The heart of tech is coming to the heart of the Mediterranean. Join TNW in València this March 🇪🇸

This article was published on April 25, 2016

From VTech to Ashley Madison: How the hacks of 2015 are reshaping cyber security

From VTech to Ashley Madison: How the hacks of 2015 are reshaping cyber security
Bob Hoogenboom
Story by

Bob Hoogenboom

Bob Hoogenboom is the Professor of Forensic Business Studies at Nyenrode Business Universiteit. The only private university in the Netherlan Bob Hoogenboom is the Professor of Forensic Business Studies at Nyenrode Business Universiteit. The only private university in the Netherlands founded in 1946 by industry leaders including KLM, Shell and Philips. This article is based on his vast experience in the field of cyber security.

It was around halfway through 2015 when a group of cyber-attackers who called themselves “The Impact Team” stole the data of 37 million users of controversial dating site Ashley Madison, and published the details online.

Such details included people’s email addresses, dates of birth and their credit card transactions. As a stand-alone event this is fascinating, great for small talk in the office, but it’s unlikely to strike fear into the hearts of senior professionals in organizations. However, the Ashley Madison breach was not the only cyber-attack to take a dramatic toll on an organization last year.

The VTech cyber-attack saw the personal details of 6.3 million children being leaked, those behind the Experian cyber-attack stole the records of 15 million customers, and this is to name just a few. Suddenly it’s become clear that organizations have every reason to fear for the security of their data and welfare of their customers.

We have a pressing problem with cyber-attacks which needs to be addressed. But how can we be sure the actions organizations are taking to tackle this problem are effective?

cyber security

I teach and conduct research in the field of online security at Nyenrode Business Universiteit, focusing on topics such as fraud prevention, integrity issues, and public-private collaborations in the security industry. I’m also a member of the Netherlands Intelligence Study Association (NISA).

Using this experience, I pinpointed four key developments in cyber security, as a result of the cyber-attacks in 2015, which an organization would need to harness in order to tackle the challenges posed by last year’s crisis for 2016 and beyond.

Increase cyber security spending

Understanding and managing cyber security risks is certainly a significant priority for leaders both in businesses and governments for 2016, and the first step for organizations is to assess how much they invest in cyber defences and question “Is this really enough?”

Credit: Shutterstock

Organizations are beginning to take action – PWC recently used the insights from The Global State of Information Security survey to reveal that 24  percent of respondents boosted their information security budgets, and 69 percent of companies incorporated cloud-based cyber security into their strategic initiatives during 2015.

It’s a good start, but simply increasing budgets does not go far enough.

Taking responsibility in the boardroom

It is important to acknowledge that cyber-attacks are beyond an organization’s control, but what can be controlled is how an organization chooses to respond.

This is why there should be an increase in the number of Chief Information Officers (CIOs) and even Chief Information Security Officers on corporate boards, to help ensure appropriate actions can be taken.

board room

In the previous decade, we’ve seen an increase in the number of Chief Financial Officers serving on corporate boards as a direct response to the global financial crisis.

Developing comprehensive cyber security plans requires a similar culture at boardroom level, developing an awareness of the importance of security that extends from the C-suite to the professionals in each function since breaches can occur at any level and in any department.

It’s important for management to communicate their support in complying with new cyber security policies if they are to strengthen the resilience their employees have in responding to potential cyber incidents.

We need to clarify the responsibilities of external security providers and organizations.


In the wake of the VTech cyber-attack, the company was widely criticised by the media for their poor security and lack of encryption. But who was to blame really?

It could have been down to the internal IT staff, but there’s also the possibility that an external provider’s product failed to be effective.

If greater transparency and responsibility are to be encouraged between companies, external providers and customers, we need to gain an understanding of the ongoing interweaving that takes place between the public and private domain.

For organizations to understand where breaches typically occur and how to best protect against them, they must ask themselves two relevant questions: Who is doing what for whom and who can we hold accountable in the event of a breach?

Employees need formal training for cyber-attacks

Aside from encryptions and firewalls, a company’s first line of defence is its staff – yet there’s a lack of formal education within organizations, despite regular security decisions they make, such as: “Should I click on this potentially shady link?” or “Should I enter my password on this form?”

cyber security

Knowledge typically comes from incidental and informal learning, such as news articles or the experiences of friends and family, rather than from management. The media’s focus is on who conducts the attacks, whereas expert information focuses instead on how attacks are conducted.

These differences prevent staff from understanding how persistent more mundane threats like viruses or phishing are, and how to protect against them.

Organizations need to encourage employees to be consistently alert and should take steps to educate them on cyber security, in an informal but efficient way.

In teaching employees to recognize when and how these threats occur, business leaders are taking the steps to clarify the responsibilities of dealing with cyber threats accordingly. In addition, they can easily identify the areas of security that need to be discussed at boardroom level.

This will vary according to the organization but, by having this system in place, we’ll finally be ahead in the cyber war.