Over the last few months, there’s been a lot of buzz about the Ashley Madison data breach. From front-page news to late night punch lines, the hack has attracted a lot of attention, but the truly scary element of the story is what lies behind how it was possible.

A New Generation of Hacker

Back in the 1980s and 1990s, hackers were a relatively small group of people, capable of breaking into some of the world’s most sophisticated systems. They were the villain in the action movie for years. We feared hacking, but there were enough jobs with few qualified coders and programmers to keep them occupied. Today, though, with thousands upon thousands being trained in technology, the highest level of interconnection of information in history, and a new level of “hacktivism” where political opinions and ideals can be the motive for a data breach, we have a new set of problems all together.

Lessons from Ashley Madison and Excellus

As you can imagine, companies are not eager to explain to the public how they were hacked. First, it’s often because they don’t yet know themselves. Second, as a black eye for the company, it’s more prudent to say that the problem is being addressed. Third, revealing a weakness can invite a new wave of attacks (especially with wide media coverage) when they’re already down.

The website Ashley Madison, a source for those looking for extramarital affairs, was hacked for the user data, including names, addresses, credit card information, and other critical information. This information was then dumped onto the web, following through on the hackers’ threats. Excellus, a branch of BlueCross BlueShield, was also hacked recently and the records of over ten million patients were compromised.

It’s unknown whether these were internal or external hacks, though the possibility of an “inside job” is less likely. What we know is that these databases probably had one of two frighteningly common weaknesses. First, the database itself was directly accessible from the Internet. This suggests that the defenses between any given user and the stored information were weak at best. Second, the companies fell victim to what’s called a “cross-site scripting attack.” Here, hackers can implant a malicious code to a site that uses JavaScript to collect information or provide a service.

The Core Problem

The real dilemma for businesses is striking the balance between network security and functionality. Many smaller, newer businesses cannot afford the tightest security and even more existing businesses can’t implement ideal conditions as it could easily turn off customers or clients.

Still, corporations from around the world have been buying into companies like Okta in San Francisco to improve network security for the most basic of employee functions (e.g. email, cloud access). These kinds of startups are specializing in adding new layers of security without dramatically reducing what your workers can do. Since it’s possible to be attacked by a hacker directly, contaminated by an unwitting customer, or compromised by a vendor or contractor it’s the newest essential to every business out there.