Riding This Year’s Data Breach Roller Coaster

Meet Dawn Marie Hutchinson. Dawn was hired last year as the head of information security to keep Urban Outfitters void of future attacks. Dawn believes that Urban Outfitters should not have to disclose when a breach occurs.¹

Dawn is not alone. She is among a group of executives taking a stand in a debate on the merits of disclosing attacks. With a belief system that breaches don’t always lead to harm, the organization is fighting for breaches to be handled quietly. At a meeting of the National Association of Corporate Directors last June, members questioned the value of full-disclosure when it comes to attacks.

Dawn sees the world differently and believes that disclosing cyber-attacks can put a large target on the company’s back, ultimately highlighting to hackers that their system is vulnerable. But yet many executives, investors, customers and essentially every individual affected by a breach disagree; companies have a responsibility to disclose hacks.

<ClickToTweet>:    As organizations continue to feel vulnerable to attacks, @Vormetric discusses recent breach transparency debate. http://bit.ly/1sYR6yu

The debate continues after the recent revelation that Russian hackers had stolen more than a billion online credentials across 420,000 sites, sending Internet users scrambling to change their passwords and wondering how to keep information safe; ultimately restarting the conversation that opened users’ eyes during the Target breach last year.

This hack has the potential to be the largest known collection of stolen Internet credentials. At a time when there is a heated debate brewing about whether or not to keep this kind of information hidden, many are left wondering what non-disclosure will fix in data breaches.

A breach of this magnitude isn’t surprising given the fact that organizations aren’t recognizing the risks that can lead to these kinds of breaches, or investing in the kinds of data-centric security that is best at preventing these attacks. A global survey of enterprise IT professionals commissioned by analyst firm Ovum earlier this year found that very few were leveraging Data Security best practices:

• Only 38 percent of organizations use data access monitoring – a technology that can identify attacks in process by looking at who, where, when and how data is accessed;
• 60 percent of survey respondents feared mixing data from different countries could result in privacy and compliance violations;
• In spite of existing protections, 80 percent of organizations felt vulnerable to theft of privileged user account credentials by malware – without data access, monitoring and controls, theft and misuse of these credentials can directly result in a breach.

In a March 2014 blog post, Top 5 Data Breach Trends for 2014, I predicted the top security threats for 2014 as we were headed into an ‘all signs pointing to better preparing for data breaches’ era. Checking in four months later, these trends are still on-point:

• Revenue Loss Means Board Room Focus:In early May, Target CEO Gregg Steinhafel announced he was leaving the company, less than five months after the retailer disclosed the massive data breach that jeopardized as many as 40 million payment card accounts. According to Avivah Litan, Gartner analyst, this was a “watershed event” for the retail industry; CEOs have “since built closer ties to chief security officers, often having CSOs report directly to them.”
• Retail Breaches: An Easy Target:The day after I wrote my trends for 2014 post Specs, a Texas wine retailer’s network, was breached. The hack started in October 2012 and affected 34 of the stores throughout Texas. The breach continued until March 20, 2014, potentially providing hackers with customer names, debit or credit card details, card expiration dates, card security codes, bank account information from checks and possibly drivers’ license numbers.²  Following the discovery of a possible breach in June, P.F. Chang’s revealed that 33 restaurants across the country were affected by a breach. Credit card information was likely stolen during the breach.³
• Cloud and Big Data = Big Target for Cybercriminals:As we saw with last week’s news, a gang of criminal hackers amassed more than 1 billion usernames and passwords linked to half-a-billion email addresses. The massive trove of data — stolen from hundreds of thousands of websites — was discovered by the Milwaukee firm Hold Security.
• Government and Healthcare = High Risk:In mid-May, an investigation found that a server at the Montana Department of Public Health and Human Services had been hacked. The server contained names, addresses, date of births and social security numbers of roughly 1.3 million people.²
• Compliance Will Grow Bigger Teeth: Last month, the Florida Information Protection Act of 2014 went into effect, stating an organization must provide written notice to the state attorney general no later than 30 days after determination that a breach affecting 500 or more Floridians has occurred. This move redefines the concept of ‘personal information.’

Servers and databases continue to hold the bulk of each organizations structured and unstructured data assets and they are also involved in the vast majority of high-profile data breaches.

According to Vormetric’s recent Insider Threat Report, only 9 percent of organizations that responded to the 2014 Vormetric insider threat survey felt safe from attack, and more than a quarter felt that their organizations were vulnerable. Almost half felt that insider threats are now more difficult to detect than was previously the case.

The insider threat to corporate information systems never goes away. It remains consistently high and is increasing. New technology, including the implementation of cloud and big data projects, adds to data theft and loss opportunities. Regulatory and compliance issues, alongside the requirement for companies to protect themselves from brand damage and revenue losses, drive the requirement to provide better protection.

Rather than spending more time and effort maintaining older security products, better value would be provided through targeted replacement, integration and control ultimately ensuring only authorized users can get access to sensitive data.