Why do data breaches happen? The answer seems straightforward enough: An organization's physical or network security is compromised, enabling the theft of employee records and intellectual property. Moreover, events such as last winter's Target breach show how tough it has become for enterprise IT departments to fend off attacks, with attackers now looking for weaknesses even in HVAC systems. Plus, there's the risk of insiders either willfully or accidentally exposing assets to prying eyes.
Today's threat environment is certainly daunting. In its 2013 Blurring Boundaries report, Trend Micro TrendLabs researchers predicted that there would be one major data breach each month in 2014. If anything, that outlook was a bit conservative. According to the Identity Theft Resource Center's statistics, there have been 411 data breaches this year through July 22, exposing more than 11 million records. While not all incidents may qualify as "major" – many did not affect a single record – they covered every sector from healthcare to government, and together they represented a 21 percent increase from a year ago.
Complacency makes defense difficult
This rise should be an opportunity for enterprises to think about why they have been, or might get, breached. It's not as simple as cybercriminals improving their methods, even if there is a kernel of truth in the idea that the attacker has the initiative and therefore the advantage. Many security teams have become complacent, to the point that they don't even know whether the organization has been breached. Such was the case with eBay, whose systems were broken into in early 2014 but which didn't discover the breach until that May.
Complacency can take many forms, including but not limited to:
- Feeling that the company is too big or too small to be in danger: Big breaches (Target, eBay) confirm that even huge operations need risk mitigation, while the insider threat can hit an organization of any size. Loudhouse research from 2013 found that more than half of security incidents involved a worker, former employee or contractor. With even small businesses dependent on supply chains, the ingredients are there for a breach.
- Not investing in endpoint security and cyberinsurance: Executives may pay lip service to protecting customer data and company reputation. However, more than one-fifth of respondents to a 2014 EisnerAmper survey reported that their organizations lacked an enterprise risk management program, which could help in responding to a breach. The C-level suite, rather than IT, still takes on too much of the responsibility for responding to technical crises. Enterprises also court risk by not specifically insuring data – courts generally don't consider it property, and it may not be covered by general liability policies.
- Not vetting suppliers and failing to assign proper responsibility: Companies are heavily reliant on vendors and partners for credit card processing, supplies and materials, infrastructure maintenance and consulting. Amid the growth of this ecosystem, leaders may assume that a breach caused by a contractor is not on them, despite their likely need to provide credit monitoring after such an event. This mindset can lead to the insufficient vetting of suppliers and the creation of weaknesses throughout the supply chain.
Complacency by the numbers
Overall, complacency leads enterprises to believe that what they're currently doing is enough. Traditional tools such as antivirus and firewalls, while important components of any defense, are wrongly seen as sufficient safeguards against targeted attacks and advanced persistent threats. These risks require new approaches to security that emphasize monitoring for early detection and threat removal, but teams have been slow to adopt them:
- A 2013 Quocirca report sponsored by Trend Micro discovered that 58 percent of the 300 enterprises surveyed had come across previously undetected malware on their networks.
- Among organizations with 2,500 to 5,000 employees, fewer than 30 percent had deployed solutions for targeted attacks. Of those with 5,000 or more, only 41 percent had done so.
- IT Governance's Boardroom Cyber Watch 2014 study, which surveyed 240 IT decision-makers, revealed that 36 percent of them felt that their companies had suffered an undetected cyberattack within the past year.
Complacency has technical and procedural consequences for enterprise security. Stakeholders, feeling safe, may not invest enough in endpoint security, while their processes for identifying, reporting and addressing breaches may fail to account for the scope of their organizations' operations as well as the advanced, furtive character of current malware.
"The high level of complacency, compared to the high level of uncertainty over whether or not an organization has been breached, shows that in many cases, the organizations' belief that they are secure against attack is likely to be unfounded," stated Alan Calder, founder of IT Governance, according to SC Magazine.
Monitoring the network and breaking the complacency spell
Security teams face major hurdles in keeping APT "dwell time" (the amount of time that malware lingers on the network without being found) to a minimum and in using continuous monitoring tools to keep tabs on a variety of potential risks. The introduction of many new endpoints into the enterprise – especially smartphones and tablets – and the widespread focus on data analytics for making sense of customer and product information also mean that organizations deal with far more network activity than ever before.
The challenge of preventing data breaches is multi-faceted. In addition to record levels of network activity behind the scenes, there are vulnerabilities that extend all the way to the end user, such as inadequately secured point-of-sale terminals. BitSight observed that even in the wake of the 2013 Target breach, retailers in particular continue to put customers who pay with credit cards at risk.
Indeed, antiquated magnetic stripe technology continues to cause headaches for businesses. As payment methods and network design evolve, organizations will get a welcome boost to their security efforts, but the onus is still on them to institute and execute a cybersecurity strategy that addresses cutting-edge threats. With APTs and targeted attacks taking off, teams must keep pace by using dedicated security software that supplements and extends the capabilities of existing infrastructure.