Enterprises Are Losing the Security Breach Battle
As the proliferation of breaches continues to put more user data into the wrong hands, the causes are often insufficient IT security and lax policies.
Enterprises have battled security breaches for decades, but now they're under siege at a rampant pace. Even worse, the attacks now taking place are creating massive headaches and mistrust among these organizations' customers, who are left dealing with identity theft and related issues. Hardly a day goes by when a major breach isn't in the news. While the attack vectors may differ, the common denominator is that most could be avoided if IT put the necessary systems, controls and policies in place and end users -- regardless of their technical proficiency -- were more up to speed on how to avoid the risks.
In the past several months alone, the second largest insurer, Anthem Blue Cross Insurance Companies Inc., disclosed a breach in which the identities of 80 million customers were potentially stolen; Intuit Inc. had to warn its TurboTax customers to hold off from filing tax returns to ensure hackers couldn't steal their refunds; and, of course, there was the highly visible attack on Sony Pictures Digital Productions Inc., whose e-mail systems were accessed and some embarrassing discussions made public, with costly consequences.
That just scratches the surface of the recent spate of high-profile compromises, whose victims include JP Morgan Chase & Co., Yahoo Inc., The Home Depot Inc., plus numerous other smaller organizations that have suffered attacks but didn't necessarily make headlines. Despite best efforts today, enterprises of all sizes -- especially those who do business with consumers -- remain vulnerable to security breaches.
Industries specializing in business and professional services, retail and financial services accounted for 41 percent of all disclosed intrusions last year, according to a report released in February by Mandiant, a Washington, D.C.-based subsidiary of security firm FireEye Inc. that specializes in corporate security monitoring. Companies in these sectors are among the most likely to hold personal financial data that could be at risk.
Even more troubling, most disclosed breaches turn out to be preventable, if only those affected had made information security and protection of data a higher priority in terms of IT investment and policies. When it comes to preparedness, the healthcare industry is among the worst offenders, according to a survey of IT practitioners and end users released last month. That survey, conducted by the prominent information security researcher Ponemon Institute LLC (and sponsored by Varonis Systems Inc.), revealed that 56 percent of IT pros and 51 percent of end users, respectively, believe their organizations place moderate to low priority on data security, with some saying it's not at all important.
The vast majority of IT pros surveyed by Ponemon -- 79 percent -- said their organizations only enforce a least-privilege policy for data access or don't enforce one at all. Sixty-five percent of employees say they have access to sensitive data they don't need access to in order to perform their jobs, with 51 percent saying they actually see this data often. "After years of concentrating on and investing in perimeter security, cyberattacks and data breaches are a greater problem than ever," according to the report's executive summary.
The Cost of Complacency
The rise in breaches has cost victims tremendously, both in dollars and in damage to their brands. Take the now-infamous Target breach more than a year ago, when 70 million customer identities were stolen. It cost Target $162 million, according to the company's 2014 Q4 earnings report, covering customer credit monitoring services, updates to its infrastructure and a falloff in revenue, among other expenses.
While Target appears to be bouncing back, the incident cost the CEO and CIO their jobs last year. Whether your company is Target or a small business, security breaches of any kind can cost any IT pro his or her job. How can you avoid making the same mistakes they've made?
First, it's important to understand the causes. While some are obvious, others require companies to consider the use of more advanced security prevention technology. Could the cause of these breaches be a lack of investment when it comes to new security technology? Is it a training issue, on both the IT and general employee side? Or is it an absence of corporate cooperation to collectively come together to battle new and rising threats? As the Ponemon study suggests, the issues lie in all three.
Two-Factor Authentication and Stronger Encryption
Last summer, administrators at JPMorgan Chase discovered that more than 90 of its secure servers had been accessed by unauthorized individuals over a span of two months. The result was the loss of personal financial information of at least 76 million households, making it one of the biggest data breaches in the United States.
Months after the incident, the bank revealed that hackers operating out of either Ukraine or Russia had access to the servers thanks to stolen login credentials of a bank employee. That's all it took to pull off the largest financial data heist in U.S. history -- a stolen user name and password.
