The world is currently experiencing constant change. The phrase ‘unprecedented times’ has been said so often in the last few months that it is already becoming somewhat cliché. Amidst the economic and social uncertainty unleashed by the pandemic and the forced changes to personal lives and professional operations, data breaches continue to occur time and time again.
If anything, the current pandemic has exposed existing vulnerabilities in systems and created new cybersecurity dangers as workforces connect to corporate networks remotely, share data and access applications in the cloud. However, it would be naïve to think that one data breach is the same as another. Every data breach is unique, notably in its size.
The year of micro-breaches
Many observers who follow conversations on data and information security see 2020 as the year of the micro-breach and talk of it as a new, fresh threat for businesses to be aware of. Yet micro-breaches are hardly new. As far back as 2010, cybersecurity leaders have spoken about the prevalence of micro-breaches.
And, in my view, almost all data breaches start as micro-breaches – a smaller breach that compounds in its impact given the increasing complexity of our IT infrastructures. Malicious actors don’t typically get at terabytes of information all at once. Attackers are looking for a credential source – a single user’s authentication information, such as a password.
A single stolen credential enables a hacker to gain access and then use unpatched vulnerabilities or poor security configurations to escalate privileges within a system, infiltrate more servers and gain access to a hierarchy of data. If that purloined credential opens enough doors, the micro-breach, i.e. the theft of a credential, becomes a macro-breach that makes headlines around the globe.
If micro-breaches are on the rise, that is only because the “attack surface” has grown – the number of devices or access points that grant permissions to the network and that, without proper physical security, may inadvertently give access to an organisation’s core IT systems through a small breach.
These kinds of trend stories serve as a reminder that good security hygiene is about staying focused on the things that really matter. A sensible approach to cybersecurity boils down to the same three key elements – all the time:
- building and maintaining the enterprise’s digital defenses by planning and budgeting a company’s resources and investments;
- adequate testing and planning;
- maintaining a current, vetted “trust” relationship used to authenticate users and devices and only then granting the minimal required access to your business network.
If there’s a “trend” story, it’s that my second and third points, especially, need to keep up with today’s increasingly malicious digital world.
But first, there’s the funding point. How much is enough to avoid being the subject of the latest headline? While there’s no hard and fast rule governing security funding, failing to invest a sizable proportion of budget, say 8 to 10 percent of the overall IT budget, can seriously damage an organisation’s ability to counteract malicious, would-be fraudsters.
Testing and planning – the second pillar of good security hygiene – is happening inside most enterprises these days. That’s the good news. Businesses, however, need to take the next step. The way the typical company gauges risk is an audit. Depending on how diligent that company is, it may sample a few assets and processes on a quarterly, six-month or perhaps annual cycle. The risk posture arrived at by such audit processes is a point-in-time snapshot, based only on small samples.
Companies need a more real-time picture of their risk. That involves adding instrumentation to a business’s controls so that a much larger proportion of its systems and processes are covered by network monitoring in real time. This is a shift from a point-in-time compliance assessment philosophy to a continuous compliance regime.
Companies also need to do more to shore up against threats from their own employees. Basic cybersecurity training should be compulsory. Even the simple act of holding a door to secure premises open for someone walking behind you can undermine the very best security procedures. Everyone from the CEO to the interns needs a basic understanding of security.
Planning is similarly a mixed bag. Companies generally have protocols in place for documenting and reacting to anomalies when they occur. Regulators and accreditors require businesses to have these security plans in place. The best among us, though, go the extra mile with war game-like exercises or sponsored hackathons to test their defenses.
Few companies, however, have a plan in place to recover from a breach. Understandably, companies are focused on technologies that protect their data. But organisations need to know that it is just a matter of time before they’re attacked, and they will be attacked. They must therefore assume some of those attacks will succeed. If they understand this, then organisations will start investing in the necessary disaster recovery side as well. Just a reboot of a system and no other security changes will leave that business susceptible to copy-cat cyber-attacks in the future.
It is important to have a more rigorous approach for managing trust relationships – the third pillar of adequate cybersecurity preparations. The trust relationship is how any organisation grants access to its network and determines what is in-bounds and what is out-of-bounds. The best strategy to prevent micro-breaches is the same as that for stopping macro-breaches — look very closely at your trust relationships and restructure them for today’s world.
At the very least, a company needs a way of segmenting its ecosystem – “micro-segmenting,” one might call it. Privileged access management systems should be used to limit people’s access to only what they need and to oversee what they are actually doing with those privileges. An organisation must exert rigorous management over all of its privileged accounts, especially the so-called “service accounts” that software processes and agents use to access data.
Other techniques companies should consider to better control that trust relationship include:
- Better device authentication methods,
- A policy to reject any request that violates policies, even if they come from a trusted channel,
- Multi-factor authentication.
Zero trust models
Some organisations are even moving to a zero-trust model – a model that no longer assumes actors or systems operating from within a trusted ecosystem are automatically trusted. Rather, the model requires even trusted actors to be verified before access is granted. I don’t know if we’ll ever get to zero trust, but businesses need to trust a lot less than we have been doing so far.
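To make the contrast concrete, here is an added illustration (not from the article or any named product) of the trusted-channel model beside the zero-trust model described above and in the list of controls preceding it: a perimeter check that lets anything from the internal network through, next to a per-request check that demands device authentication, MFA and a least-privilege policy match regardless of origin. The network range, identities, resources, policy table and the `-svc` naming convention for service accounts are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed example data: the network range, identities, resources and policy
# below are made up for illustration and do not come from any real deployment.
CORPORATE_NET = ip_network("10.0.0.0/8")

# Least-privilege policy: for each identity, only the (resource, action) pairs it needs.
POLICY = {
    "alice": {("payroll-db", "read")},
    "backup-svc": {("file-share", "read")},   # service account scoped to a single job
}

@dataclass
class Request:
    user: str
    source_ip: str
    resource: str
    action: str
    mfa_verified: bool = False      # a second factor was presented for this session
    device_attested: bool = False   # the device or workload identity was verified

def perimeter_decision(req: Request) -> bool:
    """Trusted-channel model: anything originating inside the corporate network passes."""
    return ip_address(req.source_ip) in CORPORATE_NET

def strongly_authenticated(req: Request) -> bool:
    """Humans need MFA on an attested device; service accounts (constructed '-svc'
    convention) need an attested workload identity instead of a human second factor."""
    if req.user.endswith("-svc"):
        return req.device_attested
    return req.mfa_verified and req.device_attested

def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Evaluate every request on its own merits; network origin grants nothing."""
    if not strongly_authenticated(req):
        return False, "identity not strongly verified"
    if (req.resource, req.action) not in POLICY.get(req.user, set()):
        return False, "outside least-privilege policy"
    return True, "allowed"

if __name__ == "__main__":
    # A stolen password used from an internal workstation: the perimeter lets it in.
    stolen = Request("alice", "10.1.2.3", "payroll-db", "read", device_attested=True)
    # A service account stepping beyond the one job its policy entry covers.
    creep = Request("backup-svc", "10.5.5.5", "payroll-db", "read", device_attested=True)
    # The real user, working from home with MFA on a managed device.
    legit = Request("alice", "203.0.113.5", "payroll-db", "read", mfa_verified=True, device_attested=True)
    for r in (stolen, creep, legit):
        print(r.user, r.source_ip, "perimeter:", perimeter_decision(r), "zero-trust:", zero_trust_decision(r))
```

The stolen-credential case is the micro-breach from earlier in the piece: the perimeter model allows it because the request looks internal, while the zero-trust model rejects it because the session never proved a second factor.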
At the same time, as enterprises move to cloud services, share data, and take advantage of all that the internet of things offers, it is up to the people inside every enterprise to have the hard conversations to determine what level of trust is most appropriate for their organisation.
Businesses by now recognise the cost of inadequate security. The answer is to take these pillars seriously and apply the rigour required to ensure the next micro-breach doesn’t end up a major one. And, above all, create a culture where security is paramount and front of mind at all times.