Public reports indicate that approximately 319 million people have had their electronic records breached in the past couple of years, mostly as the result of cyberattacks on retailers, financial institutions, health insurance companies, doctors and hospitals, the federal government, the U.S. military, institutions of higher education and, ironically, data security companies. That’s the equivalent of nearly every American receiving a notification that their personal information has been compromised.
The information breached is wide-ranging and includes names, addresses, Social Security Numbers, credit card numbers, bank account details, medical records, payroll data and security file information. Illicit uses of this information include identity theft for any number of reasons, notably financial and medical fraud, as well as extortion or personal exploitation.
Whatever the motivation, our new reality today is that data security is one of the greatest vulnerabilities facing corporations, the government and individuals. The risks to individuals are significant, as noted above. The risks to corporations are substantial as well and include financial risk, legal and regulatory risk, and reputational risk.
How Did We Get Here?
Virtually everything is online. If you ask in a retail store whether they have a certain item, the clerk is as likely to look it up on a smartphone or tablet as to walk to the next aisle and search for it. We have become accustomed to instant access to all kinds of information, from online purchase history to real-time bank account balances. This at-your-fingertips access is a great advance of modern life. It is also a key component that creates new vulnerability and associated risks as businesses operate within this third wave of computing.
Sensing opportunity in others’ vulnerability, hackers ranging from teenagers in their parents’ basements to professionals working out of foreign government-backed offices are targeting our data 24-7-365. Despite the threat – or perhaps because the threat is so vast – most organizations are not fighting to keep hackers out as vigorously as hackers are fighting to get in.
What Should We Do About It?
Having suffered attacks themselves or witnessed costly and well-documented breaches of others, many organizations are systematically improving their protections in response to what’s happening in the environment or, more purposefully, as part of an enterprise risk-management process. Companies large and small are beginning to ramp up the resources they devote to data security. The current average for such expenditures is about 8 percent of a given company’s total IT spending.
Clearly, better control over the environment within our organizations will help to reduce risk. But, as with most things in business, effectively addressing risk requires more than just hardware and software; it also requires dedicated human expertise. Five years ago, how many corporate C-suites included a Chief Information Security Officer, or CISO? Today, CISOs are among the most sought-after executives in the job market. For example, as part of a cybersecurity license standard Blue Cross Blue Shield implemented earlier this year, all Blue Cross and Blue Shield companies must identify a CISO as a point of accountability for data and cybersecurity.
CISOs are not only in great demand; they are also extremely busy. In addition to the day-to-day rigor of intrusion detection, audits, double- and triple-user authentication, and the like, companies are engaging specialized vendors to perform sophisticated compromise assessments. These assessments help gain visibility into the present state of dormant and active threats within an IT environment. They can also result in newly detected data security incidents, some of which may be reportable. Although this might create a short-term financial and/or reputational challenge to a business, it is a responsible activity to undertake. In fact, all Blue Cross Blue Shield companies have recently gone through this type of assessment.
CISOs are also engaging third-party experts to play the role of the adversaries targeting the organization and use their tactics and techniques to test defenses. These simulations expose vulnerabilities and capability gaps that can be improved upon to enhance the security posture against relevant threats.
The cyber-threat landscape is quickly evolving, and the sophistication of attackers has increased significantly, with more and more reports of organized crime groups and nation-state involvement. A quick rundown of best practices in defending against these more advanced attacks includes:
1. Protect all layers of technology associated with enabling what it takes to offer the “at-your-fingertips” information to your constituents, namely your computing perimeter, network, PC endpoints, applications, databases and core computing infrastructure.
2. Protect your system administrative accounts and monitor their use; ensure that multi-factor authentication is required when using such accounts.
3. Segregate your systems into networks based on the sensitivity of the data.
4. Implement advanced security monitoring capabilities; preventive controls are not perfect, so a good detection program is required.
5. Limit workstation-to-workstation communications.
6. Document an incident response plan and continuously test it.
7. Secure the physical facilities where data is stored.
8. Drive cybersecurity awareness across the organization and test employees’ willingness to click unknown links and open unfamiliar documents.
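As an added illustration of items 2, 4 and 5 above (example code, not part of the original article), here is a minimal detection pass over constructed log records that flags workstation-to-workstation connections and privileged logons made without multi-factor authentication. The log layout, the workstation address range and the host and account names are assumptions made for this example.

```python
"""Added example: simple detection logic for two of the listed practices.
Log format, address ranges and names are assumptions, not from the article."""
import ipaddress

# Constructed sample records (assumed layout):
#   flow <timestamp> <src_ip> <dst_ip> <dst_port>
#   auth <timestamp> <user> <host> <mfa yes|no> <privileged yes|no>
SAMPLE_LOGS = """\
flow 2015-06-01T09:00:01 10.10.5.21 10.20.1.8 443
flow 2015-06-01T09:00:07 10.10.5.21 10.10.5.33 445
flow 2015-06-01T09:00:09 10.10.5.40 10.10.6.12 3389
auth 2015-06-01T09:01:00 jdoe WS-0421 yes no
auth 2015-06-01T09:01:30 svc_dbadmin DB-02 no yes
auth 2015-06-01T09:02:10 ops_admin DC-01 yes yes
"""

# Assumed: the whole 10.10.0.0/16 range is end-user workstations.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def is_workstation(addr):
    """True when the address falls inside a workstation network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in WORKSTATION_NETS)


def detect(log_text):
    """Return (rule, timestamp, detail) tuples for records that violate
    item 5 (workstation-to-workstation traffic) or item 2 (privileged
    account used without MFA)."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kind = parts[0]
        if kind == "flow":
            ts, src, dst, dport = parts[1:5]
            # Item 5: peers inside the workstation range talking directly.
            if is_workstation(src) and is_workstation(dst):
                findings.append(("ws-to-ws", ts, f"{src}->{dst}:{dport}"))
        elif kind == "auth":
            ts, user, host, mfa, privileged = parts[1:6]
            # Item 2: administrative logon that bypassed multi-factor auth.
            if privileged == "yes" and mfa == "no":
                findings.append(("admin-no-mfa", ts, f"{user}@{host}"))
    return findings


if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_LOGS):
        print(f"{ts} {rule:13} {detail}")
```

Running the block against the constructed records reports two workstation-to-workstation flows and one privileged logon without MFA; in a real deployment the two rules would sit in the security monitoring program item 4 calls for.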
Beyond these practices, a company should have sufficient funds reserved or insurance to address the economic loss that would accompany an incident.
Protecting Personal Data
A large portion of the U.S. population has, as a result of the recent breaches, been offered identity and credit protection and reparation services. While this has become common practice in response to a breach, last year Blue Cross Blue Shield companies agreed to offer such services to members prospectively, regardless of whether or not a breach had occurred. In addition to the obvious consumer benefits and peace of mind this delivers, such proactive offerings can help businesses avert losses up front, complementing early warning systems and thereby limiting potential damage and liability. That said, today many consumer programs are prohibited by regulatory agencies from receiving this service, a constraint that bears critical review in the name of consumer protection.
These services are only one weapon in the arsenal of individual data protection. Equally, if not more, important are some basic habits that every individual should adopt to help avoid becoming a victim of identity theft and fraud. Closely monitoring our bank account and credit card activity is among these. As employers, it is important to educate employees on how to follow good cyber-hygiene practices, for instance, not attempting to access unauthorized websites and not opening suspicious email messages, but rather bringing them to the IT security team’s attention.
Cyber threats are a fact of modern life, today and going forward. They are also a dynamic threat, meaning they cannot be solved for so much as managed through equally dynamic risk mitigation. The actions outlined above are a good starting point, as is keeping current with the latest threats to help identify and direct future actions to protect one of your organization’s most valuable assets, its data.