Internet-based technology and services are expanding with such speed that security has been left behind. As the Internet evolves at an untethered pace, hackers are iterating just as rapidly as the innovation. This has left us with a technological void that is being all too easily exploited, leading to a lack of clarity on how to effectively mitigate the risk from a corporate governance perspective.
On November 10th, federal prosecutors announced charges relating to last year’s JPMorgan Chase hack. In what they referred to as “the largest cyber hacking scheme ever uncovered,” prosecutors detailed how hackers stole information from over 100 million individuals and hacked into over 12 different organizations, seven of which were financial institutions.
“The breaches of these firms were breathtaking in scope and in size,” said Preet Bharara, the U.S. attorney for the Southern District of New York. “The conduct alleged in this case showcases a brave new world of hacking for profit.”
Whether in financial institutions, retail, health care, government or online services such as Ashley Madison, recent high-profile data breaches have exposed a lack of understanding at the C-level of how vulnerable organizations are to cyber attacks. Any industry with sensitive information, and particularly those that collect and manage personal and financial data, is a target for hackers. With seemingly no ability to prevent the hack, or to prevent the media from sensationalizing it, big business has paid the price: damaging headlines on the one hand, and fines, compensation or simply paying the hackers extortionate sums to get their data back on the other.
So, what’s going to happen now? Well, to date, the federal government has failed to provide any national cybersecurity legislation, leaving departments of government, as well as individual states, in a position where they are being forced to enact their own.
While states such as California and Massachusetts already have regulations in place regarding data leaks, New York was the first to conduct a cybersecurity audit of its banks in 2013. The findings of this audit prompted the New York State Department of Financial Services (NYDFS) to recently issue a letter unveiling potential new cybersecurity regulations for banks and financial institutions. While these regulations only apply to institutions under NYDFS jurisdiction, they are a good example of what financial institutions in other states can expect to see in the future.
“The New York State Department of Financial Services considers cybersecurity to be among the most critical issues facing the financial world today,” wrote Anthony Albanese, acting NYDFS superintendent.
The NYDFS regulations, which now seem a question of when rather than if they will be mandated, would require banks and financial institutions to implement a number of significant measures, from mandatory multi-factor authentication to encryption and the maintenance of an audit trail. The NYDFS is taking this position because the institutions it regulates have not been able to protect themselves sufficiently against hackers. But with all the wealth and brain trust within the banking sector, why is that?
As with many decisions in life and business, the hardest problems are usually best solved when broken down to their simplest terms. While the NYDFS notification outlines very important and necessary cybersecurity measures, it doesn’t deliver any context around why these regulations have come into focus. Whether consumer or corporate Board member, we’ve become conditioned to expect hacks. We’re told, and we tell ourselves, that there’s nothing we can do: the hackers have more sophisticated methods than we have tools to stop them. Actually, no. The reason we are facing this crisis is a simple one, and it involves leaving the old domain mentality in the past.
Securing Data at the Data Level
Currently, network and data security operate like a medieval fortress. The network perimeter is secured by strong castle walls, and perhaps even ringed with a moat and drawbridge. And once the fortifications (firewall, anti-virus, spam filter, etc.) are breached, the invaders have access to the treasures inside.
In the past, these defenses provided adequate protection against cyber attacks. However, these technologies are all reactive: they recognize attacks based on previously known exposures. This is where security has been well and truly left behind; cyber attacks are no longer limited to specific, repeated methods. Many use a mix of programmatic techniques and social engineering to achieve their goals.
So, the hard truth is the data within an organization’s walls is no longer safe from determined hackers under the fortress model. On top of this, since current technology is based on perimeter defense and keeping uninvited visitors out, data breaches occurring inside an organization, due to human error or malicious employee activity, are not addressed at any level.
As for the data an organization has shared and sent outside of its domain? Well, no one has ever expected that could be protected. Once the treasures have passed through the fortress gate and across the drawbridge, organizations have come to accept that their data is simply at the mercy of anyone it comes in contact with. But, there really is no reason it has to be this way.
All that is required is a change in mindset, away from the nervous acceptance of the status quo to an expectation of proper security. You can achieve this by securing the data itself. Instead of building thicker walls and a wider, deeper moat, view each piece of data as separate and valuable in itself, and then protect it accordingly.
By securing and encrypting data at the data level, organizations benefit from pervasive and persistent data security wherever that data goes, even when it travels and is sent across domain boundaries.
A System with Your Security on its Mind
So, let’s assume that your organization now has each and every file, folder and database secured by encryption. Is that enough? In a word, no. There’s still the issue of rogue employees with legitimate access to your data, as well as the social engineering methods that hackers are increasingly using to gain access to an email account or network. Put simply, on a corporate network with potentially millions — if not billions — of data files, an adequate security system still needs to monitor and enforce user access according to corporate governance, policies and procedures.
But with so many users and vast amounts of files, this does seem like a mountainous task, and certainly not something that could be tracked manually. Enter User Behavior Analytics: the monitoring of user behavior by algorithmic methodologies or, as it’s more commonly known, Artificial Intelligence (AI).
User Behavior Analytics enables organizations to monitor user behavior in real time, learning each user’s typical behavior patterns and identifying the subtle deviations that represent risk. It does this by recording and analyzing key behavioral attributes to form a baseline data set, which the system then uses to determine whether any anomalous activity is truly a threat to your organization. If an activity is deemed high risk, the system responds by temporarily revoking the questionable user’s credentials and alerting IT Administration. If the user is genuine, they can contact IT and be reinstated.
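The loop just described (record baseline attributes, score new activity, revoke and alert on high risk, reinstate after review), as an added Python example that is not part of the article or any vendor’s product; the users, events, attributes and the two-deviation threshold are all constructed assumptions for illustration.

```python
# Added example, not from the article: a minimal user-behavior-analytics loop.
# Baseline attributes are recorded per user, new activity is scored against them,
# and a high-risk score temporarily revokes access and alerts IT. All users,
# events and thresholds are constructed for illustration.
from collections import defaultdict

# Constructed history: (user, hour_of_day, files_accessed, source_network)
HISTORY = [("alice", 9, 12, "corp-lan"), ("alice", 10, 15, "corp-lan"),
           ("alice", 14, 9, "corp-lan"), ("alice", 16, 11, "corp-vpn"),
           ("bob", 8, 40, "corp-lan"), ("bob", 13, 45, "corp-lan"), ("bob", 17, 38, "corp-lan")]
RISK_THRESHOLD = 2   # deviating attributes needed before access is revoked

def build_baseline(events):
    """Per-user profile: working-hour window, mean file volume, known networks."""
    rows = defaultdict(list)
    for user, hour, files, net in events:
        rows[user].append((hour, files, net))
    return {u: {"hours": (min(h for h, _, _ in r), max(h for h, _, _ in r)),
                "vol_mean": sum(f for _, f, _ in r) / len(r),
                "networks": {n for _, _, n in r}} for u, r in rows.items()}

def score_event(profile, event):
    """Attributes on which the event deviates from the user's recorded baseline."""
    user, hour, files, net = event
    p, deviations = profile[user], []
    lo, hi = p["hours"]
    if not lo - 1 <= hour <= hi + 1:
        deviations.append("hour")        # activity outside the usual window
    if files > 3 * p["vol_mean"]:
        deviations.append("volume")      # bulk access far above the norm
    if net not in p["networks"]:
        deviations.append("network")     # never-seen source network
    return deviations

class AccessController:
    """Revoke on high risk, deny while suspended, reinstate after IT confirms the user."""
    def __init__(self, profile):
        self.profile, self.suspended, self.alerts = profile, set(), []

    def handle(self, event):
        user = event[0]
        if user in self.suspended:
            return "denied"
        deviations = score_event(self.profile, event)
        if len(deviations) >= RISK_THRESHOLD:
            self.suspended.add(user)
            self.alerts.append((user, deviations))   # what IT sees in the alert
            return "revoked"
        return "allowed"

    def reinstate(self, user):
        self.suspended.discard(user)
```

A single deviation (one late login) is logged but not acted on; only a combination, such as an off-hours bulk download from an unknown network, trips the revocation.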
In summary, any CIO, CISO, CTO or even CEO reviewing their cyber defense strategy needs to think beyond the swath of latest-and-greatest versions of the familiar. For true cybersecurity, organizations must combine data encryption, identity management (using multi-factor authentication and not just username and password), user behavior analytics and tamper-proof auditing. Only then can IT Administrators and C-level leadership begin to sleep soundly at night.