Epsilon Data Breach a Training Opportunity on Recognizing Phishing

Companies should be taking advantage of the Epsilon data breach and other similar incidents to train their employees to recognize what a data breach looks like.

With a number of high-profile data breaches dominating headlines recently, especially the latest one from email marketing company Epsilon, smaller companies may be wondering what they can do to ensure they can survive a similar attack. The answer seems to be training employees to recognize targeted attacks using these "real-world" incidents.

Epsilon, a large email marketing services company with a roster of A-list clients, disclosed April 1 that attackers had stolen customer data belonging to several of its clients. While the extent of the breach is still under investigation, the initial list of affected companies includes several financial organizations, major hotel chains and big retailers. The company warned that thieves might use the information to launch a phishing campaign to trick users out of more sensitive personal data.

All organizations, regardless of size or industry, should be taking advantage of the Epsilon breach as a learning opportunity. There will be a "plethora of phishing samples for training people," Randy Abrams, director of technical education at ESET, told eWEEK.

While many people will learn about phishing the hard way, this could be a "huge" educational opportunity that would help millions more people learn to protect themselves against phishing, he said. In the long run, the number of people affected will not be any higher than if the breach hadn't happened, according to Abrams.

"It's just that for many people it will happen sooner rather than later," he said.

Smaller companies need to evaluate what information is critical to their business operations, and secure that information accordingly, Marcus Carey, security community manager at Rapid7, told eWEEK. They have to minimize damage, as a "determined attacker" will get in with enough time, resources and motivation, according to Carey.

Organizations should train their staff using recent breaches, "since they are real-world examples," Carey said. Developing an incident response/awareness program and running practice scenarios will also help employees to "act on instinct" and recognize the scams for what they are, which will help organizations minimize the damage when an attack occurs, he said.

Smaller organizations are generally "less of a target" for this kind of theft unless they have "high-value clients," Abrams said. However, that doesn't mean these organizations can count on security through obscurity, as there is a "plethora of cyber-crime attacks" that can penetrate the weaker defenses, he said.

ESET's Abrams said smaller organizations should trust in hosted services, as those services generally have "higher-quality security expertise" than smaller organizations can afford to have in house. He differentiated his recommendation from the Epsilon breach, noting that the company was a "spam company," not a security company.

Organizations sharing their customer data with third-party providers should make the effort to clearly understand the provider's security process right at the outset, Dick Mackey, vice president of consulting at SystemExperts, told eWEEK. Companies need to assess the level of risk of going to a third-party provider before a breach happens, and have a "specific partner security management program in place," Mackey said.

Abrams agreed: "There is no perfect security. If the net result of outsourcing your security is an improvement in security, then it is a good thing, but there is no perfect security, only risk management," he said.

What the Epsilon breach highlights is that no one is immune from the problem, Anup Ghosh, chief scientist and founder of Invincea, told eWEEK.