What effects do the highly publicized breaches of 2017 have on affected industries like Banking and Finance? Media and entertainment? Telecommunications? The list could go on. Have the visibility and attention towards these breaches created an increased awareness for cyber security and overall content protection? Shouldn’t this issue be addressed sooner rather than later?
The most recent cyber attack, on media company HBO, and others from the recent past such as Tesco, JPMC, Target, Yahoo, Google, Office of Personnel Management (OPM), Anthem, Sony, Ashley Madison, Best Buy, Walgreens and many others illustrate how impactful a breach can be, and it will not be the last of its kind.
From what is known about the cause of the HBO attack and the extent of the breach, it can be inferred that practices and controls surrounding information access, access controls, identity management, desktop security, and network intrusion monitoring and prevention, as well as other key components for content protection and availability, will be in the crosshairs.
There was an unprecedented number of records accessed by hackers in 2016, and that number is on the rise in 2017. Organizations in the top 10 had more than 300 million records accessed by hackers. Ask yourself, what is the value of that content? What is the value of reputation and reputation lost? What are some of the other effects of this activity?
This past year also showed that cyber criminals are becoming more organized and more sophisticated. Cyber security experts predict that most organizations will experience a data breach at some point – it’s just a matter of when – and as noted, industries are not immune from this trend. Cyber breaches are inevitable, and realizing that is a step towards a more mature way of thinking. Moreover, security needs to be foolproof, with protection against threats from both inside and outside. Building a cyber-resilient infrastructure to protect content, infrastructure, data, personnel, and other critical business and financial assets from the outside as well as from the inside is an effective approach.
Cyber defenses, resilience, and ‘self-contained’ networks and infrastructure can be designed and layered in zones and enclaves to mitigate and limit the damage inside a client’s environment if there is a breach. This takes the form of micro-segmentation, data asset management, and classification, supported by breaking apart the many monolithic applications, databases, and programs where personal information is stored, making it harder for cyber thieves to find and act upon data. These are just a few of the thought-provoking steps, and ultimately an out-of-the-box or disruptive way of thinking about the actions, technologies, policies, and support structures that clients can use to mitigate risks against such malicious intent and nefarious activities.
Liability to a company is a whole other issue in the event of a breach, fraud, or other nefarious activity. The problem of a breach compounds itself because it is pervasive on many fronts, from employees to business partners, vendors, shareholders, clients, investors, and more. When a company is breached, before any liabilities can be determined, processed, and litigated, one must first determine the cause. Some voices in the legal arena refer to breaches as ‘data security oil spills’.
To limit liabilities, organizations should have defense as part of their cyber and IT infrastructure that provides layered protection and supports ‘reasonable care’ in protecting confidential, sensitive, and private information. If it is found during any investigation that a particular company does not have adequate deterrents in place and is not practicing the exercise of ‘reasonable care,’ the potential monetary damages for liability will usually proportionally increase. This results in not only financial detriment to the company, but also damage to stockholder value, reputation, and consumer confidence as well.
Part of the defense mechanism in preventing attacks is focused solely on this damage prevention. Organizations are taking the offensive approach and developing their ability to discover incursions quickly to limit damage. It is important not only to have policy and controls in place, but also to strengthen network and IT design. This involves implementing a layered or ‘zoned’ design, which is not a new concept.
The defining principle of such a design is to ‘compartmentalize’ or ‘zone’ the company’s sensitive and confidential data and content into enclaves that have greater protection and triggered access controls. Additional protections to complement the layered network and distributed system design can include extra logins, layered authentication, encryption, and segmenting sensitive data in different parts of a network, servers, databases, and other repositories.
Along with design, there are several supporting practices to keep in mind: the policies, procedures, and overall processes in place to support an organization’s data, irrespective of a breach. Most organizations don’t exercise and maintain the maturity or sound policies, procedures, and processes that support data and content management.
In particular, one policy and process that is highly critical is the classification of an organization’s data and content assets. If an organization does not have an asset management program that contains all assets (digital, logical, physical, and other), then how would the organization protect itself or assign value tagging for identified assets? Data and content classification, as well as the handling of the assets themselves, are based on the assignment and definition of their value, sensitivity, importance, and essence to the organization.
These are critical factors that must not be marginalized. The process portion of classification, as well as data and content management, must also be tied into the organization’s incident response program and be exercised regularly. Thus, if a breach occurs, the organization is better prepared to deal with the circumstances, while working towards a desired resolution and the timely resumption of normal business operations.
It is worth noting that with the emergence of cloud applications, mobile devices, wireless connectivity and other forms of computing, the potential for attack points has grown exponentially. Proportionately, so has the market for security patches, and the detection and prevention of advanced malware, or advanced persistent threats. All threat vectors must be kept in mind when designing, implementing, operating, managing, and protecting the business.
Cyber and IT assets are the backbone of the company’s daily operations and business functionality. Organizations, no matter what the industry, must be at least aware of the motivators for these malicious activities, and take proactive steps and measures of protection. The leading motivators for such cyber-attacks include cyber-crime, espionage, warfare, and hacktivism. Being aware of the threat landscape can help an organization prepare and support the daily business and operation of the organization.
It should be understood that cyber security is all about the ‘business’ and protecting the business, brand, and reputation, while enabling the business operations. The productive combination of aligning business and cyber/IT essentially provides and supports the lifeblood of a company’s success in traversing the risk-infested galaxies of cyber space, thus requiring a more rigorous way of thinking about protection than ever before.
In 2017, trends that started earlier are continuing and are leaning towards risk-centric data valuation, and the corresponding projects give cyber security experts the ability to elevate security architecture, risk management, and physical, administrative, and technical controls from the corporate level to far-reaching remote locations, and help to include third-party contractors, vendors, and suppliers.
Each entry and access point to an organization must be brought to the forefront and included as a component of the organization’s overall risk profile. Organizations will continue to embrace the reality that they cannot live without the Internet, and therefore, they must implement the controls to thrive within it, whether in Banking and Finance, Oil and Gas, Transportation, Healthcare, or any other industry.
One must ask, what is your company doing to protect content and data, and what would be the effects and implications if a breach that has happened to a competitor were to happen to you? To date, the biggest breach, a US bank hack, happened back in 2014, when 76 million accounts at JPMC were hacked. There was a large-scale loss reported, but more personal information was compromised. From the overall content lost and/or compromised, one could conclude that the aftereffects of such a breach last for a long period.
The shift from 2016 through the following years to today has been remarkable in the field of cyber security. The hack of HBO is still in the headlines and will remain so for the foreseeable future. Data loss, content leakage, and fraud will become more evident through surprising hacks and breaches. Who is next? Could it be you?