With an ever evolving regulatory landscape and with increasingly smart technology at our fingertips, it’s probably time we paused to examine the way we’re doing business. Just because it’s been done a certain way for years, it doesn't mean that’s still the right way. Businesses need to start seeing the bigger picture rather than forever playing catch-up, as so many are guilty of thus far. Breaking the cycle means analysing the threats that businesses can anticipate both now and in the coming months and years, and determining the smartest solution for them.
It’s time for change, and real progress. This article examines how and why it’s coming, whether you like it or not, and how to make it work for your business.
The rate of cyber-attacks is ever-rising and the cyber criminals are only getting smarter. Most large businesses suffer around three cyber-attacks per year, yet only 15% will be open enough to talk about it. IBM Security recently surveyed over 700 C-suite executives and found that while 55% favoured more industry collaboration in the fight against cyber-crime, 68% were also reluctant to share incident information outside their own business. This reluctance to disclose attack details is both disturbing and dangerous, because it is only through reporting and sharing information that we will learn about cyber security and how best to defend ourselves. The hacking communities most definitely share tips and learnings with each other. The idea of the hacker being a hoodie-clad teenager in his mum's basement is just no longer relevant; these are structured organisations with infrastructures that most corporations would envy; functioning ‘businesses’ with extensive resources, support networks and teams of highly skilled technical staff who work within operating business hours.
There are thousands of companies suffering financial loss, disruption, and theft of intellectual property as a result of cyber-crime and it’s only going to get worse. Breaches are becoming ever more aggressive and damaging and aren’t just on Windows anymore; they’ve spread to smartphones, Macs and Linux platforms. A recent report by Symantec revealed that malware has evolved to become smarter and more targeted, increasing at an astounding rate with 430 million new variants discovered in 2015 alone. After Lincolnshire Council in the UK suffered a highly damaging cyber-attack, their CIO revealed that “it was a new piece of software that our anti-virus hadn’t seen before, so they’ve had to write new files to protect us.” This is of little comfort; the data has already been compromised, time and money wasted and the business in question will remain open to attack to the next new strain of virus that comes along. By not disclosing valuable information surrounding attacks, we are rendering ourselves powerless, potential victims in the cyber security debate and sphere, and opening ourselves up too larger and more damaging incidents in the future. According to the latest report from the Microsoft Digital Crimes Unit (DCU), Malware will cost the global economy $3 trillion in productivity and growth this year. While an estimated 3.3 million people in the United States are affected by consumer fraud with losses of more than $1.5 billion annually, according to DCU, Microsoft based on the information from the report since 2014 has received more than 180,000 reports of fraudulent tech support scams from customers around the world.
Most businesses have no idea how vulnerable to attack they are. The costliest breach to date is £3m – could your company survive that? If somebody hacked your systems and was able to steal all of your sensitive data because of your outdated security measures - how would you explain that to the shareholders and investors? PwC reported in 2015 that 82% of senior managers said that cyber security is a high priority for them, but only half have attempted to properly identify the cyber security risks faced by their organisation through health checks, audits or risk assessments, etc., and only 29% have formal written cyber security policies. How quickly would cyber security become a priority for your business if your network was breached and your CEO or MD had to appear on national news channels to explain why? 25% of all businesses detected one or more cyber security breach in the last 12 months and as time goes on, clients won’t appreciate companies who remain tight-lipped on topics that keep cropping up in scandalous front page news articles every week. The now infamous TalkTalk breach in the UK has cost the business 9,000 customers in the second quarter of 2016. This means that in total the attack has cost TalkTalk $53 (£42m or €47) although the real cost is more likely to be in the region of $76m (£60m or €67m) once increased communication with customers, more call centre staff and the obvious improvements to its online security are included.
So far it’s been problematic trying to get certain dinosaurs to change their ways and see just how fast the future is coming, and the change that needs to happen to survive in it. Heads of IT manually storing passwords for a whole company in a physical book or on a single spreadsheet (password protected or not) is ridiculous and cannot continue. Yet it’s something so many businesses today are guilty of. Perhaps even yours holds privileged access information on spreadsheets on the network, or allows an individual to hold them offline? Change is inevitable, but what happens then? How do you take back control of your critical information? Change needs to happen at every level, so businesses need to start looking at the bigger picture, and at bigger solutions.
