A fast-growing consumer app company aimed to secure its users’ privacy, but found critical gaps that weakened its cyber resilience.
Background
With a customer base of millions of active users, the client aimed to minimize the potentially massive business impact that privacy violations could cause.
Solution
The client’s CRO implemented Hyver to identify attack routes that put user privacy at risk and build a risk-based security program.
Results
– Short-term results: Hyver identified two critical issues and took immediate action that reduced the risk by 96%.
– Long-term results: Hyver’s cybersecurity roadmap doubled the organization’s maturity score in two years.
Crown Jewel: Keeping the Data of Millions Safe
Many successful SaaS companies are known for their fast growth. But growth is a double-edged sword; profits increase but so does responsibility and complexity. Companies with millions of clients must protect sensitive data, since failing to do so could result in data privacy regulatory fines amounting to hundreds of millions of dollars.
Building the Risk Profile
Hyver conducted a baseline assessment of the organization’s security posture that covered the client’s external attack surface, networks, and cloud environments. By analyzing findings across the client’s attack routes, Hyver quantified the risk exposure according to likelihood and business impact.
Fully Compromised Within Hours
Despite being a cloud-native, tech-savvy organization, the client had a massive attack surface and problematic policies and procedures that resulted in lower-than-average security maturity scores.
Critical Findings – Privacy is Only a Part of the Problem
Excessive trust in early employees
Growing from seven employees to 7000 in six years, the client had to make fast organizational, IT, and security adjustments. Organizational culture adjustments took a backseat, and so did the principle of least privileges.
Hyver discovered this issue primarily in production environments, where early employees had access to everything. While this issue can lead to privacy violations, it can also lead to major disruptions, downtime, and breach of code integrity. Excessive trust in early employees is a major risk factor and is frequently seen in fast-growing SaaS companies.
Employees have access to unlimited customer data
The second critical privacy finding was a lack of segmentation. To enable the business to move fast, the client allowed all employees to view every user’s activity history and personal information. This provided malicious actors with thousands of potential entry points that could be used to obtain sensitive information.
“It’s nice to know our concerns are taken care of, which includes assets our team did not identify as top concerns. Hyver identified attack routes that boosted our maturity very fast and very efficiently.”
The Client’s Cyber Risk Officer
Mitigation & Results
The conventional solution for both findings is a long-term architectural shift. However, since this can take years to design and implement, Hyver identified a short-term solution to reduce the risk exposure immediately.
Hyver focused on sensitive production environments. It limited the process so that only a few carefully selected individuals could conduct a code review and accept publishing changes. While this solution was a quick fix, it could not be a long-term strategy, as the individuals experienced a “review fatigue” and became (albeit intentionally) a bottleneck.
A second short-term solution was therefore implemented to segment employee access by region. With 26 countries, the risk was immediately reduced by 96%.
The conventional solution took longer—just under two years—to be fully implemented. Once the change was completed, the security maturity score rose dramatically, and the CRO’s top concern about privacy was under control.