Even with JPMorgan Chase's estimated $250 million security budget, the keys to its kingdom were lost, and the loss could have been completely avoided with the simple addition of a proper multifactor authentication process.
Adding a token-based second factor to the JPMorgan Chase log-in system would have saved quite a bit of face and cut off the attackers on day one. Without completing the second authentication step (typically entered through a user's smartphone, computer or tablet), a stolen password and user name alone would not have been enough to access the financial institution's network.
Large cloud providers including Microsoft, Amazon Web Services Inc., Salesforce.com Inc., Google Inc. and Yahoo have all stepped up their multifactor authentication efforts in hopes of keeping a better lock on customer data. Microsoft recently added a new log-in feature that will call or text a user when they try to log in to their Office 365 account. Google also included a similar feature for its Gmail service in January.
Adoption rates for multifactor authentication are growing, and the industry is projected to be worth $13.2 billion in 2020, based on projections by forecasting firm ABI Research. The struggle for IT in adopting it in the enterprise is to convince the higher-ups that it deserves a slice of the security budget, especially for a log-in procedure that may appear cumbersome compared to the typical log-in/password system.
"The classic security conundrum is the people who are most senior from a business perspective are also the least likely to accept the inconveniences of proper security," says Jonathan Sander, strategy and research officer for Hawthorne, N.J.-based STEALTHbits Technologies Inc., which provides Active Directory security monitoring and services. "Senior people on the business side want to delegate the details of their actions, and that works fine in every respect except when it comes to doing IT securely."
Sander fears multifactor authentication could end up looking like an inconvenience to those higher up the ladder, and not worth the time or effort to implement. However, with the rising costs associated with customer data leaks, the prevention truly outweighs the cure, he says.
Strengthening the log-in process to limit who can access personal data can go a long way toward avoiding a crisis. However, no matter how complex the log-in process, network breaches will still occur. That's why making sure sensitive data is properly encrypted is so important.
But the issue doesn't seem to be with nudging shops into employing encryption technology -- it's with categorizing which data should be encrypted. In the Anthem hack that exposed personal information -- including Social Security numbers -- of 80 million health insurance customers, much of the data stolen was unencrypted. While the company said that health records were kept encrypted, the information taken by hackers was in plain-text form.
Keeping data protected with encryption tools and services is as close to a sure thing as you can get in the situation where attackers do breach corporate networks, according to David Kidd, vice president of governance, risk and compliance at Charlotte, N.C.-based Peak 10 Inc., which offers cloud-based infrastructure services. "When encryption is used, it is almost always sufficient to protect against almost any criminal threat," says Kidd. "The problem is, too few organizations properly classify critical information and then secure it through any encryption at all."
However, even with proper security tools in place, such as multifactor authentication and widespread encryption, breaches can still occur due to the human factor.
Educating End Users
Both the Target incident in 2013 and last year's Home Depot breach, which exposed credit card information for an estimated 56 million users, were pulled off thanks to stolen credentials from an employee of a third-party firm that had access to the companies' networks.
More than the lack of adequate technological safeguards, the lax approach employees take -- intentionally or not -- when it comes to security can leave an open door for attackers to gain access. Beyond keeping software such as Web browsers -- the most vulnerable access point when it comes to targeted employee attacks -- patched, Kidd says companies aren't doing enough to make sure employees are trained to avoid security mistakes.
"We sometimes forget that there are people behind the processes and technologies, and it's critical to select and screen employees carefully and to train them on the basics of information security," says Kidd. "The growing mobile workforce brings with it its own set of unique challenges, and these digital platforms need to be accounted for when securing customer data and privacy."
In fact, employee negligence, whether from unsafe online activities or from lost or stolen mobile devices that are connected to a corporate network, was the leading cause of all data breaches in 2014, according to credit rating firm Experian Information Solutions Inc. in its 2015 Data Breach Industry Forecast Report. Fifty-nine percent of security incidents that led to a loss of data were caused by either human error or malicious insiders, the study found. And this remains the top cause of all of these breaches this year.
