appeal the ruling.

    Missing link

    Unlike BA’s, the Marriott incident is a bit less linear. So far, we know that 500 million guest records were exposed and, as a result, the company has been fined £99M under GDPR. A popular method of infiltration is email cloning.

    “This tactic is used in phishing in order to get malware onto a target network to then move laterally across all systems.” – Source

    Unfortunately, security isn’t a done-and-dusted process. It’s continuous: programmes wither over time, cyber criminals move on to different infiltration methods, and brands fail to continually security-test their sites.

    Hackers have a habit of going for big brands and, so far, their methods are working. But what happens when they start targeting smaller brands with approaches that are known to work? Could your brand pay a £20 million fine in 28 days?

    - 60% of small companies that suffer a cyber attack are out of business within six months

    5 Ways to avoid a cyber attack & GDPR fine

    1. Security testing – Ensure your web testing agency is security testing with real users. Automated testing only skims the surface of your website, whereas human testers delve deeper into your site to find any loopholes.
    2. Use Google – With Google you can search for copies of your site, or slight variations of it, helping you spot any fake copies.
    3. Alerts – Set up alerts that inform customers when their account has been logged into from a different IP address.
    4. Two is better than one – A basic two-step authentication login is one of the simplest ways to increase security.
    5. Updated – Make sure all your systems, from email to in-store accounting, run on modern programs, not ones from the 80s and 90s.
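As an added illustration of point 3 (this is not code from the post or from Digivante), here is a small Python detector that reads constructed login log lines and raises a customer notification the first time an account logs in successfully from an address it has not used before. The log format and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample login log lines (not real data): timestamp, user, source IP, outcome.
SAMPLE_LOG = """\
2019-07-01T08:02:11Z login user=alice ip=203.0.113.10 result=success
2019-07-01T09:15:42Z login user=bob ip=198.51.100.7 result=success
2019-07-02T08:05:03Z login user=alice ip=203.0.113.10 result=success
2019-07-02T22:41:19Z login user=alice ip=192.0.2.55 result=failure
2019-07-03T03:12:58Z login user=alice ip=192.0.2.55 result=success
2019-07-03T10:00:00Z login user=bob ip=198.51.100.7 result=success
"""

# Assumed log line format; adjust the pattern to match your own application's logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_login_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def new_ip_alerts(events):
    """Return one alert per successful login from an IP the account has never used.

    Only successful logins extend the per-user baseline, so a failed attempt from
    an unknown address does not silently teach the system to trust that address.
    The very first successful login for an account establishes its baseline and
    is not alerted on.
    """
    seen = defaultdict(set)  # user -> IPs with a prior successful login
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        known = seen[ev["user"]]
        if ev["ip"] not in known:
            if known:
                alerts.append(f"{ev['ts']} notify {ev['user']}: login from new address {ev['ip']}")
            known.add(ev["ip"])
    return alerts


if __name__ == "__main__":
    for alert in new_ip_alerts(parse_login_events(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the per-user baseline would live in persistent storage rather than an in-memory dict, and the alert would be sent to the customer through email or SMS rather than printed.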

    Both BA and Marriott thought their sites were secure, but failure to update or check basic security measures has resulted in hefty fines and a loss of trust from their loyal users. Could your site withstand a hacking incident, or the costly fine which follows?

    Amy Montague

    As one of the Marketing Executives for Digivante, Amy provides and reviews most of the copy and visual content for Digivante. Amy has a natural flair for the creative and brings this aspect into her marketing role.
