What did we learn about cybersecurity in 2015?
- 04 February, 2016 23:22
A data breach can be the biggest kind of crisis an IT leader will have to face. And when an incident occurs, it’s an emergency situation – typically an all-hands-on-deck moment.
After the dust settles, however, it’s time to determine what lessons were learned from the experience. Your organization may have escaped 2015 without a data breach. But that’s no guarantee that hackers, cybercriminals and others won’t turn their attention to your business soon.
2015 by the numbers
According to the Identity Theft Resource Center (ITRC), organizations around the world suffered over 700 data breaches in 2015. The attacks covered every sector and records were lost in many sectors. For 2015, the ITRC reports the following findings:
- 781: total data breaches reported for 2015 (a slight decrease from 783 in 2014)
- 312: data breaches suffered in the business category
- 277: data breaches suffered in the medical/healthcare sector (35 percent of reported breaches)
Several conclusions can be drawn the ITRC’s reports. First, the total number of attacks continues to hold steady (albeit this data may be influenced by the willingness of organizations to report incidents). Second, the medical sector has been a top category for attacks for several years. Effective security in healthcare impacts all of us, so let’s consider that area first.
Increasing security maturity to respond to threats in the healthcare sector
Healthcare organizations suffered several high-profile attacks in 2015. The highly sensitive personal records held by these organizations include medication information, medical expenses and personal data such as physical addresses and dates of birth. With health information, fraud is only one possible loss scenario. Lost trust, embarrassment and damaged reputations are other consequences from health attacks.
“In the health sector, we have seen acceptance of the problem at the board level. This sector is continuing to increase in maturity,” says Christos Dimitriadis, president of ISACA, an international cybersecurity professional organization. In the IT industry, ISACA is well-known for the cybersecurity certification and professional development programs it offers to professionals. ISACA also conducts ongoing research projects to understand new threats and support members.
“The United States and Europe are continuing to develop their cybersecurity policies in response to these attacks. I also see increased interest in protecting privacy and that means more support to the health sector,” says Dimitriadis.
Health organizations targeted in 2015 included large organizations that provide services to a large percentage of the American population.
- UCLA Health System. Personal information for millions of patients was stolen. Unfortunately, the data was not encrypted which suggests a high likelihood of fraud and misuse. The organization announced the incident in July 2015 and notes that suspicious activity was first detected in September 2014. The UCLA Health System has offered identity protection services to impacted individuals. UCLA has described the incident as a criminal attack.
- Community Health Systems. Operating over 200 hospitals across the United States, Community Health Systems announced that 4.5 million records on patients had been accessed in a data breach incident in 2015. Information access in the incident included names, physical addresses and Social Security numbers.
“We are seeing an increasing trend in major cyber security incidents that lie undetected for six months or more,” says Dimitriadis. These long term security threats suggest that hackers and criminals are becoming more patient and willing to launch attacks with greater sophistication and patience.
Kaspersky and the U.S. military
Security providers face constant pressure to deliver reliable solutions and keep up with attackers. In 2015, security companies and military organizations experienced security incidents. Even organizations that take pride in their security measures are targeted and experience significant repercussions.
In June 2015, Kaspersky Lab, a Russian based cybersecurity company, announced that it was attacked by hackers. The company stated that several new techniques were used by the hackers. Exploiting vulnerabilities in Microsoft software was a key part of the attack. Even worse, the attack targeted software often used by IT staff to install updates on end user machines.
Key findings from the Kaspersky Lab
- Government sponsorship suspected. The company states that the sophistication of the attack suggests that an unnamed government may have sponsored the attack.
- Cybersecurity assets sought. Products that safeguard operating systems and prevent fraud were targeted by the attack according to Eugene Kaspersky, the company’s founder and CEO.
- Attack disclosure. Eugene Kaspersky recommends disclosing attacks to other impacted companies such as Microsoft and to law enforcement agencies. The company’s willingness to disclose the attack incident may be related to the fact that no customer data was lost and the company’s products were not impacted.
Security impacted by complex arrangements
Over the past decade, IT leaders have used outsourcing and contractors to reduce costs and increase flexibility. Unfortunately, these practices may increase security risks. In 2015, the U.S. Army National Guard (ARNG) suffered an incident where personal data (i.e. names, social security numbers, addresses, dates of birth and pay data) for up to 868,000 current and former members of the ARNG were transferred out of a secure environment by a contractor.
[Related: Top 10 security stories of 2015]
“The specific information was transferred by a government contractor and was used for budget analysis for various federal programs,” says Major Jamie Davis, U.S. Army National Guard. “We believe the specific files containing the personal information was safeguarded and not used to compromise anyone's identity.”
To err on the side of caution, military authorities took action in response to this incident. Notices were sent to each state’s National Guard unit. In addition, a call center was established to address questions and concerns related to the incident and possible identity theft. The military’s response shows that a proactive response may be needed even in cases where the probability of harm is low.
Improving cybersecurity in 2016
In 2016, IT leaders have a number of options to improve security. The specific mix of options an organization chooses will depend on its resources and current security matters. Dimitriadis’s advice to IT managers looking to improve cybersecurity:
- The internal challenge. “Lack of awareness in basic security matters and malicious acts by staff remain significant security risks. These threats can be reduced through training programs.”
- Use new technologies. “New technologies such as security as a service offer an excellent supplement to internal security departments.” The Cloud Security Alliance, established in 2009, has a dedicated working group focused security as a service. Security as a service means providing security services through the cloud.
- Combat social engineering threats. “There are technologies to block phishing emails and suspicious web links, training remains essentials to combat social engineering. For example, you receive a call or email from someone claiming to be a senior executive and they request sensitive data. In that case, it makes sense to verify that request by calling them back at their office phone number or checking with another manager prior to releasing the information.”