What lessons can companies learn from major data breaches?

27 Oct 2017

Multilayered security is key. Image: REDPIXEL.PL/Shutterstock

In recent months, data breaches and unsecured data stories concerning major companies have dominated the news – so what can businesses do to protect themselves?

From data breaches at Equifax and Deloitte, to the recent discovery of Accenture’s unsecured troves of private data, businesses have never been more aware of the threat of cybercrime than now. The fact that such large companies either suffered breaches or left large amounts of confidential data unsecured has many businesses wondering how they can improve their own security practices, from SMEs to Fortune 500 companies.

Siliconrepublic.com spoke to a range of cybersecurity professionals and experts about the problem of poor security protocols, new cybercrime trends to be aware of, and what needs to be done to protect sensitive and valuable data from attack.

Managing thousands of digital assets

Alex Heid is a white-hat hacker and chief research officer at SecurityScorecard, a leading New York-based cybersecurity monitoring and rating platform. He explained that massive companies such as Equifax and Deloitte “will have a massive ecosystem that they are responsible for maintaining, with digital assets numbering in the hundreds of thousands”.

He added: “It is quite common for things that were intended to never be exposed to the public internet to be misconfigured and exposed.” He explained that the job is much easier for the hacker, who simply needs to find a single malicious entry point, “whereas the enterprise has to constantly monitor hundreds of thousands of areas for exposure constantly”.

Guy Podjarny, CEO and co-founder of Snyk, a London/Israeli platform that finds and fixes vulnerabilities within companies that use open-source code, said that centralising sensitive data is a major issue. He described centralisation as the “classic problem of putting all your eggs in one basket”.

Podjarny said: “The damage from such treasure troves of data can be disastrous, as demonstrated by the magnitude of the Equifax breach.”

“The key to success is in putting in multiple layers of defence, such as strong encryption of the credentials, limiting the number of records that can be read in a given timeframe.”

Deeper and multilayered defences make it harder for attackers to get to your data, even if you were compromised.

Technology sprawl

Less-than-stellar security practices are likely to be more common than we think, said Podjarny, and most companies’ security posture “is worse than what they think, and most companies we believe to be in great security shape are nowhere near as resilient as we think”.

Consider the vast sprawl of technologies and applications in these massive companies, each with their own individual security challenges. “Security doesn’t have a natural feedback loop – if you’re not managing it well, it doesn’t hurt until it hurts really bad.

“We need to find better ways to make security visible to keep us from forgetting it and let us continuously improve our defences,” Podjarny stated.

As was seen with the Equifax breach, the protection of customer information is something that more companies need to invest resources and time into.

George Avetisov, CEO of New York-based decentralised biometric authentication firm Hypr, was firm in his assertion that biometrics, PINs and passwords used for authentication, should never be stored in the cloud or otherwise shared.

“Their singular, or bulk, loss is so damaging to users and the service provider.”

Economic disruption and national security

He also made the point that Fortune 500 companies and political circles with weak security posed even larger risks to individuals, saying “issues of economic disruption and national security come into play upon the loss of closely held data”.

Whether it’s static credentials (also called bearer tokens) that can be used by another person, or biometrics that tie identity to a person, it’s important to consider where these credentials are stored.

“Biometrics, PINs and passwords should be kept on-device, in the hands of those to whom they belong: their owner.”

Podjarny explained that handling security well is quickly becoming a core competency for businesses that want to survive, and doing so is no easy feat. “Attackers are getting more sophisticated by the day; the pace and complexity of software development is accelerating, and the cost of a breach is rising rapidly due to the vast amounts of data companies hoard, and stricter regulations like GDPR.”

Of course, security can never be perfect, and much of this comes down to visibility and “security hygiene at scale”, as Podjarny put it.

Awareness and literacy is crucial. “If you have a strong grasp of the applications, data and systems you have, and are able to secure access and patch known vulnerabilities in those, you’ll be well set up for success,” said Podjarny.

Developments in cybercrime

So, with cyberattacks growing more sophisticated at such a rapid pace, what kind of new developments should CSOs, CIOs and indeed everyone be aware of? Podjarny predicts increasing sophistication in automated attacks, using the same technologies that defenders use, notably machine learning, to penetrate more systems with lower cost.

The increasing value of data is also playing a role in the cybercrime world. “As data payloads get bigger and more valuable, the black markets for stolen records will continue to evolve and grow, and data with long shelf life – like the personal details stolen from Equifax – will be especially valuable,” said Podjarny.

He added that criminal activity around cryptocurrency is set to become a more regular occurrence.

Cloud computing risks

Avetisov said that all of the recent major data breaches “have one thing in common: the warehousing of too much sensitive data. Credentials for accessing cloud-based systems containing data should be decentralised.”

Implementing new technologies in today’s largely legacy authentication system of centralising sensitive data doesn’t address the root problem, he maintained.

Cloud computing security is a major challenge, added Podjarny.

Configuring access permissions on one storage bucket is easy, but correctly configuring access to thousands of them, each with a complex set of fast-changing clients, is extremely hard. Companies employing large numbers of teams must also be cognisant of differing levels of knowledge about cloud security protocols.

Podjarny concluded: “Technologies like cloud storage scale your digital business but, to remain secure, you have to similarly transform your security practice, ranging from better processes to automated security tools that can be embedded into your development and operations workflows.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com