Breach Prevention: 5 Lessons LearnedSetting Priorities Based on 2014's Top Breaches
"2014 was a tipping point for cybersecurity," says Kennet Westby, co-founder and president of cyber-risk management firm Coalfire. Attacks were "more widespread and costly than any we've seen before."
Here are five breach prevention tips based on the lessons learned from 2014's major data breaches.
1. Manage Threats from Top Down
The high-profile data breaches of 2014 have helped to raise awareness among senior executives and board members of cyberthreats and the need for them to be managed from the top down, Westby says.
"This is new," he says. "We used to get a few dozen calls a year for cybersecurity management from an IT director or mid-level manager, and we had to fight an uphill battle to get attention from the top. Now we're hearing from board members and CEOs."
One catalyst for that rise in awareness among senior executives was Target's corporate restructuring following the company's breach, which impacted 40 million payment card numbers and the personal details of 70 million customers (see: 7 Lessons from Target's Breach). Gregg Steinhafel resigned as Target's chairman, president and CEO. Following his departure, the retailer made several high-profile hires, including tapping former PepsiCo executive Brian Cornell as new CEO and Jacquelin Hourigan Rice as senior vice president and chief risk and compliance officer, reporting directly to the CEO.
Target's hires could inspire other companies to restructure their organization charts to give more authority to the executive in charge of data protection, says Francoise Gilbert, founder and managing director of the IT Law Group. "If companies can follow the leadership of Target and, on their own terms and with their own budget, pay more attention to the protection of personal information and company data, they will quickly see the return on their investment," she says.
Boards and the C-suite need to look at cybersecurity as a continuous risk management function, Westby explains. "Understand what compliance measures need to be taken to achieve a basic level of security," he says. "[Then], determine what steps need to be taken for ongoing planning and testing."
In addition, having proper cyberthreat management requires the C-suite to create a culture of security within an organization, says Neal O'Farrell, executive director of the Identity Theft Council. "My No. 1 piece of advice is that vocal paranoia is vital," he says. "Worry and stress about security all the time, and talk about it constantly. That's the best chance you have for creating that culture of security that's so critical to avoiding the predictable and avoidable mistakes."
2. Ramp Up Employee Training
Mistakes made by employees are a common cause of major breaches and point to the need for ramped-up security training for all users, says Michael Bruemmer, vice president of Experian Data Breach Resolution.
"In 2014, we serviced just over 3,100 data breach incidents," he says. "About 80 percent of the root causes that were documented came from employee negligence." The No. 1 cause, Bruemmer says, was compromised administrative credentials that allowed for easy access through organizations' cybersecurity defenses.
End users will continue to remain a weak link due to social engineering, phishing and credential compromise, says Julie Conroy, a security analyst at Aite Group. As a result, organizations need to invest in user training and also "run simulated phishing attacks to help users learn via real-world scenarios," she says.
Every individual with access to information assets should receive training as soon as possible once starting their job, privacy and security expert Rebecca Herold says. In addition, they should receive security reminders and tips on an ongoing basis. "Otherwise their bad security habits will result in breaches," she says.
3. Monitor Third Parties
Third parties are often the source of a data breach, as major incidents last year demonstrated.
Home Depot's breach, which affected 56 million credit and debit card numbers, resulted from the compromise of a third-party vendor, a fact that is "eerily" similar to the circumstances of the Target breach, experts say. These incidents point to the need for ongoing third-party oversight, Herold says.
"Every organization contracting any type of entity to do work for them that has access to their information assets needs to ensure the entity has effective information security controls in place, and provide appropriate levels of ongoing oversight to the contracted entity to ensure they maintain appropriate levels of security controls," Herold says.
4. Establish Procedures for Security Updates
All organizations need to have documented procedures for implementing new and updated systems, applications and endpoints - and ensure that those procedures are carried out, Herold says, a lesson gleaned from the JPMorgan Chase breach.
In that incident, the breach likely started with a server the bank's security team overlooked when upgrading to two-factor authentication controls (see: Chase Attackers Exploited Basic Flaws).
"The Chase breach clearly shows how important, basic checks were overlooked during such upgrades," Herold says. "Were there any documented upgrade procedures in place? If yes, were they being followed? Was there a person or position given responsibility for overseeing them?"
5. Schedule Frequent Penetration Tests
Many large enterprises have sprawling IT infrastructures that have been cobbled together over time, which makes them difficult to secure, says Aite Group's Conroy. So it's important to hire penetration testers to review systems and their various endpoints for weaknesses.
"If you are not investing in white hat hackers to pen test your systems, this needs to be added to your plan, because if you are not proactively finding the weaknesses in your system, the bad guys will," she says.
And having systems penetration-tested once a year is not enough, Conroy warns. "We've seen time and time again that new development cycles lead to new gaps in security."