What’s actually going to change & what you’ll need to manage...
With new rules and regulations emerging almost every day, compliance is finally catching up with the times and if you aren't already overseeing the necessary preparations, you need to start doing so today. Businesses who have thus far largely remained unaffected by data protection laws shouldn’t get cocky or complacent either because those businesses are going to find themselves struggling to keep above water very soon. The Payment Card Industry (PCI) Data Security Standard (DSS), for example. It was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS standards apply to all organisations that store, process, or transmit cardholder data and all affected organisations must be PCI compliant. Wallix provides support for PCI compliance with the Wallix AdminBastion (WAB) suite. It helps fulfil PCI audit requirements by recording all sessions created through the WAB in real time and providing a complete, granular audit trail. Investigators would be able to see the session as if it were live and determine if any mistakes or malicious activity occurred.
Compliance is now seen as a driver to managing a secure infrastructure, and the looming EU General Data Protection Regulation (GDPR) is a great example. The purpose of the GDPR is to give citizens back the control of their personal data and allow organisations to realise and reap the benefits of the digital era, but there will be grave consequences for businesses who don’t play by the new rules. These rules also come arm-in-arm with heavy financial penalties of up to €20m or 4% of annual worldwide turnover, whichever is greater.
It won’t just be the big brands we’ve seen so far in the media receiving those fines either; it will be small – and potentially devastated– businesses too. Boards and IT departments of all sizes should be paying careful attention because investors and stakeholders will soon be asking a lot of questions about security measures they’ll expect you to propose and put speedily into action. IT directors, and in fact, all senior management, should be familiarising themselves with the technical inner workings of the business and preparing to adapt to new ways of doing business, and fast. Every department will feel the impact. Even HR, for example, who are going to need to hire a Data Protection Officer (DPO) who understands how to handle data (including that used for marketing purposes) and ensures your compliance with GDPR’s Article 37.
“GDPR is a paradigm change in the way that data collection and use is regulated. We have moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world,” said Ross McKean, a partner at Olswang law firm, and you only have two years to get your house in order. “This is not a compliance or legal challenge; it is much more profound than that. Organisations will need to adopt entirely new behaviours in the way they collect and use personal information,” he said. If you didn’t care about compliance before, you certainly should now because soon, if (or indeed, when) a security breach occurs, a business that has failed to take the vital steps to protect the data won’t be receiving a slap on the wrist; their directors will be going to prison.
“Our passwords are failing us,” said Michael Barrett, PayPal’s Chief Security Officer. He’s not alone either, with President Obama recently announcing in a recent Wall Street Journal op-ed the launch of a new national awareness campaign to “encourage more Americans to move beyond passwords — adding an extra layer of security like a fingerprint or codes sent to your cell phone.”
Technology provides us with better ways to manage our key assets. The password as we know it may be dead - roughly 76% of all data breaches were enabled by weak credentialing and user authentication, according to the Verizon 2013 Data Breach Investigation Report – but passwords will always be required to manage the systems that deliver our data, irrespective of how you want to run your business. It will always be needed at an admin and system level to control data usage. Ensuring you have complete control and always know what is happening within your walls and systems is key.
Not to mention insider threats...
Some security experts think that the biggest threat to an organisation comes from these teams of highly organised and skilled cyber attackers, but they're overlooking the obvious. In fact, the CERT Insider Threat Database contains over 1000 incidents where insiders have either sabotaged their organisation, stolen information or modified or deleted data for the personal gain or identity theft. Potential threats could be lurking inside your perimeter, inside your building, or even across from your desk.
Ex-hacker & co-author (with Apple Computer co-founder Steve Wozniak) of 2011’s 'Ghost in the Wires: My Adventures as the World's Most Wanted Hacker', Kevin Mitnick said that: "Cyber-security is about people, processes and technology, and organisations need to bolster the weakest link - which invariably is the human element. It does not matter what security software you have installed, because it just takes one person in the targeted organisation to make a bad business decision, and "it's game over."
