Should we change our thinking around data breaches?

27 Feb 2019


Cybersecurity expert Steve Tout says that a more proactive approach is crucial to guard against data breaches.

Data breaches are a growing risk and can have devastating effects on the organisations that experience them as well as the people whose information is stolen.

As founder of Forte Advisory and former CEO of VeriClouds, Steve Tout has seen trends develop over his 18 years in the security industry with firms such as PwC and VMware.

Tout is a seasoned expert in identity and access management, and he told that the way many security professionals approach breaches needs to change to truly tackle the issues in a proactive manner.

What should be done to change the narrative around data breaches?

In 2019 we are already seeing data breach incidents that are largely preventable. The patterns I am seeing are: overprivileged access, lack of visibility in multicloud environments, little to no access governance in place and poor password hygiene. None of these problems are related to technology – they are leadership and management challenges.

Historically we’ve seen business leaders look at investment in their cybersecurity portfolio as a cost centre, as a cost of doing business. Their rationale has been: ‘We haven’t had a breach yet and if we did the recovery costs would amount to less than doubling or tripling our budget on protection.’

The CFO will look at breach avoidance as an operating expense on an Excel spreadsheet, and there is no compelling return on investment (ROI) when looking at cyber in this way.

I’ve always talked about there being two ROIs in the investment in cyber: the risk of ignoring and the ROI. The main point I would make about changing the narrative around data breaches is that most of them are totally avoidable. Customers and citizens are beginning to hold companies and governments to higher standards of ethical behaviour and due care.

Can you talk about the issue of credential compromise and how this relates to dealing with breaches?

The game strategy is so simple that my 11-year-old daughter understands it: use the same compromised credentials that hackers do, albeit in a secure manner, but as a protection mechanism, not a hacker scheme. Problem solved.

The reality today is that many leading organisations think they are protected from these types of attacks by enabling 2FA or by calling on the popular service Have I Been Pwned (HIBP) in a programmatic way, and that is just a false sense of security.

2FA is not and cannot be deployed everywhere, and HIBP is not a security solution. Having the ability to prevent logins using breached credentials is a transformation for most organisations, and fills a huge gap left by low adoption rates of 2FA solutions. 2FA and HIBP are not enough.
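The breached-credential login check described above, as an added example that is not Tout's or VeriClouds' code. It follows the k-anonymity range lookup that HIBP's Pwned Passwords API uses (client sends the first 5 hex characters of the SHA-1, receives `SUFFIX:COUNT` lines, matches the rest locally), but runs against a small constructed in-memory corpus so it works offline; the corpus and the policy function are assumptions.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed sample corpus standing in for a breached-credential data set such as
# HIBP Pwned Passwords. Hypothetical; a real deployment would use the full corpus
# or the remote range API and would never hold these as plaintext.
SAMPLE_BREACH_CORPUS = ["password", "123456", "letmein", "qwerty", "password"]

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Shape the corpus the way the range API serves it:
    5-hex-char hash prefix -> {remaining 35-char suffix: times seen in breaches}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index

def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> List[str]:
    """Simulated range lookup returning the 'SUFFIX:COUNT' lines the API would.
    Only the 5-char prefix ever leaves the client, so the service cannot learn
    which password (or even which full hash) is being checked."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly a 5-hex-char prefix")
    return [f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, {}).items())]

def breach_count(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Number of breach appearances for the password, 0 if unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(index, prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:  # the match is made client-side, on the suffix only
            return int(count)
    return 0

def login_decision(password: str, index: Dict[str, Dict[str, int]], mfa_passed: bool) -> str:
    """Assumed login policy: a known-breached password is refused and flagged for
    reset even when the second factor succeeded, because MFA does not make a
    leaked password safe. Where 2FA is not deployed, an unbreached password
    still gets in, which is the gap the check is meant to narrow."""
    if breach_count(password, index) > 0:
        return "deny_breached"
    return "allow" if mfa_passed else "allow_password_only"
```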

How can organisations streamline their cybersecurity responses?

The best way for an organisation to streamline its incident response is to not have an incident to begin with. That comes from being proactive with regards to investment in its cybersecurity technology portfolio, embracing adaptive, intelligence-driven security solutions, and investing in maturing the disciplines and capabilities of the programmes themselves.

First off, we looked at how investing in a cybersecurity programme can have ROI measured in top-line growth. Not only can an organisation achieve a better security posture overall, delivering safer online experiences, it can touch the customer in important ways that enhance the lifetime value of that customer.

Secondly, there are some excellent new technologies available today – PETs such as identity proofing, identity threat protection and authentication protocols like FIDO U2F security keys – that enhance security posture while providing enhanced user experiences across desktop, mobile devices and things.

Thirdly, technology alone doesn’t cut it. Every security programme has risks. Not acknowledging them or planning for them puts the programme at risk of failure (best case) or leaves the business vulnerable to a data breach, and none of us want that to happen.

What poor habits lead to breaches in terms of both individuals and organisations?

A major shortcoming in business today is the fixed mindset of security leaders – ‘This is my security strategy for 2019, so I’m set’ – and a false sense of security that comes from the idea that ‘I have MFA enabled, so I’m protected’.

I posit that weak and compromised credentials have never been the leading cause of data breaches. That just so happens to be how cybercriminals get into a network, which is right through the front door.

It’s the fixed mindsets of business and security leaders that leave organisations vulnerable to cyberattacks and consequently to devastating data breaches. The fixed mindsets and false confidence are dangerous, yet I encounter them a lot more than I’d like to.

Do you think a change in outlook is on the way for how we deal with breaches? If not, what will it take for it to happen?

The silver lining in all that I’ve said so far, which might sound gloom-and-doom, is that I do see a change in outlook for how we, as an industry, are beginning to think more proactively about breaches.

There are some companies who are finally going far beyond asking Have I Been Pwned to assuming a state of breach, that we are all victims now and U Have Been Pwned already.

In 2018, we saw a renewed interest in zero-trust security, which acknowledges that controlling access through legacy perimeter-centric models is no longer effective. A lot of companies are already on board with this movement. Like any model or framework, zero trust has its own set of challenges, but it’s promising. I just hope that it doesn’t come and go like the Macarena dance did.

I’m also encouraged by the amount of interest in privacy by design and the potential to persuade businesses to proactively invest in better security controls that differentiate their offerings, if not to simply do the right thing.

In October 2018 the Oasis group announced support of dozens of companies and 12 countries (including the UK, China, Canada and Korea) to define a new international standard for consumer privacy by design. This is the ISO Project Committee 317 aiming to prevent data breaches and give consumers more control. With companies such as American Express, Amazon, Equifax and many others behind this initiative, I am optimistic about the future of privacy.

Ryerson University and Deloitte have partnered to offer privacy certification that shows promise of ushering in a new era of privacy protection for the consumer.

My hope here is that more vendors will join the movement and help organisations become more proactive and less remedial with less effort.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects