Have your cybersecurity strategies fallen behind the times? The landscape has already shifted rapidly so far in 2020. Above and beyond the constant background threats stemming from cloud vulnerabilities, machine learning, ransomware, and decentralization, we’re now seeing added stressors that put every company even more at risk. Many organizations are running with bare-bones staffing, mostly working from home, and taking care of the bare minimum.
Now, more than ever, keeping up with vulnerabilities is no longer just a nice add-on, but a core function to ensure your business’s survival. None of us can afford to let security fall through the cracks, because there are hackers out there waiting to take advantage, just like during any period of turmoil. That’s why staying prepared demands today’s tools and strategies.
Healthcare organizations are strained to their maximum, of course. Headlines in 2019 highlighted big-scale breaches at Quest Diagnostics and LabCorp, showing just how vulnerable health data truly is.
But they’re not the only ones. These days, no industry is safe. The telecom industry saw big recent breaches at both T-Mobile and Sprint in 2019; in financial services, Capital One suffered a huge breach; and companies dealing with online sales are always vulnerable, with recent attacks on Marriott, Ticketmaster, and British Airways.
And these are just a few examples of far, far too many.
Today, faceless hackers aren’t the only threat. Regulatory agencies and fines represent a serious challenge for any organization handling user data. And while a decade ago, most security strategies focused on the perimeter, with firewalls and other barriers, decentralization and IaaS have made it crucial to protect data rather than borders.
There are two huge reasons for treating user data with kid gloves. First, because we must earn users’ trust through transparency and compliance. And second, to avoid fines. Just in 2019, big-ticket fines made headlines against companies like British Airways ($230 million), Marriott ($124 million), and Equifax ($575 million). Fines are only going to go up as more jurisdictions bring in privacy regulation.
So how can you stay on top of everything you need to track these days? You can do it, but it’s not always simple. And it’s easy to be overconfident about your security strategy.
Most companies today are dealing with complicated hybrid systems. And when we’re talking about combining cloud and on-prem, legacy and leading-edge, breaches can’t be completely prevented. But good security habits can slow them and mitigate their impact.
Looking at what went wrong in a few of these high-profile breaches can help us adopt better cybersecurity hygiene practices going forward.
LifeLabs: Ransomware Price Tag
Just as healthcare workers are working on the front lines, healthcare informatics represents the front line when it comes to vulnerability. And healthcare data is among the most sensitive personal information out there, making it a valuable prize for hackers.
Canada’s largest provider of specialty lab services, LifeLabs was forced to pay hackers an unspecified sum after a ransomware attack in December 2019 that compromised 15 million patient records. Information breached included home addresses, passwords, birthdays, health card numbers, and even lab results.
While some ransomware attacks are the result of human error, like phishing or poor password protection, according to SC Media, 31.5% of vulnerabilities exploited by ransomware could have been patched and weren’t. Hackers build known vulnerabilities into their attack plans, betting lots of companies won’t be up to date.
T-Mobile: Flawed Data Handling
The T-Mobile breach, in November 2019, sounded all too familiar. The press praised T-Mobile for quick disclosure and for the fact that “only” 1 million customer records were breached. Despite the company’s claim that “we take the security of your information very seriously,” this was T-Mobile’s second big breach in just two years.
Media claimed that there was little risk to users because leaked passwords were encrypted. But few asked why encryption wasn’t standard operating procedure for other data. Users have high standards today for entrusting their data to a company, and it breaches that trust when companies demonstrate poor data handling practices.
Marriott: Falling Through the Cracks
Marriott International hotel chain acquired Starwood Hotels & Resorts in 2016 to become the world’s largest hotel chain. It wasn’t until 2018 that Marriott discovered that they’d also acquired a data breach that compromised personal data of 383 million customers.
Why did it take so long to spot the breach? While the original break-in was probably due to human error, something clearly got lost in the mergers and acquisitions shuffle. Marriott laid off much of Starwood’s IT staff, so they had to get up to speed on unfamiliar legacy systems. With nobody at the helm of IT, cybersecurity due diligence failed.
The lesson? C-suite awareness of cybersecurity as a central component of any company’s business plan can save a ton of headaches.
Whether a coincidence or not, Marriott just announced it has been hacked yet again. This time, the credentials of two franchise employees were used to extract 5.2 million Marriott Bonvoy subscriber records.
Capital One: Overconfidence in Cloud
The Capital One breach in March 2019 demonstrates the result of overconfidence in cloud security.
Former Amazon software engineer Paige Thompson was arrested for exposing personal data from 100 million credit card applications and bank account information. Thompson created a program to scan systems at Capital One and 30 other companies for an AWS firewall vulnerability. She was also “piggybacking” on companies’ IaaS instances, stealing their computing power to mine cryptocurrency.
Capital One probably couldn’t have prevented this breach. However, it does demonstrate that regardless of the level of protection promised by cloud providers, vulnerabilities will always exist.
Unlike with earlier stories of data breaches, in all of these examples, monitoring systems were in place. Yet these were usually too late or insufficient to prevent leaks.
