Redmond magazine with a brilliant article presents the latest largest data breaches and cyber security incidents. It seems like the 2015 trend of insider threat and identity theft is gaining an exponential momentum. From exploring the different attacks the path for a hacker success is clear, just find the missing link in the network, this one employee user name and password and you are inside. The answer to the unbearable easiness of performing a breach lays in the basics paradigms of data security- security policy management, user credentials and authentication.
Enterprises Are Losing the Security Breach Battle
As the proliferation of breaches continues to put more user data into the wrong hands, the causes are often insufficient IT security and lax policies.
Enterprises have battled security breaches for decades, but now they’re under siege at a rampant pace. Even worse, the attacks now taking place are creating massive headaches and mistrust among these organizations’ customers who are dealing with identity theft and related issues. Hardly a day goes by when a major breach isn’t in the news. While the attack vectors may differ, the common denominator is most could be avoided if IT put the necessary systems, controls and policies in place and end users — regardless of their technical proficiency — were more up to speed on how to avoid the risks.
In the past several months alone, the second largest insurer, Anthem Blue Cross Insurance Companies Inc., disclosed a breach where the identities of 80 million customers were potentially stolen; Intuit Inc. had to warm its TurboTax customers to hold off from filing tax returns to ensure hackers couldn’t steal their refunds; and, of course, there was the highly visible attack on Sony Pictures Digital Productions Inc., whose e-mail systems were accessed and some embarrassing discussions made public with costly consequences.
That just scratches the surface of the recent spate of high-profile compromises with victims, which includes JP Morgan Chase & Co., Yahoo Inc., The Home Depot Inc., plus numerous other smaller organizations that have suffered attacks but didn’t necessarily make headlines. Despite best efforts today, enterprises of all sizes — especially those who do business with consumers — remain vulnerable to security breaches.
Industries specializing in business and professional services and retail and financial services, accounted for 41 percent of all disclosed intrusions last year, according to a report released in February by Mandiant, a Washington, D.C.-based subsidiary of security firm FireEye Inc. that specializes in corporate security monitoring. Companies in these sectors are among the most likely to have personal financial data that could be at risk.
Even more troubling, most breaches disclosed turn out to be preventable if only those affected had considered information security and protection of data a higher priority in terms of IT investment and policies. When it comes to preparedness, the healthcare industry is among the worst offenders, according to a survey of IT practitioners and end users released last month. That survey, conducted by the prominent information security researcher Ponemon Institute LLC (and sponsored by Varonis Systems Inc.), revealed that 56 percent of IT pros and 51 percent of end users respectively believe their organizations place moderate to low priority on data security, with some saying it’s not at all important.
The vast majority of IT pros surveyed by Ponemon — 79 percent — said their organizations only enforce a least-privilege policy for data access or don’t enforce one at all. Sixty-five percent of employees say they have access to sensitive data they don’t need access to in order to perform their jobs, with 51 percent saying they actually see this data often. “After years of concentrating on and investing in perimeter security, cyberattacks and data breaches are a greater problem than ever,” according to the report’s executive summary.
The Cost of Complacency
The rise in breaches has cost victims tremendously both in dollars and damage to their brands. Take the now-infamous Target breach more than a year ago when 70 million customer identities were stolen. It cost Target $162 million, according to the company’s 2014 Q4 earnings report, covering customer credit monitoring services, updates to its infrastructure, a falloff in revenue, among other expenses.
While Target appears to be bouncing back, the incident cost the CEO and CIO their jobs last year. Whether your company is Target or a small business, security breaches of any kind can cost any IT pro his or her job. How can you avoid making the same mistakes they’ve made?
First, it’s important to understand the causes. While some are obvious, others require companies to consider the use of more advanced security prevention technology. Could the cause of these breaches be a lack of investment when it comes to new security technology? Is it a training issue, on both the IT and general employee side? Or is it an absence of corporate cooperation to collectively come together to battle new and rising threats? As the Ponemon study suggests, the issues lie in all three.
Two-Factor Authentication and Stronger Encryption
Last summer administrators at JPMorgan Chase discovered more than 90 of its secure servers accessed by unauthorized individuals for a span of two months. The result was the loss of personal financial information of at least 76 million households, making it one of the biggest data breaches in the United States.
Months after the incident, the bank revealed that hackers operating out of either Ukraine or Russia had access to the servers thanks to stolen login credentials of a bank employee. That’s all it took to pull off the largest financial data heist in U.S. history — a stolen user name and password.
Even with JPMorgan Chase’s estimated $250 million security budget, the keys to its kingdom were lost and could have been completely avoided with the simple addition of a proper multifactor authentication process.
The tokenization of the JPMorgan Chase log-in system would have saved quite a bit of face and cut off the attackers on day one. Once an individual inputs credentials without the second authentication process (typically inputed through a user’s smartphone, computer or tablet), that password and user name would not have been enough to access the financial institution’s network.
Large cloud providers including Microsoft, Amazon Web Services Inc., Salesforce.com Inc., Google Inc. and Yahoo have all stepped up their multifactor authentication efforts in hopes of keeping a better lock on customer data. Microsoft recently added a new log-in feature that will call or text a user when they try to log in to their Office 365 account. Google also included a similar feature for its Gmail service in January.
With adoption rates for multifactor authentication growing, and an industry that is projected to be worth $13.2 billion in 2020, based off of projections by forecasting firm ABI Research, the struggle for IT to adopt it in their enterprise is to convince the higher ups that it deserves a slice of their security budget, especially for a log-in procedure that may appear to be cumbersome compared to the typical log-in/password system.