2015 was a bumper year for data breaches, with 475 million records stolen across the 200 most severe hacks. TalkTalk, Ashley Madison, Carphone Warehouse, Rakuten and LINE Corp all hit the headlines for high-profile data breaches. Most hacks don’t make the news, but with a whopping 30,000 websites being attacked every day, it’s imperative that the level of security assurance in your organisation is sufficient to mitigate the risks.
Cast your mind back to 2015! The United States Office of Personnel Management (OPM) hack is a good example of where the level of security assurance was not sufficient to prevent a data breach. The OPM, an independent agency responsible for managing the United States federal government civil service, discovered a data breach while upgrading its security detection and monitoring systems. Although OPM was aware of an earlier breach suffered by KeyPoint Government Solutions, a US government investigation service provider, which had compromised the personal information of federal employees, it did not realise at the time that KeyPoint’s security credentials had also been stolen. A second breach was later discovered, in which computer systems containing personal information of former, current and prospective federal employees, and in some instances their partners and spouses, were compromised.
Further investigation concluded that the background-check records of 21.5 million individuals were affected, including 5.6 million fingerprint records.
This case highlights a number of weaknesses that attackers can exploit. OPM didn’t detect the breach until months after it had occurred, because of a slow uptake of up-to-date detection and monitoring systems. OPM’s Director, Katherine Archuleta, told a government committee that Social Security numbers were not encrypted because the networks were “too old”, highlighting the need to prioritise updating systems for their security benefit. Additionally, the data security of third-party providers becomes a concern when access credentials are shared outside the organisation, as with OPM and KeyPoint.
A large data breach creates the need for a thorough investigation, which interrupts regular business. It can harm relationships with clients and providers, who trusted the robustness of your security. It can harm an organisation’s brand and industry reputation, and sour deals that are still in the works. And on top of that, it will still require the same system security upgrade that could have prevented the breach if it had been prioritised earlier.
In the last 12 months, three quarters of large organisations in the UK suffered data breaches due to staff, 58% more than the previous year. Most of these are due to poor understanding of security issues, lack of instituted protocol, or lack of awareness of protocol. While disgruntled employees or ex-employees are a potential security risk, accidental exposure is more common. When asked about the cause of the single worst security breach in the last year, 50% of UK organisations blamed inadvertent human error.
The way to mitigate the risk that comes with employee access is to keep a clear, auditable trail of all access to company systems, so that every login and permission change can be traced back to a named individual.
Every data breach brings both financial and reputational loss, with the average cost of a data breach in the UK being £3.6 million, and the reputational damage bringing more long-lasting consequences. The TalkTalk data breach in October is already believed to have cost the firm in excess of £35 million, from the initial incident response expense, additional IT and technology costs and lost sales.
Personal reputations can also be put on the line following a breach, with CEOs and CIOs having to justify their decisions as they are quizzed on what went wrong and why they weren’t prepared. The fallout from the incident brings a long-term financial cost, as customers lose faith and the Information Commissioner metes out fines.
There is often debate as to which department is responsible when it comes to data breaches, and which budget will foot the bill in dealing with the fallout of a data breach. As it is an issue involving the computer infrastructure, it’s often seen as the responsibility of IT, but it is an issue of security and a threat to the business, which normally resides within operations or loss prevention. Ultimately, it is usually the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) who must take ownership of data breach prevention, as it often takes executive decisions to be proactive and co-ordinate activity over different departments.
With 65% of the causes of data breaches being due to poor authentication practices, a strong Identity & Access Management strategy is crucial in mitigating a huge proportion of the risk.
Identity and Access Management is at the heart of corporate security – ensuring the right people have access to the right systems at the right time. It meets the needs of the end-user, who wants convenience and ease of use, while satisfying corporate demand for governance and control. Automated provisioning enables quick on-boarding and ceasing of access when employees leave. Single Sign-On (SSO) allows employees to log in once, and access all of their systems.
True SSO can be difficult to achieve: to be totally robust, it must cover remote access, access via mobile devices, access to web applications and legacy systems. Very few single products are able to integrate so universally, because they need to adapt to different environments and complex system architectures and, crucially, work with both new cloud apps and old legacy systems. It’s essential that the IAM solution you choose has this coverage, as an IAM solution with gaps can create more problems than it solves.
With a good IAM solution in place, this centralised control of system access not only eliminates the problem of weak password practices by users, which guards against data breaches, but also allows the organisation to track and monitor access to systems, helping to identify the source of a breach.
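The automated leaver deprovisioning and auditable access trail described above can be illustrated with a small reconciliation check. The following is an added example written for this page, not code from any IAM product; the HR roster and account inventory are constructed sample data, and the `reconcile`, `active_accounts` and `run_demo` names are this example’s own. It disables every account whose owner has left, flags accounts with no matching employee record (such as a shared third-party credential), and writes each action as an audit line.

```python
import copy
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample HR roster: employee id -> (name, leaving date or None).
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "e001": ("Alice", None),
    "e002": ("Bob", date(2015, 11, 30)),   # left at the end of November
    "e003": ("Carol", date(2016, 3, 31)),  # leaving in the future, still employed
}

# Constructed sample account inventory pulled from several systems.
ACCOUNTS: List[dict] = [
    {"system": "crm",       "username": "alice",         "owner": "e001", "active": True},
    {"system": "crm",       "username": "bob",           "owner": "e002", "active": True},
    {"system": "hr_portal", "username": "bob.smith",     "owner": "e002", "active": True},
    {"system": "vpn",       "username": "vendor-shared", "owner": None,   "active": True},  # shared third-party credential
    {"system": "crm",       "username": "carol",         "owner": "e003", "active": True},
    {"system": "legacy",    "username": "dave",          "owner": "e999", "active": True},  # no HR record at all
]


@dataclass(frozen=True)
class AuditEvent:
    when: date
    action: str      # "disable" or "flag_orphan"
    system: str
    username: str
    reason: str

    def line(self) -> str:
        """One line suitable for an append-only audit log."""
        return f"{self.when.isoformat()} {self.action} {self.system}/{self.username}: {self.reason}"


def reconcile(roster, accounts, today: date) -> List[AuditEvent]:
    """Disable accounts whose owner has left and flag accounts with no owner.

    Accounts are mutated in place; the returned events form the audit trail.
    """
    events: List[AuditEvent] = []
    for acct in accounts:
        if not acct["active"]:
            continue
        owner = acct["owner"]
        if owner is None or owner not in roster:
            # Nobody in HR owns this account: it needs a human review, not silent deletion.
            events.append(AuditEvent(today, "flag_orphan", acct["system"], acct["username"],
                                     "no matching employee record"))
            continue
        _name, leaving = roster[owner]
        if leaving is not None and leaving <= today:
            acct["active"] = False
            events.append(AuditEvent(today, "disable", acct["system"], acct["username"],
                                     f"owner {owner} left on {leaving.isoformat()}"))
    return events


def active_accounts(accounts) -> Dict[str, List[str]]:
    """Per-system view of who still has access, for a periodic access review."""
    out: Dict[str, List[str]] = {}
    for acct in accounts:
        if acct["active"]:
            out.setdefault(acct["system"], []).append(acct["username"])
    return out


def run_demo(today_iso: str = "2015-12-01"):
    """Run the leaver check against a copy of the sample data; returns (events, accounts)."""
    accounts = copy.deepcopy(ACCOUNTS)
    events = reconcile(HR_ROSTER, accounts, date.fromisoformat(today_iso))
    return events, accounts


if __name__ == "__main__":
    evts, accts = run_demo()
    for e in evts:
        print(e.line())
    print(active_accounts(accts))
```

Run on 1 December 2015 the check disables both of Bob’s accounts, leaves Carol’s in place until her leaving date passes, and flags the shared VPN credential and the unowned legacy account for review rather than removing them, since an orphaned account is exactly the kind of shared third-party access the OPM case illustrates.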