The cyber breaches covered by the press tend to be attacks from the outside; internal attacks are often never discovered (attackers sometimes have 200 days before being discovered), or if they are, are not reported. Lots of companies deal with the attacker by firing, disciplining, or tightening up security unless they’re obligated to report it to official channels. Yet the insider threat remains one of the most intractable in cyber security. You already have security and compliance programs in place. They’re probably even pretty impressive. However, every set of defences has its own set of weaknesses no matter how much time or money has gone into them, and the abuse of privileged access is always the weakness that stands out from the others – the five worst data breaches in recent years can all be attributed to privileged access exposure.
You need privileged users. You trust your people. But what if there is a problem? Who's watching them? What if a privileged user makes a mistake and accidentally renders a system insecure? That innocent mistake will still cost you. Worse still, what if a malicious or disgruntled employee with privileged user access goes rogue and decides to attack from within, for financial or vengeful reasons? It’s naïve to pretend it doesn’t happen, and foolish to ignore. Some of your privileged users – contractors and vendors, for example - may not even work for you. Who’s keeping tabs on them? Who’s watching the watchers? Who’s guarding the lockbox that contains the keys to all your systems and data repositories? If something goes wrong, you are going to need to know exactly who did what and figure out how to repair the damage.
A disgruntled employee (someone who’s just been fired or someone who is just suffering personal problems, for example) with administrative access to privileged systems that are key to the daily running of the business can be monitored, but this can become arduous when it’s impossible to know what their ends might be. There’s no hard and fast rule for spotting a hacker and early warning signs are easy to miss, especially in an otherwise talented and hardworking employee. Most companies can think of one grumbling employee perhaps with a grudge to bear, and such a character can easily go unnoticed enough in a busy work environment to cause irreparable damage. One incident saw an employee (a privileged user) remotely block access to systems within 30 minutes of being fired, and another saw a privileged user proceed to attack his ex-firm remotely for four months, deleting crucial files on servers, removing key backup disks and deleting numerous records from an important database used by various other systems. A careless or malicious employee can defeat the best security technology that money can buy, and several high profile cyber breaches in the last decade prove it. Take for example the infamous case of Gary Min, who worked as a research chemist for Dupont for 10 years and spent the following 10 in prison after his theft of $400 million dollars’ worth of electronic documents after deciding to take a job with a competitor in Asia. Sometimes, businesses leave themselves so exposed that people are even tempted into hacking through say, orphaned accounts. These are privileged user accounts that many companies forget to decommission when the privileged user moves to another job role or company, and which leave businesses wide open to attack.
Contractors & Third Parties...
Working with contractors and third party companies is a fact of business life. According to PwC, 81% of companies outsource part of their operations to an external service provider, and why not, when there are benefits to be gained in cost, agility and productivity? It carries immense risk however, and PwC also recently revealed that around 18% of major security breaches in 2015 were attributed to an external service provider. Indeed, there is an ever-growing list of examples of cyber-attacks that can be traced to third-party suppliers, perhaps the most famous being the Target breach in 2013, and the most recent being insider trading by hacking newswire services and fraudulent tax claims by the compromising of a third-party hosted US Internal Revenue Service website.
According to a Booz Allen Hamilton report, the majority of third-party risk incidents at an organisation are likely to occur in an existing relationship. Typically, companies will choose a supplier that is low-risk and put a lot of effort into establishing a relationship, but there is nothing in place to keep an eye on that level of risk or flag if it changes. Risk impact can be defined by a variety of metrics: loss of revenue, loss of company value, diminished brand equity and market share, increased cost of capital, higher insurance premiums and civil litigation from investors, shareholders, business partners and others. Low-risk suppliers can easily become high-risk over time. Poorly understood key indicators, difficulty in getting hold of relevant and timely information and poor relationship management, dedication and training mean that such supplier relationships are often under-managed.
BYOD (Bring Your Own Device) policies now predominate and analyst firm Osterman Research found that there are now twice as many personal devices such as iPhones or iPads in the workplace as corporate-issued tech. It allows people to work with the tools they're most comfortable with and increases productivity, and it's driving cultural change in IT departments because businesses are forced to do things outside of their comfort zone. BYOD is coming, so businesses need to get smarter about the security risks that come with it because remaining in control is essential.
