The Breaches Just Keep Coming (and So Do the Ramifications)
Recent high-profile data breaches prove that the problem is getting worse, not better. If traditional security tools and approaches aren’t working, what can companies do to protect themselves from the next data security breach?
The Breaches Just Keep Coming (and So Do the Data Breach Consequences)
Unfortunately, cyber breaches in the retail industry just keep coming. Consider these high-profile examples of massive data breaches from just the last few weeks:
- Panera Bread (due to an improperly prepared web application)
- Under Armour (via “un-fit-bit” applications)
- The Hudson’s Bay Company’s Lord & Taylor and Saks Fifth Avenue chains (malware)
These data breach examples show how the problem is getting worse, not better. For example, in the case of the Hudson’s Bay Company, hackers stole data from more than five million cardholders over a one-year timeframe. Worse, the breach wasn’t even detected by the retailer’s security solution. Instead, the criminal group, JokerStash, was bragging on the dark web that it had credit card data for sale. The Hudson’s Bay Company now believes malware infected its POS credit card systems.
All industries are susceptible to a data security breach
It’s not just retail. In another case, several weeks ago the “SamSam” ransomware crippled the city of Atlanta and brought most government agencies to a screeching halt. Police officers had to resort to writing case notes by hand. The city’s auditor department was down to only eight working computers. The water department could not accept payments, or even determine which invoices had been paid. The SamSam hackers demanded $51,000 in ransom to release the city’s infrastructure and data.
According to reports, a cyber-security audit conducted in January of the city’s IT infrastructure found severe vulnerabilities that had been left unaddressed for so long that no one was even thinking about security in their daily operations.
No matter the cause of these breaches, both companies have already released the standard apology of “We’re sorry for any inconvenience this may cause.” Yet for those consumers who have to wait and see if their identity was stolen, such an apology may not be enough.
Traditional security tools fall short
As an industry, we need to attack these issues in a much different way, especially considering that the current methods are not working.
Everyone in the industry realizes that breaches are not going away, but the most common security tools often focus on detecting a threat (hopefully before it becomes a full-blown data security breach). This makes sense until you hear additional facts:
- Enterprises receive more than 5,000 alerts per day from their current tools.
- There is no way that even highly staffed InfoSec departments can investigate all of these alerts.
- For example, Equifax had 172 senior security resources on staff, and they still did not realize that their systems were breached for many months.
- Receiving intrusion alerts from across the entire network is not an effective way to secure critical business data, including PII, financial data, and more.
- As the saying goes, “when you attempt to monitor/secure everything, you end up protecting nothing.”
- By design, traditional security tools are “single-minded,” with no simple way to aggregate the results together. For example, endpoint tools monitor endpoint devices, firewalls monitor north-south traffic, etc.
Failure is not an option: Noncompliance is costly
The regulators are fed up. Data privacy regulations are growing in number, and now have very real penalties for noncompliance.
- 23 NYCRR 500 gives financial, banking, and New York-based insurance companies three days to notify the state of a data breach.
- The upcoming EU GDPR regulation has a data breach notification requirement of 72 hours. If this is not met, an organization can be assessed fines of 4% of revenue or €20M. In addition, U.S.-based companies that merely hold EU citizen data will still be held accountable to the GDPR regulation.
- Regulated organizations are seeing the tightening of industry-specific regulations like NIST, PCI, FISMA, and harsher enforcement of HIPAA.
- Twenty-six states have their own fines for breaches if impacted citizens are not notified in the appropriate timeframe.
New solutions, new results
We, at CSPi, have been placing our focus on making the inevitable data security breach irrelevant by securing an organization’s most critical data no matter where it is stored, accessed, or used. We can deliver on this concept with the following solutions:
- Myricom® nVoy Series: These tools give security teams a critical advantage: They tell you when you are breached and detail the exact PII/PHI or other critical records that were exposed. They also let you know whether you have to report the breach by providing evidence of whether those records were properly encrypted. They provide the forensic detail in simple files that reduce any investigation or audit from weeks or months to just a day or two.
- ARIA™ SDS solutions: Automatically secures bare metal, containerized, and VM deployments as they spawn. ARIA is implemented through a series of lightweight software-defined security instances (SDSi), which among other services help encrypt the data on a per-application use basis and can be cost-effectively deployed in any environment without application performance impact.
Interested in learning more about how to deal with a data security breach? Download our white paper, “Automated Breach Detection,” or contact us today.