Alan Platt, COO of CyberHive, explains how a string of high-profile incidents should prompt major companies to accept the inevitability of breaches, stop obsessing only about border security and protect themselves with rapid detection using new technologies such as cryptographically secured whitelisting.
When a well-resourced company such as the Marriott International hotel chain has 500 million customer records compromised, you know that standard cyber defences are failing somewhere.
The attack last November was one of a stream of incidents involving big-name companies that had protected themselves with what they thought were the best cyber defences available. The list includes such high-profile names as Ticketmaster, Under Armour, British Airways, Dixons Carphone and T-Mobile. All these companies have big IT budgets and must have invested substantially in advanced firewalls, sophisticated anti-virus technology (AV) and two-factor authentication.
Yet still they were breached and, frankly, humiliated. With virtually every type of business dependent to some extent on technology, cyber criminals are increasingly targeting companies that would not normally think of themselves as technology experts. Data breaches are not just a threat to financial and technology companies – every organisation needs to consider just how large the risk is.
Can anyone seriously believe conventional security alone will protect their company?
These incidents would strongly suggest that conventional defences are no longer adequate against the rapidly expanding expertise of cyber criminals. Hacking groups, whether they are activists, arm's-length agencies of unfriendly governments or gangs of criminals, have become far more accomplished. Not only are they devising new malware on a massive scale, they are constantly honing their methods of delivery.
Conventional security such as AV and firewall technology cannot cope with this deluge of threats. AV will work against basic attacks but is incapable of defending an organisation’s data from the increasingly sophisticated and bespoke attacks launched hourly by criminals.
Security experts G Data calculate a new malware variant is created by hackers once every 4.2 seconds. These new types of malware are too numerous to be assigned the “signatures” on which the anti-virus industry depends. Without the ability to recognise the signature, AV cannot block viruses at a company’s cyber perimeter. As soon as the AV industry identifies and blocks one type of attack, the hackers have moved on.
It is folly for companies to rely on their staff to protect them
Unfortunately, human frailty only adds to the vulnerability of organisations. Most cyber-attacks originate from human errors within an organisation; they are not simply a question of clever coding. An employee may open a malware-laden phishing email, having been fooled by clever social engineering that makes a document with a malicious link seem familiar and convincing.
It is now relatively easy for criminals to infiltrate supply chains and replicate invoices and other routine business documents that dupe even the most senior executives.
Infiltration takes a human form as well. Criminals can suborn employees in data centres to insert unauthorised software on servers that may go undetected for months, all the while siphoning off valuable information.
Breaching is inevitable
Unfortunately, it is now not a question of if companies will be breached, but when, which makes the need to act fast utterly crucial.
Ponemon, in their 2018 Cost of a Data Breach Study, point out that a breach detected within 100 days costs on average $1 million less than one that takes longer to find and remediate. The average cost of breaches also went up by more than six per cent over the year to $3.86 million. Given that the EU GDPR legislation is now in place, the potential cost of hacks and data breaches is huge, quite apart from the longer-term reputational damage.
Ponemon also used Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics to assess the effectiveness of an organisation’s incident response and containment processes. It took an average of 197 days to identify a data breach and 69 days to contain it. The previous year’s MTTI and MTTC figures were 168 and 67 days respectively.
These are very long periods of time for malicious software or code to be working away inside a major organisation’s systems. In the Marriott breach, the hackers gained illegal entry to the chain’s Starwood reservation system in 2014. The company may somewhere along the line have lost its encryption keys – which, if true, demonstrates that encryption is only as good as the processes and people that implemented it.
Detect breaches in seconds, not days and months
If the MTTI were reduced to a few days, the costs of a cyber breach could be massively reduced. But imagine reducing it to mere seconds, as is now possible, if board-level decision-makers and their security professionals change their approach.
Rather than believing they can defend all data at the perimeter, they should be mindful of the reality that mistakes can – and will – happen. The most astute businesses are adopting new technology that combines hardware-based cryptography with whitelisting. This shifts the emphasis from defending against known external threats to identifying attacks rapidly, enabling swift action to defeat them before they inflict damage.
This slashes the time to detect any unauthorised software on a server to just seconds, whether data is held in the cloud or on-premises.
It is a technology that uses the power and integrity of the chips found on the motherboards of every server. Solutions built on this technology check the status of servers every few seconds. This protects servers from all illicit activity with a speed and accuracy that is impossible with conventional technology.
Impervious to hacking, the combination of hardware-based cryptography and whitelisting ensures that no person or organisation can interfere with servers, falsify verification data or bypass server security. This technique even offers protection against insider attack by eliminating any single point of human weakness.
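The idea of a cryptographically protected whitelist, shown as an added example that is not CyberHive's code: a list of approved file hashes is authenticated with an HMAC, so both unapproved software and an edited list are detected. The in-memory key is an assumption standing in for a key held in the server's hardware, and the file names and contents are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def walk(root):
    """Yield (relative_path, sha256) for every file under root."""
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            yield os.path.relpath(p, root), sha256_file(p)

def tag(entries, key):
    """HMAC over the canonical JSON form of the whitelist entries."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_whitelist(root, key):
    entries = dict(walk(root))
    return {"entries": entries, "tag": tag(entries, key)}

def check(root, wl, key):
    """Return sorted findings; an empty list means the server matches the whitelist."""
    if not hmac.compare_digest(tag(wl["entries"], key), wl["tag"]):
        return [("whitelist", "TAMPERED")]  # never trust a list that fails authentication
    current = dict(walk(root))
    findings = []
    for rel, digest in current.items():
        if rel not in wl["entries"]:
            findings.append((rel, "UNAUTHORISED"))
        elif digest != wl["entries"][rel]:
            findings.append((rel, "MODIFIED"))
    findings += [(rel, "MISSING") for rel in wl["entries"] if rel not in current]
    return sorted(findings)

def demo():
    key = b"constructed-demo-key"  # assumption: stand-in for a key held in server hardware
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        put("app.bin", b"release-1"); put("lib.so", b"release-1")
        wl = build_whitelist(root, key)
        clean = check(root, wl, key)
        put("extra.bin", b"not approved"); put("lib.so", b"patched")
        dirty = check(root, wl, key)
        # The list rewritten to match the new files, but without the key to re-tag it.
        forged = {"entries": dict(walk(root)), "tag": wl["tag"]}
        return clean, dirty, check(root, forged, key)
```

Running `check` on a short interval corresponds to the every-few-seconds status check the article describes; without the authentication step, anyone able to edit the list could approve their own files.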
It may have a beguiling simplicity, but it works and is the most effective way for businesses to protect themselves from the explosion in malware and the increased cunning and scale of cyber-attacks.
Innovation needs to come from the top
Of course, in cyber security there is never one magic bullet. Staff training and the retention of a defence-in-depth approach using anti-virus and associated technologies remain important. One factor common to many of the companies breached last year is that they are not technology-driven organisations. Companies that share this similarity should be taking cyber security more seriously at board level.
If organisations of this size and type have not recruited someone with extensive technical knowledge of cyber security to their executive team, then they need to do so urgently. It is time to stop delegating responsibility.
What all major organisations need is an entirely fresh approach that recognises the inevitability of being breached, has the technology to detect it within seconds rather than days, and is ready to make cyber security a genuinely board-level issue. Then they will avoid huge fines and costs and the humiliation of being added to the list of brands whose customers have had their details stolen.