The Nasstarian
Breaches Galore Tell Us No Organisation is Safe, But a Few Simple Steps Can Build Resilience

In opinion / By Phil Muncaster / 02 August 2017

Even in the crazy world of cybersecurity, the past few weeks have seen a remarkable glut of data breach stories hit the headlines. Taken together they point out a few consistent truths about the threats facing firms today: namely, that they can come from anywhere and hit organisations of all shapes and sizes. But before you despair, there are things that all firms can do to make themselves a less attractive target for hackers, and more resilient to insider threats. With major new European data protection laws less than a year away, there’s no time to delay.

From bad to worse

The incidents we’ve seen over the past fortnight comprise a collection of cautionary tales of which Aesop would be proud. First there’s Newcastle City Council, where an errant employee sent the details of thousands of children and their adoptive parents to over 70 strangers after attaching a spreadsheet to a group email in error. It’s a classic example of the damage that can be caused by negligent insiders. Something more deliberate happened at Bupa, where a malicious insider stole health insurance details related to over half a million people and was promptly fired.

The list goes on. A simple configuration error at publishing giant Dow Jones led to an Amazon Web Services (AWS) S3 bucket being exposed to anyone with an AWS account; that’s over a million users. That file repository is said to have contained personal and financial details related to possibly as many as four million customer accounts. A similar thing happened at Verizon, where a third-party contractor error exposed names, addresses and account details, which researchers claim could have impacted up to 14 million customers.
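The Dow Jones error described above, a bucket readable by any AWS account holder rather than by the public at large, corresponds to an S3 access control list that grants READ to the AuthenticatedUsers group. The following audit helper is an added example, not code from the article or from Nasstar: it walks an ACL in the shape boto3's get_bucket_acl returns and a bucket policy document, and flags grants to the AuthenticatedUsers and AllUsers group URIs or to a wildcard principal. The two ACLs and the policy below are constructed sample documents; the owner ID is a placeholder, and the "corrected" ACL is simply the owner-only default, not a record of what Dow Jones actually changed.

```python
"""
Audit S3 bucket ACL and policy documents for grants that expose a bucket to
every AWS account holder or to the whole internet. The sample documents at
the bottom are constructed for this example.
"""

# Canned group URIs S3 uses for "anyone with an AWS account" and
# "everyone, no account needed". These two URIs are real AWS identifiers.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

RISKY_GROUPS = {
    AUTHENTICATED_USERS: "any AWS account holder",
    ALL_USERS: "anyone on the internet",
}


def audit_bucket_acl(acl):
    """Return (permission, audience) pairs for every over-broad group grant."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are scoped to a single account
        audience = RISKY_GROUPS.get(grantee.get("URI"))
        if audience:
            findings.append((grant["Permission"], audience))
    return findings


def audit_bucket_policy(policy):
    """Return the actions granted by Allow statements with a wildcard principal.

    A Condition block can narrow such a statement, but a wildcard principal is
    still worth a human look, so it is reported regardless of conditions.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if not wildcard:
            continue
        actions = stmt.get("Action", [])
        findings.extend([actions] if isinstance(actions, str) else actions)
    return findings


OWNER_ID = "EXAMPLE-OWNER-CANONICAL-ID"  # placeholder, not a real canonical ID
OWNER_GRANT = {
    "Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
    "Permission": "FULL_CONTROL",
}

# Constructed: owner plus a READ grant to every AWS account (the weak setting).
WEAK_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        OWNER_GRANT,
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# Constructed: the owner-only default (the corrected setting).
HARDENED_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT]}

# Constructed: a bucket policy that lets anyone fetch objects.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}

if __name__ == "__main__":
    for name, acl in (("weak ACL", WEAK_ACL), ("hardened ACL", HARDENED_ACL)):
        print(name, "->", audit_bucket_acl(acl) or "no over-broad grants")
    print("weak policy ->", audit_bucket_policy(WEAK_POLICY))
```

In a live account the same two functions can be fed the output of boto3's `get_bucket_acl` and `get_bucket_policy` (the latter returns the policy as a JSON string that needs `json.loads` first) for every bucket in `list_buckets`, which turns the one-off check into the kind of regular third-party and internal audit the article calls for.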

Securing third party contractors, partners and other entities is becoming increasingly challenging for IT bosses, compounded by the fact that hackers view these companies as a poorly defended “stepping stone” into target organisations. That’s what happened at Italian banking giant UniCredit, where attackers gained unauthorised access to personal and loan data from 400,000 customers via a third party.

The management of outsourcing contracts has come under serious scrutiny in Sweden, where the government is in danger of collapsing after a botched deal which might have exposed highly sensitive data to foreign spies. A 2015 Swedish Transport Agency (STA) agreement with IBM ignored security service warnings and necessary security checks, as the government looked to accelerate the deal for financial reasons. This meant outsourced workers in countries like Romania, the Czech Republic and Serbia – which is suspected of sharing intelligence with Russia – were allowed to view key documents. These included data on military vehicles, photos and home addresses of Air Force pilots, police suspects, elite SAS-style operatives and those in witness protection schemes.

Look inside

These incidents tell us several things about modern security threats. On the one hand, they can happen to organisations of all sizes, and in any sector. They also tend to stem from insider negligence or policy failure at the breached organisation or its partners. That seems to run counter to the perception often given in the media that shadowy cyber-criminals and state-sponsored hackers are the number one threat to firms. But it’s true: of 874 incidents studied by the Ponemon Institute for its 2016 Cost of Insider Threats report, 598 were caused by employee or contractor negligence; 191 by malicious employees and criminals; and 85 by imposters using stolen credentials.

Now for the really bad news. Insider-related incidents cost on average $4.3m (£3.3m) for the affected organisation, according to that same study. Breaches can in fact end up costing a lot more. TalkTalk admitted a 2015 breach that came about as a result of a hacker exploiting a simple SQLi flaw has cost it £60m and counting. The coming European General Data Protection Regulation (GDPR) will up those potential costs significantly, with maximum fines for non-compliance of €20m (£18m) or 4% of global annual turnover, whichever is higher.

If the examples above weren’t enough to convince you, here are some more official stats. In the US, reported data breaches hit a half-year record high recently of 791, a 29% increase on 2016 figures during the first six months of the year, according to the Identity Theft Resource Center. In the UK, meanwhile, a recent government report claimed that 65% of large firms have detected a security breach or cyber attack over the past year, with a quarter spotting at least one a month. The true scale of the problem is likely to be even greater.

A way forward

The good news is that following industry best practices will set your organisation up pretty well to withstand the worst cyber threats. The key is to maximise resilience against breaches and ensure you have the right monitoring capabilities in place to spot any further incidents as early on as possible. The longer it takes, the more damage could be done. Certainly don’t try to hush up major security incidents as the Swedish government tried to. The truth will out in the end and cause way more PR damage, as well as lead to potentially huge GDPR fines.

Frameworks and accreditation schemes such as ISO 27001, NIST and the UK government’s Cyber Essentials initiative can also help organisations implement a baseline of good security practices on which to build.

Consider the following:

  • Anti-malware security at endpoint, network, gateway and server layers
  • Tight access controls (multi-factor authentication) and “least privilege” policy
  • Comprehensive user education programme, communicated regularly to all staff
  • Incident response plan, regularly tested
  • Regular patching
  • Strong data encryption at rest and in transit
  • Regular off-site back-ups
  • Apply the same standards to third parties and regularly audit their controls
  • Continuous network monitoring and pen testing

Defence in depth is the future

Nasstar has many layers of security protecting its hosted platforms, but it is crucial that its clients create a cyber-savvy culture within their own organisations. That comes from the top down, and it spreads via effective training and regular updates to ensure best practice is always front of mind for staff.

That’s why as a managed service provider, Nasstar puts a major focus on education and training – of our own staff and those of our clients, in things like Cyber Essentials. Security is present at every layer of our organisation, and it can be in yours too. Contact us today for more information.

Phil Muncaster
Phil is an internationally known technology writer, having regularly written for The Register, InfoSecurity and IT Week on the subject of technology, IT and security.