Guest author Armond Caglar is a senior threat specialist at TSC Advantage.
Data breaches are on the rise in organizations as diverse as the U.S. Nuclear Regulatory Commission (NRC), Anthem BlueCross BlueShield and Sony Pictures. Many of them appear to have been sponsored by foreign governments.
With sophisticated attacks coming with increasing frequency from China, North Korea, Russia and other regions, companies need to refine the ways in which they defend against such onslaughts to protect their customers, partners and sensitive data.
The Insider-Outsider Nexus
External cyberattacks attributed to hostile nation-states continue to garner attention, and rightfully so. Last year’s attacks against Sony Pictures demonstrated this.
But lost in the headlines is the under-reported reality that credentialed insiders within corporate networks represent a far more sinister avenue for cyber-infection and, ultimately, data loss. A 2013 Forrester Research survey found that 70% of data breaches were the result of insider activity—and a full quarter of those resulted from accidental or unintentional employee disclosures.
As a result, companies wishing to avoid the fate of Sony Pictures need to think about safeguards on non-technical sources of risk as well. For instance, they might want to ensure that employees wipe whiteboards clean of sensitive data and recognize common behavioral indicators associated with insider threats.
Such educational efforts aren’t just a good idea. Employees often inadvertently serve as vectors for external attacks—for instance, by clicking on malicious email links that install malware on corporate networks. Such malware can impersonate high-ranking company officials or take advantage of their security privileges to spread and obtain access to valuable confidential data.
The Long Tail Of The Sony Attack
Like Sony, companies concerned about external cyberattacks have to consider long-term damage that goes well beyond the initial losses. Such damage—for instance, reputational harm—is harder to quantify and something an insurance policy won’t cover. Previous breaches and remediation provide no trusted inoculation from future risk.
This is the second major breach Sony has suffered—its PlayStation Network was compromised in 2011, forcing the company to pull it offline for more than three weeks—although the more recent attack was distinctly different in scale and scope. Leaked emails show producer Scott Rudin and former entertainment chief Amy Pascal insulting Angelina Jolie and President Obama. What if Jolie refuses to make movies with Sony moving forward? How do you quantify that damage? Or perhaps the damage manifests internally among Sony’s employees, who have undoubtedly read some of the internal emails branded as racist, sexist or otherwise discriminatory.
Sony will undoubtedly face higher insurance premiums moving forward (assuming it’s insurable at all). Or it may face a policy with more exclusions because it’s now considered a higher risk. Every insurance application inquires about previous losses, and there will be very few underwriters, if any, that will accept this risk without major offsets in exclusions to future coverage or much higher rates.
Sony CEO Michael Lynton may boast that the company is covered for more than $100 million, but somewhere down the line are underwriter(s) who must now pay $100 million to Sony, so the damage flows downstream. This will only push underwriters to want a more comprehensive pre-binding understanding of the risk they are taking on.
The consequences of not knowing what they are insuring are huge payouts that directly affect not only their bottom line, but their ability to offer affordable insurance to other companies.
How To Thwart External Attacks
State-sponsored cyberattacks help nation-states exercise power and protect their interests, much like diplomacy or military force. Despite the alleged failure of the Sony attackers to use proxy servers to mask their identities, for the most part state-sponsored attacks are advanced in their signatures, not sloppy, and choose their targets based on the perceived intelligence value they represent.
While businesses are investing in technology solutions to secure endpoints and deter and monitor network intrusion, these efforts haven’t slowed the number of breaches.
It’s time to shift the way we address cybersecurity in a way that places the emphasis on holistic posture and maturity of existing security investments, rather than a strictly sensor-based approach. Determined actors will always find vulnerabilities, whether through targeting third-party vendors, exploiting an unlocked door or preying on lousy cyber-hygiene and other behaviors by employees during foreign travel.
Before implementing the various holistic solutions in defense of sensitive assets, going back to basics and truly understanding what data is considered the most sensitive can help a business build a proper security plan from the inside out.
Such a data classification policy can begin with the simple act of defining and categorizing data based on its degree of sensitivity, as well as determining the value it represents to future earnings. From there, a proper risk assessment can provide an understanding of threats to these assets, as well as the limitations of current policies and controls.
As we continue to say in the market, cyberrisk is not an IT issue; it’s a business problem. One or two people inside an organization cannot carry the burden of strengthening corporate defenses.
The entire team, regardless of position, must be continuously trained to understand corporate security policies and procedures, as well as the latest types of threats targeting U.S. firms. Breach-proof security doesn’t exist, and businesses can’t afford to believe in the infallibility of IT solutions alone in fending off foreign-sponsored attacks.
Photo by Alexandre Dulaunoy