What did we learn about cybersecurity in 2015?

Cybercrime is always a hot-button issue, and last year was no different. What lessons can we learn from some of the more insidious trends and events to better prepare ourselves for the year ahead?

A data breach can be the biggest kind of crisis an IT leader will have to face. And when an incident occurs, it’s an emergency situation – typically an all-hands-on-deck moment.

After the dust settles, however, it’s time to determine what lessons were learned from the experience. Your organization may have escaped 2015 without a data breach. But that’s no guarantee that hackers, cybercriminals and others won’t turn their attention to your business soon.

2015 by the numbers

According to the Identity Theft Resource Center (ITRC), organizations around the world suffered over 700 data breaches in 2015. The attacks covered every sector and records were lost in many sectors. For 2015, the ITRC reports the following findings:

  • 781: total data breaches reported for 2015 (a slight decrease from 783 in 2014)
  • 312: data breaches suffered in the business category
  • 277: data breaches suffered in the medical/healthcare sector (35 percent of reported breaches)


Several conclusions can be drawn from the ITRC’s reports. First, the total number of attacks continues to hold steady (although this data may be influenced by the willingness of organizations to report incidents). Second, the medical sector has been a top category for attacks for several years. Effective security in healthcare impacts all of us, so let’s consider that area first.

Increasing security maturity to respond to threats in the healthcare sector

Healthcare organizations suffered several high-profile attacks in 2015. The highly sensitive personal records held by these organizations include medication information, medical expenses and personal data such as physical addresses and dates of birth. With health information, fraud is only one possible loss scenario. Lost trust, embarrassment and damaged reputations are other consequences from health attacks.

“In the health sector, we have seen acceptance of the problem at the board level. This sector is continuing to increase in maturity,” says Christos Dimitriadis, president of ISACA, an international cybersecurity professional organization. In the IT industry, ISACA is well-known for the cybersecurity certification and professional development programs it offers to professionals. ISACA also conducts ongoing research projects to understand new threats and support members.

“The United States and Europe are continuing to develop their cybersecurity policies in response to these attacks. I also see increased interest in protecting privacy and that means more support to the health sector,” says Dimitriadis.

Health organizations targeted in 2015 included large organizations that provide services to a large percentage of the American population.

  • UCLA Health System. Personal information for millions of patients was stolen. Unfortunately, the data was not encrypted, which suggests a high likelihood of fraud and misuse. The organization announced the incident in July 2015 and noted that suspicious activity was first detected in September 2014. The UCLA Health System has offered identity protection services to impacted individuals. UCLA has described the incident as a criminal attack.
  • Community Health Systems. Operating over 200 hospitals across the United States, Community Health Systems announced that 4.5 million records on patients had been accessed in a data breach incident in 2015. Information accessed in the incident included names, physical addresses and Social Security numbers.

“We are seeing an increasing trend in major cyber security incidents that lie undetected for six months or more,” says Dimitriadis. These long-term security threats suggest that hackers and criminals are becoming more patient and willing to launch attacks with greater sophistication.

Kaspersky and the U.S. military

Security providers face constant pressure to deliver reliable solutions and keep up with attackers. In 2015, security companies and military organizations experienced security incidents. Even organizations that take pride in their security measures are targeted and experience significant repercussions.

In June 2015, Kaspersky Lab, a Russian-based cybersecurity company, announced that it was attacked by hackers. The company stated that several new techniques were used by the hackers. Exploiting vulnerabilities in Microsoft software was a key part of the attack. Even worse, the attack targeted software often used by IT staff to install updates on end user machines.

Key findings from Kaspersky Lab

  • Government sponsorship suspected. The company states that the sophistication of the attack suggests that an unnamed government may have sponsored the attack.
  • Cybersecurity assets sought. Products that safeguard operating systems and prevent fraud were targeted by the attack according to Eugene Kaspersky, the company’s founder and CEO.
  • Attack disclosure. Eugene Kaspersky recommends disclosing attacks to other impacted companies such as Microsoft and to law enforcement agencies. The company’s willingness to disclose the attack incident may be related to the fact that no customer data was lost and the company’s products were not impacted.

Security impacted by complex arrangements

Over the past decade, IT leaders have used outsourcing and contractors to reduce costs and increase flexibility. Unfortunately, these practices may increase security risks. In 2015, the U.S. Army National Guard (ARNG) suffered an incident where personal data (i.e. names, Social Security numbers, addresses, dates of birth and pay data) for up to 868,000 current and former members of the ARNG was transferred out of a secure environment by a contractor.


“The specific information was transferred by a government contractor and was used for budget analysis for various federal programs,” says Major Jamie Davis, U.S. Army National Guard. “We believe the specific files containing the personal information was safeguarded and not used to compromise anyone's identity.”

To err on the side of caution, military authorities took action in response to this incident. Notices were sent to each state’s National Guard unit. In addition, a call center was established to address questions and concerns related to the incident and possible identity theft. The military’s response shows that a proactive response may be needed even in cases where the probability of harm is low.

Improving cybersecurity in 2016

In 2016, IT leaders have a number of options to improve security. The specific mix of options an organization chooses will depend on its resources and current security matters. Dimitriadis’s advice to IT managers looking to improve cybersecurity:

  • The internal challenge. “Lack of awareness in basic security matters and malicious acts by staff remain significant security risks. These threats can be reduced through training programs.” 
  • Use new technologies. “New technologies such as security as a service offer an excellent supplement to internal security departments.” The Cloud Security Alliance, established in 2009, has a dedicated working group focused on security as a service. Security as a service means providing security services through the cloud.
  • Combat social engineering threats. “There are technologies to block phishing emails and suspicious web links, training remains essential to combat social engineering. For example, you receive a call or email from someone claiming to be a senior executive and they request sensitive data. In that case, it makes sense to verify that request by calling them back at their office phone number or checking with another manager prior to releasing the information.”
