by Ken Stewart for Workflow
Identify theft, keyloggers, malware, phishing, ransomware, and state-sponsored hacking — hallmarks of the complex and intricate landscape of information security we inhabit today. If you haven’t been touched by a security breach yourself, it’s a certainty you’ve gasped inwardly as a friend or coworker shared their own story with you. Security concerns have become pervasive and palpable — a dark, alternate reality confirmed by the barrage of breaking headlines. What are you to do in the face of such wantonly malicious intent?
Today’s citizens simply want to feel safe. In the face of seemingly rampant threats to our safety, we eagerly trade common conveniences for peace of mind. And therein lies the dilemma security experts universally face — how stringent does security have to be to safeguard us from harm?
To cite the most commonly used example of large-scale data breaches, let’s look at Target’s late-2013 information security breach. While the mainline information security systems were hardened against external threat, a well-crafted social hack delivered via phishing email duped an unsuspecting, third-party contractor into exposing internal network credentials. Once in, the hackers deftly lifted more than 70 million credit and debit card accounts over the course of a few weeks, resulting in more than $200 million in estimated costs to the company.
Large businesses spend an average of 11 percent of the IT budget on information security, according to a 2014 PricewaterhouseCoopers (PwC) report, while small businesses spend an average of 15 percent of their IT budgets on information security. In light of the Target breach, 61 percent of organizations increased security budgets by an average of 34 percent according to the Ponemon Institute. Target itself committed to more than $100 million in systems upgrades to mitigate future attacks.
But does spending more equate to more security?
Spend More or Spend Smarter
After the Target breach, upper management’s concern about similar breaches occurring to their firms rose by over 30 percent in 2014, according to the Ponemon Institute. Budgets have continued to climb over the years, yet nearly 70 percent of today’s businesses have suffered a data loss incident in the past 12 months according to ClubCISO, an internet forum for security leaders. Nearly half of respondents in the Ponemon Institute study said breaches were discovered by accident, and recent data on actual information security breaches suggest that things haven’t improved dramatically. It took organizations a median of 146 days to detect a breach in 2015, according to a Mandiant M-Trends report compiling actual attack data. That’s abysmal, considering hackers caused over $200 million in damages to Target, alone, in under a month.
Today’s businesses have to be smarter about information security. To evaluate risk, businesses use risk calculations. Much like a weather forecast attempts to predict weather, risk calculations weigh potential risk against the likelihood of occurrence. In mathematical terms, Risk = Loss Value x Likelihood. This can be expressed as a monetary value to weigh the risk’s potential cost should it occur against the cost of preventing or mitigating the risk.
Technology spend is most often pointed at endpoint security, intrusion detection, and incident and event management systems. In other words, companies are most likely to spend on tools to detect attacks. And yet it takes organizations far too long — still — to detect and mitigate threats. This is because they are far too focused on ticking off regulatory and compliance checkboxes. Conventional threat assessments often don’t consider the new and evolving vectors of attack.
As evidenced by the November 2014 breach at Sony Pictures, the sophistication and scope of attacks have continued to mount. A hacker group infected and then erased everything stored on half of the studio’s 8,352 personal computers and servers, then fried the infected systems beyond repair. To make matters worse, the group stole intellectual property ranging from movie scripts and emails to more than 47,000 Social Security numbers. As if that wasn’t enough, the attackers leaked five Sony films to piracy websites for free viewing, and bizarrely threatened a terrorist attack against theaters that chose to play the studio’s film, The Interview.
What did the Sony security breach teach us? Most of us grossly underestimate the likelihood of a breach and creativity of the attackers once it happens.
“We’ve investigated multiple incidents where attackers wiped critical business systems and, in some cases, forced companies to rely on paper and telephone-based processes for days or weeks as they recovered their systems and data,” Mandiant reminded us.
The point of information security is quite simple: Reduce risk to an acceptable level. Preventing all attacks is a fallacy — you can’t. But you can work to mitigate a majority of damage and accept the risk of outliers in your security posture. But how can you protect against something you can’t even fathom?
Guarding Against the Impossible
Conventional threat assessments don’t consider the new and evolving vectors of attack (as in Sony’s case). Yet, for all of their complexity these massive attacks shared a singular thread — they preyed on human naiveté. In both cases, phishing scams prompted unsuspecting victims to provide credentials that ultimately led to the breaches. Social hacking, as it is often called, allowed the attackers access to private data via manipulation of a victim’s social behavior. Over time, this information provided leverage and intelligence necessary to extract truly valuable information from the corporation.
We have to remember that information security isn’t just for IT or security professionals. Information security — even physical security — is an “everyman” problem. By maintaining more awareness of the potential for threats, we can prevent social hacking at a grass-roots level.
One key tenet of information security that is most often overlooked is awareness training for end-users. Much like in any self-defense training, exposure to the possibility is key in promoting the correct response at the ground level. After any breach, screws are tightened and everyone is exposed to awareness training. Then people leave, new people are hired, and things change. Awareness training falls by the wayside or isn’t kept up to date with the current environment.
Another key tenet most companies overlook is the requisite focus on reducing the footprint of vulnerability. In other words, install measures and configure workstreams that limit the amount of damage for a single breach. Many techniques exist for this, such as enforced retention and destruction policies of important or potentially embarrassing information, limiting end-users’ sphere of influence should they be hacked, and insuring valuable assets against loss and theft.
Even with training, breaches are going to happen. In these cases, it is critically important to have incident response teams in place to leap into action when such things occur. Yes, these teams should be trained in how to handle a variety of situations, but they should also be creative and non-linear thinkers with the authority to act decisively.
It’s a Smaller World
The conveniences of technology have wrought a smaller world and brought us together in ways unimaginable a century ago. Yet for all of our wide-eyed wonder about the possibilities, a distinct fear looms over our head — the fear of being violated.
Where once we could keep a part of ourselves hidden — and safe — from the world, now we must face the distinct probability that everything about us is exposed. Whether it’s a criminal seeking monetary gain at our expense, a nation-state with an ax to grind, or our own government watching everything we do or say under the auspice of “security,” the very fabric of our world is now as a thin veil barely covering the most intimate detail.
Despite how small our world gets, there will always be room for those who have the heart for helping others navigate treacherous waters. Capitalizing upon the malcontents’ desires to gain from others misfortune offers you and I the unique opportunity to help.
But be warned. This has to go beyond simple hard-drive security kits and installing anti-virus software for a monthly fee. Those best at this craft seek out ways to exploit unsuspecting victims, and then offer wise counsel from a warm heart. These “white hat” crusaders understand the underbelly of the information trade, yet believe in equipping innocents to defend themselves.
You can choose to live in fear and indifference, believing there is nothing substantial you can contribute to the greater good. But remember, it is not the strongest of us that thrives, nor the most intelligent; it is those most adaptable to change. Prepare yourself for the journey ahead, because the security of information will only become more vital as our reliance upon digital interactions grow. Embrace change; embrace your place in helping others feel safe once again.
Ken Stewart is the founder of ChangeForge LLC
This article originally appeared in the November 2016 issue of Workflow.