What effects do the highly publicized breaches of 2017 have on affected industries – banking and finance? Media and entertainment? Telecommunications? The list goes on. Have the visibility of and attention to these breaches increased awareness of cybersecurity and overall content protection, and of the need to address this issue sooner rather than later?
The most recent attack on HBO, and others from the recent past such as Tesco, JPMC, Target, Yahoo, Google, Office of Personnel Management (OPM), Anthem, Sony, Ashley Madison, Best Buy, Walgreen’s and many others, illustrate just how impactful a breach can be, and it will not be the last of its kind. From knowledge as to the cause of the HBO attack as well as the extent of the breach, it can be inferred that practices and controls surrounding information access, access controls, identity management, desktop security, and network intrusion monitoring and prevention, as well as other key components for content protection and availability, will be in the crosshairs.
There was an unprecedented number of records accessed by hackers in 2016, and that number is on the rise in 2017. Organizations in the top 10 had more than 300 million records accessed by hackers. Ask yourself, what is the value of that content? What is the value of reputation and reputation lost? What are some of the other effects of this activity?
This past year also showed that cyber criminals are becoming increasingly organized and sophisticated. Cybersecurity experts predict that most organizations will experience a data breach at some point – it’s just a matter of when – and as noted, industries are not immune from this trend. Cyber breaches are going to happen, so realizing that can be a step in the maturing thought process. In building a cyber-resilient infrastructure that protects content, infrastructure, data, personnel and other critical business and financial assets from the outside as well as from the inside, keeping the bad guys out is a focus, but protecting the inside cannot be overlooked either.
Cyber defenses, resilience, and “self-contained” networks and infrastructure can be designed and layered in zones and enclaves to mitigate and limit damage internal to a client if there is a breach. This takes the form of micro-segmentation and data asset management and classification, supported by breaking apart many monolithic applications, databases and programs where personal information is stored, making it harder for cyber thieves to find and act upon data. These are just a few of the thought-provoking steps, and ultimately an out-of-the-box or disruptive way of thinking about the actions, technologies, policies, and support structures that clients can use to mitigate risks against such malicious intent and nefarious activities.
Liability to a company is a whole other issue in the event of a breach, fraud or other nefarious activity. The problem of a breach compounds itself, as it is pervasive on many fronts, from employees to business partners, vendors, shareholders, clients, investors and more. When a company is breached, before any liabilities can be determined, processed, and litigated, one must first determine the cause. Some voices in the legal arena have provided another way of referencing breaches, referring to them as “data security oil spills.” To limit liabilities, organizations should have a defense as part of their cyber and IT infrastructure that provides layered protection and supports “reasonable care” in protecting confidential, sensitive and private information. If it is found during any investigation that a particular company does not have adequate deterrents in place and is not exercising “reasonable care,” the potential monetary damages for liability will usually increase proportionally. This results not only in financial detriment to the company, but also in damage to stockholder value, reputation, and consumer confidence.
Part of the defense mechanism in preventing attacks is focusing solely on such. Organizations are taking the offensive approach and developing their ability to discover incursions quickly to limit damage. It is not only important to have policy and controls in place, but organizations need to also strengthen their network and IT design. This involves implementing a layered or “zoned” design, which essentially is not a new concept.
The defining principles of such a design basically “compartmentalize” or “zone” the company’s sensitive and confidential data and content into enclaves that have greater protection and triggered access controls. Additional protections to complement the layered network and distributed system design can include extra logins, layered authentication, encryption and segmenting sensitive data across different parts of a network, servers, databases and other repositories. Along with design, there are several other supporting practices to keep in mind, namely the policies, procedures, and overall supporting processes in place to support an organization’s data, whether breached or not. Too many organizations don’t exercise and maintain the maturity or sound policies, procedures and processes that support data and content management in their organization. In particular, one policy and process that is highly critical is the classification of an organization’s data and content assets. If an organization does not have an asset management program that contains all assets – digital, logical, physical and other – then how is the organization able to protect itself or assign value tagging for identified assets? Data and content classification, as well as the handling of the assets themselves, is based on assignment and definition of the value, sensitivity, importance and criticality to the organization.
These are critical factors that must not be marginalized. The process portion of classification, as well as data and content management, must also be tied into the organization’s incident response program and be exercised regularly, so that if a breach occurs the organization is better prepared to deal with the circumstances while working towards a timely resolution and the resumption of normal business operations.
It is worth noting that with the emergence of cloud applications, mobile devices, wireless connectivity and other forms of computing, the potential for attack points has grown exponentially. Proportionately, so has the market for security patches, and the detection and prevention of advanced malware, or advanced persistent threats. All threat vectors must be kept in mind when designing, implementing, operating, managing and protecting the business, cyber and IT assets that are the backbone of the company’s daily operations and business functionality. Organizations, no matter what the industry, must be at least aware of the motivators for these malicious activities, and take proactive steps and measures of protection. The leading motivators for such cyber-attacks include cyber-crime, espionage, warfare, and hacktivism. Being aware of the threat landscape can help an organization prepare and support the daily business and operability of the organization.
It should be understood that cybersecurity is all about the “business” and protecting the business, brand and reputation, while enabling the business operations. The productive combination of aligning business and cyber/IT essentially provides and supports the lifeblood of a company’s success in traversing the risk-infested galaxies of cyberspace, thus requiring a more rigorous way of thinking about protection than ever before. In 2017, trends that started earlier are continuing and are leaning towards a renewed focus on risk-centric data valuation, and the corresponding projects to give cybersecurity experts the ability to elevate security architecture, risk management, and physical, administrative and technical controls from the corporate level to the far-reaching remote locations, including third-party contractors, vendors and suppliers as well. Each entry and access point to an organization must be brought to the forefront and included as a component of the organization’s overall risk profile. Organizations will continue to embrace the reality that they cannot live without the Internet, and therefore must implement the controls to thrive within it, whether in Banking and Finance, Oil and Gas, Transportation, Healthcare, or any other industry.
One must ask, what is your company doing to protect content and data, and what would be the effects and implications of a breach that has happened to “someone else,” if it were to happen to you? To date, the biggest breach, a US bank hack, happened back in 2014 when 76 million accounts at JPMC were hacked. There was large-scale loss reported but more personal information was compromised, so if one looks at the overall content lost and/or compromised, one could conclude that the effects of such a breach, even from a few years ago, still have impact.
Indeed, 2016, leading into 2017 and to the current day, was a remarkable year in the field of cybersecurity. The hack of HBO is still making headlines and will do so for the foreseeable future, and data loss, content leakage and fraud become more evident through a variety of hacks and breaches. Who is next? Could it be you?