Often, the root cause of breaches lies not in the failure of a tool but in finger-pointing and buck-passing. In too many organizations, core security responsibilities, like updates and patching, are divided up among multiple individuals and teams. A healthier approach involves making cyber hygiene a company priority, from management on down.
As we’ve all seen from the fines, bad PR, and even bankruptcies, cybersecurity is a business problem, not an IT problem.
That’s why a better approach is proactive and anticipatory, rather than constantly putting out fires. So how can your business shift to a proactive, rather than reactive model? Here are 3 key strategies.
No More Buck-Passing
According to a Bloomberg interview with VC Bruce Croxon, a big reason for the Marriott breach was that there was no single point person in charge of vulnerable data during the transitional period. Having one might have allowed the company to anticipate problems.
Even at the best of times, responsibility for IT security is sometimes passed around within organizations like a hot potato. So it’s no wonder that cybersecurity due diligence fell through the cracks during the Starwood acquisition.
Know Your Enemies
Today’s IT world may be complex and tough to navigate. But there are some things that never change, and one is that people are lazy. That includes hackers.
Rather than try to find a brilliant new way in, according to a classic Gartner study, hackers prey on known vulnerabilities more than 99% of the time. While the nature of the threats is evolving, basic, unexciting maintenance tasks like routine vulnerability analysis and remediation are still your systems’ best defense.
Defense in Depth
This is not really a single strategy but a collection of security best practices. Unlike in the past, no single approach can create as strong a line of defense as a multi-layered security model.
For example, the Capital One breach demonstrates the danger of overconfidence in cloud security. An in-depth layered approach combines segregating vulnerable servers, applying patches, encrypting data, adopting a zero-trust model (as opposed to the traditional “moat-and-castle” model), and maintaining secure cloud backups.
Other components you might consider adding to your business IT strategy include vulnerability testing, penetration testing, building staff awareness (to prevent accidental insider breaches and alert your team to signs of trouble), implementing a clear and consistent update plan for vulnerability remediation (patching), and formulating a response plan with clear breach-handling policies.
Why Don’t Companies Keep Up?
When it comes to keeping up with today’s cybersecurity threats, there are a few reasons companies don’t or can’t keep pace—leaving themselves open to attack.
According to Forbes, these reasons include the frustration of ongoing updates, fears of interrupting workflow, and lack of automation. There are a number of other reasons companies don’t keep up with data hygiene best practices.
Some of these reasons seem ironic when considering the facts. A company that might be afraid to “break” work processes that are working smoothly with a routine update may actually find itself vulnerable to massive work interruptions. IT managers may feel that putting updates in their team’s hands is more secure than automation, when in fact the opposite is true.
Companies may also believe that once they are meeting compliance regulations, like GDPR in Europe, they’re in the clear when it comes to security. While compliance can help protect user information, both the Marriott and Capital One breaches occurred after the rollout of GDPR.
And simply moving to the cloud also isn’t enough, as the Capital One breach shows. Certainly, cloud today is incredibly secure, and updates are more convenient and hassle-free. But cloud can’t fix every security issue, especially because, as IBM reports, most companies are only 20% of the way toward cloud targets. With hybrid solutions, security becomes more complex than ever.
Regardless of which strategies you adopt, cybersecurity today involves constantly monitoring a huge range of information. This includes personal data, local servers, cloud solutions, employee vulnerabilities, users, access, rights—preferably on a least-privilege model—endpoint vulnerabilities (including end users’ own devices, phones, laptops, etc.), as well as legacy systems. So take advantage of tools that help you streamline and integrate all your cyber hygiene needs.
JetPatch offers several effective responses to make managing this complexity easier. It can connect to a variety of data sources, instill automation and best practices within the organization, and apply patching across various environments and applications. This helps security and IT ops eliminate traditional problems with patching and helps you keep all your moving parts organized.
It’s been more than a decade since the first high-profile data breaches came to light, and they’re still happening. Over the months to come, we will probably see even more as unscrupulous individuals and covert organizations take advantage of vulnerabilities as they emerge—in healthcare and every other industry. The COVID-19 reality has created a situation in which organizations are so focused on survival and on supporting remote operations that they often neglect some of the fundamental security hygiene practices.
Looking back on these infamous breaches gives us a clear picture of how complex security has become. Today, no single strategy can succeed, but a good cyber hygiene strategy that takes into account the complexity of today’s IT environment can prevent attacks and minimize damage.
While big companies are the ones that make headlines, smaller companies are breached all the time. Every organization needs to protect itself by eliminating security blind spots, introducing an automated, consistent process for minimal downtime, and adopting end-to-end vulnerability remediation (including cloud).
JetPatch provides one way to accomplish this from a simplified, comprehensive dashboard. And as an added benefit, streamlining security will minimize IT workload and let your company move forward confidently, meeting business goals and objectives.
In today’s information economy, data is the most valuable thing your organization possesses. Keeping up with today’s changing cybersecurity demands will help earn users’ trust and avoid costly problems further down the line. And it’s not only possible—it’s essential for any business, in any industry.