An organisations' risk profile changes with the introduction of any new technology into the workplace. If Jean has her phone stolen whilst she’s on holiday in Hawaii, a thief just gained access inside your perimeter and up to 128GB of data, and even if she simply loses it, that's your data just lying unprotected somewhere. What’s worse is that only around a quarter of devices can be remotely wiped.
Other risks include:
- Lack of visibility when it comes to monitoring the activities of malicious imposters using mobile devices to attack your data.
- Inability to lock down devices that are not company-owned or controlled.
- Accidental non-compliance, e.g. an EU employee who travels across borders with personally identifiable data, violating EU Privacy Laws.
- Malware delivered by mobile devices remotely
- Malware used to hijack a mobile device that has remote access to confidential data and internal systems of records (the user might not even know that the phone is being hacked).
Another disturbing finding by Osterman Research was the overwhelming majority of businesses who, whether they are aware or not, are not insured specifically against cyber security breaches. Astoundingly, only 3 in 10 have policies that cover personally-owned devices and only 6 in 10 have policies that cover cloud computing.
There is still a lot of work to be done and businesses need to change their behaviour, and fast. Symantec’s 2016 Internet security Threat Report warned that cyber breaches are ever on the rise (with a 35% rise in crypto-ransomware attacks, to be specific). Extra firewalls, stronger passwords and staff training sessions are like using sticking plasters on a gaping wound; businesses across the globe need a comprehensive solution that offers complete protection. We continue to see a steady stream of cyber-attacks on firms that assume they have the best security yet still don't have a proper understanding of the possible impact on their business, or what they should do about it. Cyber-crime is evolving faster and faster every day, yet businesses have been slow to react. Many out of reluctance to embrace change. Only 17% of companies have sent their staff to some form of basic cyber security training in the last year, for example, according to a UK Government report. There’s also often a concern about ‘upsetting the apple cart’ of a friendly staff culture by imposing strict new rules and policing employees.
Companies do need to completely restructure to keep up with these changes. "The overall approach by organisations to information security needs to be strategic as well as operational, and different security initiatives should be prioritized, integrated and cross-referenced to ensure overall effectiveness,” says Alan Calder, CEO of IT Governance. Businesses should be preparations immediately and review business practices, from governance, control, organisation and processes, to sourcing and technology. According to PwC’s Stewart Room, you’re going to need a new compliance journey, a new transparency framework and a new enforcement, sanctions and remedies framework for starters. Yes, there will be a cultural change, but it’s for the better because it speeds up execution and processes and makes them more reliable. Unfortunately, there are always stick-in-the-muds who will want to continue doing things the ‘old’ way, but they’re not going to be around for much longer.
Businesses who want to survive and flourish need a Privileged Account Management (PAM) solution. PAM keeps organisations safe from accidental or deliberate abuse of privileged access, offering a secure, streamlined way to authorise and monitor all privileged users across all relevant systems. It allows you to access in real time and block or flag suspicious activity. You can grant privileges to users for specific systems, or only grant access at specific times and create a watertight audit trail of all privileged activity. You probably already have a PAM solution in place but it may not be the right for your business. They’re notoriously difficult to fully implement and some senior users often ignore them, leaving the business exposed to the very risks they are supposed to mitigate.
Wallix solves that problem with a PAM solution that is easy to deploy with a virtual or device platform. It’s a solution designed from day one to be ‘agent-less’ and unlike many other PAM solutions, WAB doesn’t force IT departments to install special software on every system where they are managing privileged user access (which can inhibit effective PAM for BYOD). Instead, Wallix provides the tools to make PAM a pervasive, enduring and consistent force in your security and compliance efforts.
WAB is all-seeing and lets businesses control, oversee, monitor and record administrator sessions across various systems, so you’ll always know who’s doing and looking at what. It protects them so that hackers can’t use exposed admin passwords to gain access to data, helps you to comply with new standards and builds a policy around your administrator accounts. So, if you’re audited during or after a security breach, you can rest assured that you won’t be losing millions or in any trouble with the EU Commission. It’s opportunity that hackers need, so don’t give it to them.
There’s a better way of doing business now, so everyone should be embracing change. It should be viewed for what it is: a golden opportunity to get ahead of the game and to at the forefront of your industry.