Death, Taxes, and a Data Breach
Certain things in this world are inevitable. Where there is life, there is death. Where there is government, there are taxes. And, where there is data, there is a breach.
Like all things that are inevitable, it is not a question of if, it is a question of when.
With enough time, that which is living will die. Governments that need to sustain themselves will tax. Companies that have data, especially those with valuable data, will be breached. Unfortunately, many organizations today act as if they are immune to such an event. Most are either too afraid to look closely at their actual risk, or too arrogant to see it.
The first fundamental take-away in such an environment, one where a hack or breach is inevitable, is that managing data security (or user identity) is not an absolute. Companies need to think more about managing security risk than about solving the security “problem.”
One aspect of security risk management is managing users’ cyberhealth. In fact, over 90% of breaches are caused by user behavior.
Consider the recent attacks against high-powered brand-names like Equifax, Yahoo, Dell, Marriott, and British Airlines (and as I am writing this, Quora and the National Republican Congressional Committee).
Do you think any of them had a sense that they would be hit with a breach?
Equifax certainly didn’t, and the outcome was the exposure of personal data of 143 million Americans and a response that made them look unprepared.
Neither did online news and search giant Yahoo!, now part of Verizon, have any notion that it would be devastated by an attack that resulted in data theft affecting more than 1 billion accounts and cost it over $350M.
Or Marriott, who announced on November 30th, 2018 that 500 million guest records might have been breached. But don’t worry, they’ll pay to replace your passport (but not for the inconvenience of your having to do so).
How about Dell, British Airlines and the over 4000 other companies that have been breached in 2018 alone? There are far too many attacks going on for companies to sit back and assume nothing like that will ever happen to them.
And while companies are starting to do social-penetration testing on their employees, they’re not doing enough, and certainly not yet making customers aware of the security behaviors they have that are putting these companies at risk.
Imagine if the results of social penetration testing could impact security policy risk analysis?
Imagine if users could be taught to be more account-security-aware, non-intrusively and without adding friction to their login process?
Imagine if all the information we know about user credentials and behaviors could be leveraged in real-time to improve a company’s user-security posture?
Security Failures Have Bottom Line Impact
It’s not a matter of “technical impact” either. This is a business risk. A reputational risk. A risk with real dollars attached to it. Verizon lowered its bid for Yahoo! by $350M after the scope of the breach was fully realized.
Everyone will be breached. It is inevitable; it is guaranteed. The corporate mindset must change and account for this eventuality to be better prepared and minimize the damage. Doing so could help save organizations millions of dollars in losses and prevent rapid brand erosion.
Once a company is breached, the cost of the security incident can be significant. According to the 2017 Cost of Data Breach Study by the Ponemon Institute and IBM, which queried 419 organizations worldwide about data breach incidents:
- The average cost of a data breach is $3.62 million
- The average cost for a lost or stolen record is $141, and
- The average size of a data breach (the number of records lost or stolen) increased 2% compared with the previous year.
These are staggering and damaging numbers. The good news is that most large brands will be able to survive the breach. Unfortunately, most smaller brands will not.
Companies owe it to themselves, to investors, to employees… to do more and stop being so comfortable with the status quo.
What Should Companies Do?
Instead of starting from the viewpoint of invincibility, they need to start from the mindset of vulnerability. Assume breach and have the tools and capabilities always working to identify the suspicious behaviors that are associated with compromised accounts, compromised devices, and the suspicious use of resources.
I get it, it is easy to have a false sense of security when there are layers and layers of security tools in place costing millions of dollars a year. It is easy when the security team tells the executives that they are safe and secure. It is easy when the security team has followed the security playbook of tools to buy.
Unfortunately, what often happens is a case of language failing us: the language we use describes a secure environment, but it doesn’t describe the risk implied by that certainty.
The reality is that most companies lack the security visibility to really understand whether they have been breached or will be. That is why the average time to discover a breach has risen to almost 90 days. The key to a better defense is knowing where to look, getting a continuous view of one’s security cyberhealth, and being able to use that data in real time to improve security risk posture and policy. Without a clear line of sight into the ever-changing threat and vulnerability landscape, no amount of security tools can help.
Where Do Companies Go Wrong?
Given that most breaches start with the user (>90%), a good start would be to understand the cyberhealth of both internal and external users. However, most companies focus heavily on non-user-based security. They build walls and moats to keep the bad guys out. This is unfortunate, as hackers today no longer have to break into companies; they just log in as the good guy. Times have changed. Hackers already have privileged credentials; billions and billions and billions of them. Many hackers take advantage of these compromised accounts to access and steal sensitive data from organizations. It only takes one, just one, and the exploit begins.
So, if over 90% of breaches are user-derived, then why is there such limited visibility into these threats? Because traditional security approaches and tools were never built to look at the user as the greatest threat; as such, the visibility they fail to provide leaves a massive blind spot for hackers to exploit. Take a look at the Dell breach, for example, which was announced on November 28th, 2018. Dell reported that its customer-facing website was breached. Even though Dell states that it has no evidence that any data was taken, it forced all of its users into a password change. Would Dell need to take such a drastic countermeasure if it really knew who its users were? Because Dell, like so many others, has zero visibility into its users, it can’t tell good from bad.
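As an added illustration (not code from the post or any vendor), here is a defender-side check for the “log in as the good guy” pattern described above: one source that fails against many accounts and then succeeds with a valid password. The log lines, field layout and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log: timestamp, user, source IP, result.
# 203.0.113.7 fails against five accounts, then succeeds on a sixth
# (a stolen credential); bob merely mistypes once from his own IP.
SAMPLE_LOG = """\
2018-12-01T08:00:01 alice 198.51.100.4 success
2018-12-01T08:00:05 bob 203.0.113.7 failure
2018-12-01T08:00:06 carol 203.0.113.7 failure
2018-12-01T08:00:07 dave 203.0.113.7 failure
2018-12-01T08:00:08 erin 203.0.113.7 failure
2018-12-01T08:00:09 frank 203.0.113.7 failure
2018-12-01T08:00:10 grace 203.0.113.7 success
2018-12-01T08:05:00 bob 198.51.100.9 failure
2018-12-01T08:05:30 bob 198.51.100.9 success
"""

def parse(log):
    """Turn the constructed log into (datetime, user, ip, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def detect_stuffing(events, min_accounts=5, window_s=300):
    """Flag source IPs that fail against >= min_accounts distinct users
    within window_s seconds, and every account that then receives a
    successful login from such an IP (likely a compromised credential)."""
    fails = defaultdict(list)            # ip -> [(ts, user)] recent failures
    stuffing, takeovers = set(), []
    for ts, user, ip, result in events:
        # drop failures that have aged out of the sliding window for this ip
        fails[ip] = [(t, u) for t, u in fails[ip]
                     if (ts - t).total_seconds() <= window_s]
        if result == "failure":
            fails[ip].append((ts, user))
            if len({u for _, u in fails[ip]}) >= min_accounts:
                stuffing.add(ip)
        elif ip in stuffing:
            takeovers.append((user, ip))  # valid password from an attacking source
    return stuffing, takeovers

if __name__ == "__main__":
    ips, hits = detect_stuffing(parse(SAMPLE_LOG))
    print("stuffing sources:", sorted(ips))
    print("accounts to review:", hits)
```

Bob's single failure followed by a success from his own address is not flagged, which is the distinction the post is asking for: telling the bad guy from the good guy rather than forcing every user through a password reset.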
Dell is obviously not alone. Some of the most noteworthy breaches have involved the exploitation of the user. That is why security must start with the user. Users are a company’s greatest asset, but also its greatest threat. Without a holistic view of a user’s security, breaches will continue to happen. Companies must understand their users better, so they can be smarter in their approach to mitigating risk. It is not always about adding more layers to authentication, encrypting more data and creating more barriers. The shotgun approach rarely works in security. Sometimes a little user education and a view into a user’s cyberhealth can go a long way.
Certain things in this world are inevitable. Good or bad, the choice is either to look the other way or to take it head on. Like all things in life, acceptance and preparedness are key. Breaches will happen, just like death and taxes.