The State of Security – Data Breaches in 1H 2016
In an election year, everyone asks the question about whether or not you are better off than you were four years ago. There are many ways to answer such a question, and various people make arguments from various angles and data points.
Now, more than halfway through the year, hardly anyone could claim that the data breach crisis due to cyber attacks has improved. Even if the number of reported breaches declines to some degree or the total number of records lost to an attacker is somewhat smaller, the specter of loss remains formidable. In addition, enterprises and organizations hardly seem better equipped to solve the problem of a motivated attacker getting into their network and working in stealth to steal or damage assets. If each data breach headline in the news is a wake-up call, most companies are still sound asleep.
Is mass complacency the problem? No one cares about a breach, and it’s just a fact of life? Or is there just a resignation that nothing can be done to thwart an attack, so cyber-insurance and a smart response plan are the best one can do?
It’s hard to imagine that complacency is the issue. The stakes get continually higher for breaches. Lately the SEC, FTC and other regulatory bodies are making sizable moves that indicate that penalties for a data breach will start to soar. Courts have been ruling to make victimized organizations responsible for all damages, and they have allowed class action litigation to pool plaintiffs’ complaints into more sizable amounts.
It is also clear that brand damage and loss of customers come as a result of a major breach. Over 150,000 subscribers dropped TalkTalk, the British telecom provider, in the months following its breach, contributing to a revenue shortfall. The mobile provider disclosed $80 million in losses due to customer churn.
And speaking of losses, it is not just PII and financial information at stake. There is growing acknowledgement of intellectual property loss or compromise and theft of company or trade secrets. The Panama Papers incident earlier this year points to what could be possible. Imagine the devastating loss that law firms and their clients could experience when an attacker takes all and holds it for ransom or posts it in some public forum.
Clearly, things are not getting better. At the same time, most organizations are no closer to solving the issue than ever. Existing security tools are obviously not up to the task. Even with the best next-generation gear and well-established policies and rules, attackers get into a network as though the perimeter didn’t exist. Legacy vendors claim incremental benefits that don’t even come close to solving the real problem. One industry test report just released claimed up to 100% effectiveness for security systems to prevent breaches. Really? Since when did the truth get so unbelievable?
The state of the “union” is not good. Ask any in-the-know security professional if they have the ability to detect an active attacker that has compromised a host or user account and is at work on their network, trying to gain control of assets. Almost everyone is likely to admit that they do not. If some think they have the capability to detect active attackers, ask how they would know and what their level of confidence is.
The future is not all bleak, however. The recent Cyber Weapons Report shows that malware is rarely used in post-intrusion attack activity, but if you focus on the real way that attackers conduct their business, you can find one at work. Behavioral profiling is showing a great deal of promise in uncovering these steps. With machine learning, broad detection and advanced analytics you can determine whether or not there is an active attacker working towards a data breach. It’s time to turn the tables on attackers and vote for a better future. Maybe we can make security great again?