Another year, another series of data breach headlines. 2018 has come to a close, and we’ve been looking back at one of the year’s biggest and potentially costliest breaches: the British Airways data breach that was announced back in September. With approximately 380,000 booking transactions exposed and more than $1 billion in potential fines and lawsuits, the breach offers many important lessons.
One such lesson is that companies continue to make the same basic mistakes when it comes to security. Consequently, hackers continue to use—and find success with—tried and tested techniques. In this three-part series, we’ve been taking a closer look at what companies can do to avoid these mistakes—namely, the fundamental security best practices they can implement and make an ongoing focus of their security strategy.
You can catch up on the British Airways breach and read about our first seven recommended best practices by checking out Part 1 and Part 2. To complete the series, here are our remaining three recommendations to help your organization improve its cyber defenses.
8. Close Security Gaps in Your Supply Chain
When the global retailer Target fell victim to a data breach in 2013, it wasn’t because of a sophisticated and coordinated cyber attack. Instead, hackers found a weakness in the security of one of Target’s HVAC vendors and leveraged it to access Target’s internal network. Ultimately, information from 41 million payment cards was exposed, and the company saw its expenses from the breach amount to $162 million in 2013 and 2014 alone.
The moral of this story is that when your organization provides contractors and third-party suppliers with access to your network, you ultimately lower your security level to that of the third party. Third-party vendors are often smaller businesses that may not have the latest security tools or may lack adequate IT personnel. Many third-party vendors also deal with hundreds or even thousands of client access points and policies, so ease of access is frequently prioritized over security. Cyber attackers are aware that third parties are often the weak link and target them as a way to make an end run around what would otherwise be a more robust security posture.
This is evidenced by the fact that many of the largest breaches in recent years have been traced back to third-party vulnerabilities. For example, earlier this year, customer support software company [24]7.ai announced it had suffered a cyber incident. Although [24]7.ai might not be a household name, many of its clients are; Sears, Delta Air Lines, and Best Buy all announced data breaches that traced back to this vendor’s breach.
The interconnectivity of applications and organizations can be a boon for business, but it can also be a major risk factor when vendors outside of your organization are given access to your customers’ data or have their own port into your network.
Modern identity and access management (IAM) solutions can help overcome these security risks by managing the distinct identity lifecycles for all of your organization’s users, including vendors, partners, contractors, and other external users, regardless of whether they exist in your HR system. By automating account creation, management, and deprovisioning, IAM solutions reduce the risk of human error and provide better visibility into and control of third-party accounts.
Access for third-party users can be limited to only what a given user absolutely needs in order to do his or her job, and it can be made time bound so that it is automatically revoked at the end of the specified period. Fine-grained access controls are what enforce this least-privilege access. Additionally, multi-factor authentication can be applied to all third-party access entry points to further limit risk.
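The three controls above (scoped access, time-bound grants, MFA at every third-party entry point) combined into one default-deny decision, as an added example that is not taken from any IAM product. The `Grant` fields, reason strings, users, and resource names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    user: str              # external identity (vendor, contractor, partner)
    resources: frozenset   # exact resources the job requires, nothing broader
    actions: frozenset     # exact actions allowed on those resources
    expires_at: datetime   # hard end of the access window

def decide(grants, user, resource, action, mfa_passed, now):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if not mfa_passed:                      # MFA gates every third-party request
        return False, "mfa_required"
    mine = [g for g in grants if g.user == user]
    if not mine:
        return False, "no_grant"
    live = [g for g in mine if now < g.expires_at]
    if not live:                            # time-bound: expiry revokes by itself
        return False, "grant_expired"
    for g in live:
        if resource in g.resources and action in g.actions:
            return True, "ok"
    return False, "out_of_scope"            # least privilege: valid user, wrong target

def expired_grants(grants, now):
    """Grants an automated deprovisioning job should delete."""
    return [g for g in grants if now >= g.expires_at]

# Constructed sample data: an HVAC vendor limited to one controller for a
# week, and a partner auditor whose window closed yesterday.
NOW = datetime(2019, 1, 15, 12, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("hvac-tech@vendor.example", frozenset({"bms/hvac-controller"}),
          frozenset({"read", "restart"}), NOW + timedelta(days=7)),
    Grant("auditor@partner.example", frozenset({"reports/q4"}),
          frozenset({"read"}), NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    hvac = "hvac-tech@vendor.example"
    print(decide(GRANTS, hvac, "bms/hvac-controller", "restart", True, NOW))
    print(decide(GRANTS, hvac, "payments/card-db", "read", True, NOW))
    print(decide(GRANTS, "auditor@partner.example", "reports/q4", "read", True, NOW))
```

The distinct deny reasons are worth logging: a burst of `out_of_scope` results from a single vendor account is the kind of signal that separates a misconfigured job from an account being used to explore the network.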
9. Stay on Top of Security Investments
Long an afterthought, security must now be considered one of the foundations on which a business is built and operated, and it should garner as much attention as plans for new products, emerging technologies, and innovations. The days of setting a simple, single layer of defense are behind us; customers, employees, and partners traverse networks around the clock and expect services in real time. In other words, security isn’t something to set and forget.
With all of the traffic, devices, and users, it is crucial to keep security software and hardware patched and up to date to help prevent known vulnerabilities from being exploited by opportunistic cyber attackers. Patches and updates from vendors should be identified and installed as part of a regular maintenance cycle and according to existing application change management procedures. After all, out-of-date applications and operating systems are a favorite target of cyber attackers, with hackers trading in exploits known to be effective against outdated systems.
Similarly, it is important to test and evaluate existing defenses and evaluate new and emerging security products against your business needs to help ensure that your network has the flexibility to accommodate current and future security challenges.
Chances are your company is one of the 69 percent of organizations that aren’t spending enough on cybersecurity investments. According to a 2018 Ponemon Institute study, only 31 percent of IT professionals believe that their organization’s funding for security is sufficient to achieve a high level of cyber resilience in the face of rising security incidents. The British Airways breach illustrates that if you do not proactively invest in cybersecurity now, your organization can expect to spend more later, often many times more than what it would have cost to invest in prevention.
10. Be Prepared for the Worst
In today’s cyberthreat environment, it is a matter of when, not if, your organization will experience a data breach. Faced with this reality, organizations can begin to prepare for the worst by ensuring that they have the proper data backup solutions and procedures in place and that they carry cybersecurity insurance to help deal with the potential financial aftermath of a breach.
In the event of a ransomware attack, for example, having regular data backups eliminates the leverage that attackers have over your organization. Instead of paying off hackers to regain access to your own data (which they might not even release, even if you do pay up), your data can be recovered, ideally, from a daily backup.
Furthermore, the 3-2-1 principle is a good rule of thumb when it comes to backing up data: Keep at least three copies of your data, back up your data on at least two different storage types—for example, in the cloud and on your premises—and keep at least one backup copy off site. Regular tests of failover—a protection method in which applications switch over to backed-up data or servers in the event of a disruption—as well as business recovery protocols can also help make your organization more resilient.
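A check of a backup inventory against the 3-2-1 principle, as an added example that is not from the original article. It assumes the production copy counts toward the three copies, and it adds a 24-hour freshness threshold based on the daily backup mentioned earlier; the inventory entries and violation names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Copy:
    location: str          # label for the copy
    storage_type: str      # e.g. "disk", "cloud", "tape"
    offsite: bool          # stored away from the primary site
    taken_at: datetime     # when this copy was last written
    is_primary: bool = False

def check_321(copies, now, max_age=timedelta(hours=24)):
    """Return the list of violated rules; an empty list means the inventory passes."""
    problems = []
    if len(copies) < 3:                                   # 3: at least three copies
        problems.append("too_few_copies")
    if len({c.storage_type for c in copies}) < 2:         # 2: two storage types
        problems.append("single_storage_type")
    if not any(c.offsite for c in copies):                # 1: one copy off site
        problems.append("no_offsite_copy")
    backups = [c for c in copies if not c.is_primary]
    # Assumed freshness rule: the newest backup must be under max_age old.
    if not backups or now - max(c.taken_at for c in backups) > max_age:
        problems.append("stale_backup")
    return problems

# Constructed inventories.
NOW = datetime(2019, 1, 15, 12, 0, tzinfo=timezone.utc)
COMPLIANT = [
    Copy("prod-db", "disk", False, NOW, is_primary=True),
    Copy("onprem-nas", "disk", False, NOW - timedelta(hours=6)),
    Copy("cloud-bucket", "cloud", True, NOW - timedelta(hours=20)),
]
AT_RISK = [
    Copy("prod-db", "disk", False, NOW, is_primary=True),
    Copy("onprem-nas", "disk", False, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    print(check_321(COMPLIANT, NOW))   # passes every rule
    print(check_321(AT_RISK, NOW))     # fails every rule
```

The second inventory is the risky case for ransomware: its only backup sits on site, on the same storage type as production, and is three days old.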
The ransomware attack that targeted the city of Atlanta in March 2018 could have played out differently for the municipality if it had had a stronger backup protocol and access to a cybersecurity policy. Nearly a third of Atlanta’s 424 necessary applications were held hostage by a group called SamSam, which demanded a $52,000 ransom for the data. In the meantime, residents couldn’t pay city bills, the court system was hampered by inaccessible records, and all government operations had to be done on paper. The city not only ended up paying the ransom to regain access to its data and systems but also spent more than $2.6 million on emergency professional services and other efforts to resolve the issue.
Cybersecurity insurance is another option that can help your organization protect itself in the event of a cyber incident or breach. Despite the massive breaches of the past few years, many companies still do not have cybersecurity insurance, leaving them open to major damages in the event of a cybersecurity incident. As an added layer of support, a cybersecurity insurance policy can provide your organization with financial resources to help cover legal, public relations, IT, and other costs resulting from a cyber attack.
The Case for Security
The breaches highlighted in this series and the subsequent fallout faced by each organization illustrate the enormous financial and reputational consequences a data breach can have. In turn, these costs can help establish a strong business case for making security a priority and taking the proper steps to help protect your organization.
By doing the security basics right and putting a modern IAM solution at the core of your security program, your organization can render many of the usual tricks employed by cybercriminals useless and ensure that it is taking a proactive approach to security to keep your brand out of the headlines for all of the wrong reasons.