Right up to bitter end, massive cyber attacks made waves in 2016. In the heart of holiday season, Yahoo presented us with a lump of coal instead of a gift: their December 14 announcement of yet another massive breach of user accounts was shocking for many reasons. The scale of the breach is alarming: more than a billion accounts were compromised, and the associated names, phone numbers, birth dates, security questions, and encrypted passwords are in the hands of an unauthorized third party, as confirmed by law enforcement. Moreover, the data was stolen in August 2013, which means that Yahoo failed to detect the breach for more than three years, and that unsuspecting users have been exposed to identity theft and further account compromise for the entire period.
This most recent incident holds the dubious distinction of being the largest known breach in the history of the Internet, and may finally seal Yahoo’s fate. It follows closely on the heels of Yahoo’s September breach announcement about a 2014 attack that resulted in 500,000 stolen user account records, which topped yet another breach in 2012 that affected 450,000 users. Yahoo had ample warning and time, but there is evidence that security was not a high enough priority at the company struggling to reinvent itself in the shadow of giants Google and Facebook.
Unfortunately for Yahoo, they may become a legendary cautionary tale. Their $4.8 billion dollar deal with Verizonwill likely be downsized, their reputation with customers and partners sullied, and their stock devalued. We’ve seen other massive breaches lead to a cascade of negative incidents: stolen credentials that were used on multiple sites and services can be used to commit identity thefts, account takeovers, bank fraud, and breaches at other organizations.
Being jolted by such a harsh reality check should spur us to learn from others’ lessons and take meaningful preventative measures. Based on comprehensive assessments of the threat landscape, Information Security Forum recommends that businesses focus on the following security topics in 2017:
- The Internet of Things (IoT) Adds Unmanaged Risks
- Crime Syndicates Take a Quantum Leap
- Government and Regulators Won’t Do It For You
- The Role of the End User – the Weakest or Strongest Link in the Security Chain
We’ve provided an overview for each of these areas below:
1. The IoT Adds Unmanaged Risks
Just as privacy has developed into a highly regulated discipline, the same will happen for data breaches sourced in the IoT environment. Fines for data breaches will increase. As more regulators wake up to the potential for insecure storage and processing of information, they will demand more transparency from organizations and impose even bigger fines. The European Commission has said it is planning to push industry governance measures to improve the security of internet connected devices such as cameras, set-top boxes and other consumer electronics, amidst increasing exploitation of such devices to carry out online attacks.
The IoT will also transform supply chain leaders' access to information, as well as the exposure of operations to cyber-risk. Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate information. Even the smallest supplier, or the slightest supply chain hiccup, can have dangerous impacts on your business. Brand management and brand reputation are subject to the successful security of your supply chain and thus both are constantly at stake. Businesses must focus fixes on the most vulnerable spots in their supply chain now, before hackers, or other cybercriminals, find their way in to disrupt your global distribution of goods and services.
When it comes to corporate communications, the primary way that many connected devices communicate is via the cloud. Organizations need to understand that putting private information into the cloud creates risk and must be understood and managed properly. Organizations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered across the globe. In moving their sensitive data to the cloud, all organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection. With increased legislation around data privacy, the rising threat of cyber theft and the simple requirement to be able to access your data when you need it, organizations need to know precisely to what extent they rely on cloud storage and computing.
2. Crime Syndicates Take a Quantum Leap
Criminal organizations will continue their ongoing development and become increasingly more sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime.
Organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide.Rogue governments will continue to exploit this situation and the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls. Emerging markets will be hit the hardest, particularly where newly connected organizations are novices with online security. This may also occur where the rule of law is weak and political structures are susceptible to co-option or corruption. Cooperation between governments and international organizations such as Interpol will be strained and appear feeble when faced by the challenges of safe havens for criminal organizations.
Legal grey areas will open up new market niches to organized crime. One of the most prominent markets will be for criminal groups who ‘hack back’ on behalf of legitimate organizations and who base their operations in countries with permissive legal environments. These groups will leverage ‘jurisdictional arbitrage’ to provide services to companies who have lost valuable data and are frustrated with the inability of law enforcement to cooperate internationally and deter expensive and embarrassing hacking incidents.
3. Government and Regulators Won’t Do It For You
In 2017, the number of data breaches will grow along with the volume of compromised records, becoming far more expensive for organizations of all sizes. Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Public opinion will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. International regulations will create new compliance headaches for organizations while doing little to deter attackers.
With reform on the horizon, organizations conducting business in Europe, or those planning to do so must get an immediate handle on what data they are collecting on European individuals. They should also know where is it coming from, what is it being used for, where and how is it being stored, who is responsible for it and who has access to it. The demands of the incoming EU General Data Protection Regulation and the Network Information Security Directive will present significant data management challenges to the unprepared with the potential for hefty fines for those who fail to demonstrate security by design and fall victim to cyber-attack or information loss.
4. The Role of the End User – The Weakest or Strongest Link in the Security Chain
In the coming year, organizations need to place a focus on shifting from promoting awareness of the security “problem” to creating solutions and embedding information security behaviors that aﬀect risk positively. The risks are real because people remain a ‘wild card’. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.
Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior and habits that become part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk.
A Continued Need to Engage with the Board
The role of the C-Suite has undergone significant transformation over the last decade. Public scrutiny of business leaders is at an all-time high, in part due to massive hacks and data breaches. It’s become increasingly clear in the last two years that in the event of a breach, the hacked organization will be blamed and held accountable. That means everyone in the C-suite is potentially on the chopping block.
The executive team sitting at the top of an organization has the clearest, broadest view. A serious, shared commitment to common values and strategies is at the heart of a good working relationship between the C-suite and the board. Without sincere, ongoing collaboration, complex challenges like cyber security will be unmanageable. Covering all the bases—defense, risk management, prevention, detection, remediation, and incident response—is better achieved when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives.
Given the rapid pace of business and technology, and the myriad elements beyond the C-suite’s control, traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect people.
Don’t Become a Legend for the Wrong Reason
In the face of Yahoo’s bad news—and many other high profile breaches around the world—it is hard to ignore the pervasive threat of cyber attacks and their cancerous consequences. Government agencies, democratic elections, critical infrastructure, multinational corporations, and high profile individuals have been targeted and damaged this year. Every kind of organization needs to be more aware of emerging threats, shifting attack vectors, and the latest strategies for defending against them. And every person, from the CEO to the cashier, should be held to a higher standard of security awareness and accountability. The Internet is a vital, shared resource—a reality that should be more ingrained in our corporate and civic culture.
Incidents will happened; it’s impossible to avoid every breach. But you can commit to building a mature, realistic, broad-based, collaborative approach to cyber security and resilience. Maturing your organization’s ability to detect intrusions quickly and respond expeditiously will be of the highest importance in 2017 and beyond.