Big breaches are still happening, even if they’re not making headlines anymore. I’d like to identify five things we can do to mitigate the risk.
1) PEOPLE
In a lot of companies, employees have not been enrolled as part of the solution. Companies have to put more energy and effort into making sure employees understand the risk and the sensitivity of the data they handle every day.
There are lots of ways to reduce the risk that employees pose. Some are technical, but most are conversational: taking the time to help employees understand the risks and the value of the information they access every day. People who don't understand the extent of the risk are themselves a greater risk.
2) LEADERSHIP
At the end of the day, the CISO is accountable. So there need to be strong policies, and disciplinary action to enforce them. When someone breaches a policy, the response shouldn't be a slap on the wrist; it should be termination. If we manage risk up front rather than after an incident, some breaches can be prevented outright. When it comes to CISO accountability, make sure your policies are strong, your administrative safeguards are strong, your controls are strong, and your ability to audit is strong.
You should also know who holds which roles, and review this continuously and consistently. Access grants should require more than one approver, so that no single person can authorize access on their own. That slows down getting people the access they need, but in an environment where the data is sensitive, it's a requirement. The organization has to be aligned with the level of accountability the information it holds demands.
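The two controls above, dual authorization for access grants and a recurring review of who holds what, are mechanical enough to script. The following is an added example, not code from the original piece: it models grants with their approvers, rejects any sensitive grant that lacks two distinct approvers or that the holder or requester approved themselves, and flags holders who are no longer on the roster or whose sensitive grant is past its re-certification window. The roles, the 90-day window, the roster and the grants are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Roles whose grants need two independent approvers and periodic re-certification
# (constructed policy values for this example).
SENSITIVE_ROLES = {"db_admin", "pii_export"}
RECERT_DAYS = 90
REVIEW_DATE = date(2024, 2, 1)   # constructed "today" for the review run


@dataclass(frozen=True)
class Grant:
    user: str            # who holds the access
    role: str
    requested_by: str    # who asked for it
    approvers: tuple     # who signed off (names, possibly with duplicates)
    granted_on: date


def grant_is_valid(g: Grant) -> bool:
    """Dual-authorization check.

    Any role: at least one approver, and the holder may not approve their own access.
    Sensitive role: two *distinct* approvers, and the requester may not be one of
    them, so nobody can grant themselves access by requesting and approving it.
    """
    approvers = set(g.approvers)
    if not approvers or g.user in approvers:
        return False
    if g.role in SENSITIVE_ROLES:
        if len(approvers) < 2 or g.requested_by in approvers:
            return False
    return True


def review_grants(grants, active_users, today=REVIEW_DATE):
    """Periodic access review: returns a list of (grant, reason) findings."""
    findings = []
    for g in grants:
        if g.user not in active_users:
            findings.append((g, "holder no longer active"))
        if not grant_is_valid(g):
            findings.append((g, "insufficient or conflicted approval"))
        if g.role in SENSITIVE_ROLES and (today - g.granted_on).days > RECERT_DAYS:
            findings.append((g, "sensitive grant past re-certification window"))
    return findings


# Constructed sample data: an HR roster and a handful of grants.
ACTIVE_USERS = {"alice", "bob", "carol", "dave", "erin", "frank", "gina",
                "ivy", "june", "kim", "lee"}          # note: "hank" has left

SAMPLE_GRANTS = [
    Grant("alice", "db_admin", "alice", ("bob", "carol"), date(2024, 1, 10)),  # clean
    Grant("dave", "pii_export", "dave", ("dave", "erin"), date(2024, 1, 15)),  # self-approval
    Grant("frank", "db_admin", "bob", ("gina", "gina"), date(2024, 1, 20)),    # one approver, twice
    Grant("hank", "read_only", "bob", ("ivy",), date(2023, 12, 1)),            # left the company
    Grant("june", "pii_export", "bob", ("kim", "lee"), date(2023, 9, 1)),      # stale sensitive grant
]


def run_review():
    """Run the review over the constructed sample and return the findings."""
    return review_grants(SAMPLE_GRANTS, ACTIVE_USERS)


if __name__ == "__main__":
    for g, reason in run_review():
        print(f"{g.user:<6} {g.role:<11} {reason}")
```

The review surfaces four findings on the sample: dave approved his own grant, frank's two signatures are the same person, hank still holds access after leaving, and june's sensitive grant is 153 days old. In practice the roster comes from the HR system and the grants from the identity provider's audit log; the checks themselves are the same.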
3) THE CUSTOMER
Customers are often unaware of risky behavior that could affect their own information. Sometimes a breach of one customer can cascade into others if customers are interconnected, and the next thing you know, a whole host of people have been compromised and may not even know it. Customers do bear some responsibility for keeping their information safe.
The company must offer tools and resources that help keep customers' accounts from being taken over and their email from being compromised. But you can't cover everything, and that is one of the reasons these breaches are going to continue to happen. Between employees and customers, you're fighting an uphill battle.
4) LAW ENFORCEMENT
Law enforcement, at both the national and global level, is almost non-existent when it comes to cyber events. It saves itself for the highest-profile cases, and even in those, recovery after the fact almost never happens. One of the main reasons is that CISOs do not do a great job of sharing information. IC3, the FBI's Internet Crime Complaint Center, exists for online reporting, but not many people know about it or report to it regularly, and the sharing that happens there is post-event. There is no central place for CISOs to share the information they receive, or the intelligence they develop from what they see at their own network edge.
Technology moves so fast that law enforcement never catches up with attackers. Cybercrime is one of the easiest crimes to commit if you have the aptitude, and it is a crime that criminals get away with more often than not. There needs to be more partnership between private companies and law enforcement on sharing information, both before and after an event. We will never see real deterrence of cybercrime until we get real law enforcement and real consequences for the people who perpetrate these crimes.
5) DESIGN
We'll continue to see these large breaches because we continue to design our applications and our technology the same way: a single database with hundreds of thousands, if not millions, of records in it.
We have the technology to design these platforms better, but we haven't. The insistence on data warehouses, on putting everything in one place to make the data easier to analyze, is a convenience-driven design choice, not a secure one. And security is usually brought into those decisions only after the architecture has been built. I think we will continue to see these breaches because the design side insists on aggregating information instead of atomizing it. Why does a person need to exist in the same database as her age, her address and the fact that she drives a black Maserati? A single table like that means a single breach yields everything, already joined. We make it easier for attackers because we're so busy making it easy for ourselves.
Designers don't spend enough time figuring out how to design securely and proactively so the company never ends up in the news. Instead, they hire a CISO after the fact and ask them to clean up the problem. So it's no surprise that the average tenure of a CISO is between 18 and 26 months.
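What "atomizing instead of aggregating" can look like in practice, as an added example rather than a design from the original piece: the aggregated record (name, email, age, address, car) is split across separate stores, and each store keys its rows by an HMAC of the customer identifier under a secret unique to that store. A thief who dumps the vehicle store gets makes and colours under opaque keys, cannot tell who drives the black Maserati, and cannot join the dump to a stolen identity store because the keys differ per store. Rejoining requires the customer identifier, assumed here to live in the authentication system, plus every store's secret. The field split, the store names and the secrets are constructed for illustration.

```python
import hashlib
import hmac

# Per-store secrets. Constructed values for this example; in a real deployment each
# would live in a KMS/HSM, separate from the store it protects, so a dump of a store
# never includes the secret that makes its keys meaningful.
STORE_SECRETS = {
    "identity": b"identity-store-secret-0001",
    "profile":  b"profile-store-secret-0002",
    "address":  b"address-store-secret-0003",
    "vehicle":  b"vehicle-store-secret-0004",
}

# Which fields each store may hold. No store holds both who a person is and
# what is known about them (constructed split for this example).
STORE_FIELDS = {
    "identity": ("name", "email"),
    "profile":  ("age",),
    "address":  ("street", "city"),
    "vehicle":  ("make", "color"),
}


def store_key(store: str, customer_id: str) -> str:
    """Pseudonymous row key for one store: HMAC-SHA256(customer_id) under that
    store's secret. The same customer gets a different, unlinkable key in every store."""
    return hmac.new(STORE_SECRETS[store], customer_id.encode(), hashlib.sha256).hexdigest()


def atomize(customer_id: str, record: dict) -> dict:
    """Split one aggregated record into per-store fragments, each under its own key."""
    fragments = {}
    for store, fields in STORE_FIELDS.items():
        fragments[store] = {
            store_key(store, customer_id): {f: record[f] for f in fields if f in record}
        }
    return fragments


def linkable(store_a: dict, store_b: dict) -> bool:
    """Could someone holding dumps of two stores join them on key alone?"""
    return bool(set(store_a) & set(store_b))


def reassemble(customer_id: str, fragments: dict) -> dict:
    """Rejoining needs the customer_id (assumed to be held by the auth system) plus
    every store secret; one stolen store yields neither identity nor the rest."""
    record = {}
    for store, rows in fragments.items():
        record.update(rows.get(store_key(store, customer_id), {}))
    return record


# Constructed sample: the aggregated "one big table" row the text warns about.
SAMPLE_RECORD = {
    "name": "Jane Roe", "email": "jane@example.com", "age": 41,
    "street": "12 Example Way", "city": "Springfield",
    "make": "Maserati", "color": "black",
}


if __name__ == "__main__":
    frags = atomize("cust-1001", SAMPLE_RECORD)
    print("vehicle store dump:", frags["vehicle"])
    print("identity/vehicle joinable on key:", linkable(frags["identity"], frags["vehicle"]))
    print("full record recoverable with id + all secrets:",
          reassemble("cust-1001", frags) == SAMPLE_RECORD)
```

The caveat a practitioner would add: this shrinks the blast radius of a single-store breach, but it does nothing if the application tier that holds every store secret is the thing compromised, and the analytics team still gets to aggregate within a store on the pseudonymous key. The point is that the join back to a person is a privileged operation, not the default shape of the data.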
When I think about why these breaches keep happening, and will keep happening, it's these five dynamics that make products and services fertile ground for cyber criminal activity.