IT security budgets, though on the rise, are more focused on new software and hardware, and tend to overlook investing in staff security education. "Currently only 54 percent of organizations report they conduct security awareness training for employees and other stakeholders who have access to sensitive or confidential personal information," the report reads. "Making a significant dent in the number of breaches in 2015 will require companies to pay more attention to raising the security intelligence of employees."
Not only should IT focus on facilitating a culture of security among employees, but it should look to limit the damage caused by human error by monitoring employee behaviors and properly identifying who needs access to what data. "Not every employee needs access to critical data," Kidd says. "By encrypting systems and limiting access, corporations can proactively mitigate the risk of a hacker breaking into their IT network."
While the extent of the work that the third-party vendors responsible for the breaches were contracted to do for Home Depot and Target is unknown, limiting those outside parties' access to only what they needed might have gone a long way toward reducing the impact of the breaches.
Prioritizing the strengthening of security from the inside, both through education and through added security tools, will go a long way toward curbing the growing tide of corporate breaches. However, no enterprise is alone in the battle, and cooperation across corporations and industries can help with the struggle against a shared foe.
Increase Breach Information Sharing
When a major data breach occurs, the company and the customers who had their data stolen aren't the only ones affected. In the case of a theft hitting a major financial institution, the list of those touched by the action can extend to the thousands of vendors and retailers that must face the fallout of fraudulent charges made with stolen personal information.
The standard operating procedure for too many years has been for corporations to hide the fact a breach has occurred to avoid embarrassment, only revealing scant details once the data stolen presents a clear threat to customers. The justification for secrecy has come from a rational position, according to Eddie Schwartz, certified information security manager and chair of the nonprofit Information Systems Audit and Control Association (ISACA), which advocates and educates on best practices for IT governance.
"There are a few reasons that corporations keep breaches secret," Schwartz says. "First, some details of the breach would provide information that would be valuable to adversaries looking to do further harm to the company. Second, disclosure of aspects of a breach that are highly confidential can inadvertently hurt a company well beyond the actual cost of the breach."
Unfortunately, with the rate of critical breach attacks on the rise and the cost per breach also increasing, the pitfalls of secrecy heavily outweigh the benefits. Bringing transparency to a security incident to both the public and industry peers can limit the damage done and prevent similar situations from occurring down the road.
"Further information sharing among cyber defenders will improve the ability to understand the tools, tactics and procedures of attackers, to identify the methods the bad actors use to perpetrate their attacks and to identify and shut them down more quickly," Schwartz notes. "This approach can potentially either stop or limit the damage of a breach."
This was the reasoning behind President Obama's executive order announced at February's Cybersecurity Summit in Palo Alto, Calif., which looks to increase the sharing of information about corporate breaches between corporations, law enforcement and government agencies. The goal is to set industry-wide standards and to share pertinent information concerning data leaks through national Sharing and Analysis Centers.
Many major tech and financial firms, including Intel Corp., Apple Inc., Bank of America and Kaiser Permanente, have voiced their support for this framework, which will open communication channels. While a federal approach to curbing corporate data breaches will have its detractors, the support shown in the short time since it was announced demonstrates a growing willingness by large corporations to share information about security incidents in the name of data security. The goal moving forward will be to hammer out a comprehensive framework that brings smaller enterprises into the fold, while providing individuals and corporations safe harbor from legal action when coming forward with data breach information.
When it comes to IT and its battle with security intrusions, it's not a question of if your network will be compromised; it's a question of when. As long as attacks continue to grow in sophistication and there is a financial reward for hackers who steal private data, customer and corporate data will remain a target. No network will ever be 100 percent immune. But approaching the situation with an increased commitment to and investment in cyber security tools, increased awareness among employees and an openness to share information that affects everyone can go a long way toward making sure your business is not the next to lose millions, and customer confidence, as the next victim of data theft.