What We’ve Learned Since the Target Breach
November 3, 2015
Alan Kessler | President and CEO

In December 2013, Target disclosed that it had been the victim of a massive data breach, believed to have begun around the 2013 Thanksgiving holiday. Initially, the company said roughly 40 million credit and debit card accounts were affected. In January 2014, Target added that personal information (names, mailing addresses, phone numbers and email addresses) of up to 70 million additional customers had also been taken, which pushed the number of people affected to as many as 110 million.

To say that the Target breach had an impact on data security strategies and perceptions would be a vast understatement. The Target attack was one of the most notable cybersecurity moments of the 21st century, and it ushered in a year (2014) that saw a record number of data breaches. It also demonstrated how much financial and reputational havoc a breach could wreak on a beloved brand: following Target’s disclosure, the company reported a 46 percent drop in quarterly profit, and both its CIO and CEO tendered their resignations.

That Was Then, This Is Now

Since the Target attack, the cybersecurity landscape has grown even more precarious. Following the incident, we saw breaches of JP Morgan (76 million individuals affected), Home Depot (56 million affected), Anthem (80 million affected), Sony (for an in-depth look at just how impactful the Sony breach was, see my colleague Tina Stewart’s 2015 blog), the Office of Personnel Management (aka OPM; almost 22 million affected) and the website Ashley Madison (over 30 million affected). To be clear, that list touches only the highest-profile breaches of the bunch. It doesn’t come close to reflecting the 2014 number, nor the number of 2015 breaches already tallied by the Identity Theft Resource Center (currently sitting at 629, with two more months left in the year).
What really resonates with me is how large-scale breaches have grown beyond retail and credit cards to encompass much more sophisticated exfiltration of information, a characteristic that has (unsurprisingly, and with good reason) sometimes led to an assumption of state-sponsored involvement. Target, it would appear, was financially motivated. The breaches that followed appear to have been driven by political or moralistic (Sony, Ashley Madison) or geopolitical/state-sponsored (Anthem, OPM) agendas.

Beyond the evolution of breach motivations, executive and board-level attitudes have changed as well. According to a survey by the Ponemon Institute, only 13 percent of senior management said their concern about a data breach was extremely high before Target. That number increased to 55 percent after the breach.

What’s At Stake

Three breaches in particular stand out to me, owing to the type of data involved and because that data is hugely valuable on black markets. They are Anthem (medical records, which are of course enormously personal), OPM (personnel records, the disclosure of which could put many government officials in dangerous situations) and Ashley Madison (for obvious reasons).

Let’s start with Anthem. Healthcare data has become one of the most desirable commodities for sale, and for good reason. A complete healthcare record contains enough information not just to apply for credit cards or loans in the victim’s name, but to compromise the patient’s financial accounts and to bill huge sums in fraudulent medical charges; unlike a card number, a medical identity cannot simply be reissued. As a result, healthcare data commands a premium. The Anthem attackers gained their initial entry point through compromised IT administrator credentials, and from that foothold reached the records of the roughly 80 million people noted above. In the healthcare edition of our 2014 Insider Threat Report, 48 percent of U.S. healthcare organizations reported either encountering a data breach or failing a compliance audit in the last year.
Unfortunately, that means healthcare organizations are not even clearing the lowest bar for protection of their patient information. Some of that might have to do with a lack of incentive on their end. While a recent Ponemon study indicates that two-thirds of medical record theft victims pay an average of $13,500 to resolve the theft, Vormetric’s October Pulse Survey found that 89% of respondents did not include medical records in their top three selections for personal data they would be most concerned to have lost in a data breach. Given this reality, we probably shouldn’t be so taken aback when, say, China (the alleged perpetrator behind the Anthem attack) makes its way into the databases of American companies.

Moving on to OPM. According to a detailed article by FCW, “hackers likely gained access to OPM’s local-area network on May 7, 2014, by stealing credentials and then planting malware and creating a backdoor for exfiltration. Actual exfiltration of data on background investigations did not begin until July 3, 2014, and it continued until August. In October, the hackers pivoted to the Interior Department data center where OPM’s personnel records resided. On Dec. 15, 2014, the intruders siphoned that data away. OPM has said the personnel records of 4.2 million people were compromised in that breach.” The article also noted that “all official signs thus far have pointed to China as a leading suspect.”

Read that timeline with a defender’s eye: the intruders held valid credentials and a backdoor for roughly two months before the first exfiltration, and were still active seven months after entry, pivoting to a second data center. That is the window in which anomalous use of those stolen credentials, or data that was useless without a key, would have mattered.

The Broader Implications

As I’ve said in the past, it’s fair to think of OPM as the “government’s Target,” in that it could be a real game-changer, one that might actually compel the U.S. government to improve and strengthen its data security practices. By even the most casual observer’s estimation, the federal government has a lot of work to do to ensure this type of attack doesn’t happen again. If you think the American public may have ignored this one, think again.
According to our July 2015 Pulse Survey, 92% of Americans want action to result from nation-state cyberattacks. This attitude is understandable; after all, government data offers much more than financial gain. Two paramount drivers are stealing government secrets and stealing critical intellectual property, pretty frightening stuff. While nation-state attacks are not a new phenomenon, an increased reliance on the digital world has exposed the United States to yet another espionage conduit. Needless to say, it remains to be seen exactly how much damage the OPM attack may cause government personnel. And that’s just plain scary.

Unlike Anthem and OPM, the Ashley Madison breach opened the door to public shaming, moralizing and appeals from the hack victims for forgiveness (not something we’re generally used to; it’s usually the companies appealing for forgiveness from the hack victims!). As my colleague Charles Goldberg so deftly put it in his August blog post, “because of the private, highly personal nature of the site, the implications of the breach will reach far beyond the typical attack at a retailer or financial institution. As opposed to the very real financial significance of a credit card breach or the financial and emotional strains of identity theft, this breach introduces a whole new layer of collateral damage, potentially for millions of families.”

My point here isn’t just to rehash the severity of these breaches from a numbers standpoint; rather, it’s to underscore that post-Target breaches have moved into a more personal, psychological and just plain unexpected realm than we ever could have imagined.

What Can We Do About It?

Despite all the post-Target doom and gloom, there are absolutely steps companies can take to better protect themselves.
Since the theme of this post is what we’ve learned since Target, I’ll start with one the company dropped the ball on.

Secure Your Supply Chain

In September 2013, Target’s HVAC provider, Fazio Mechanical Services, was compromised by what is alleged to have been an email phishing attack. It is believed that network credentials Target had issued to Fazio were stolen in that attack, and the attacks on Target started shortly thereafter. The lesson is that a third party’s credentials were, in effect, an entry point into Target’s own network; once they were stolen, Fazio’s security had become Target’s security. Two questions follow for every vendor account you issue: what can it reach, and would you notice if it were used from somewhere it shouldn’t be?

When it comes to the “supply chain” (which, for an enterprise, might include technology partners, cloud partners and non-technology vendors such as energy or food service suppliers), it’s important to know whether these third parties take data security as seriously as you do. Do your vendor management practices include specific requirements for data security? If they don’t, they should. Information is the new currency, which means that everyone who touches that information outside of your employees and your customers is in your information supply chain. Protecting data throughout the supply chain provides an opportunity for security to be seen less as a tax and more as a competitive advantage. Organizations cannot ensure their customers’ private data will be secure unless the entire chain is taking appropriate security precautions, from the HVAC vendor on down. In a November 2014 blog post, I outlined five top “best practices” for CISOs working with supply chain partners on data security. I recommend you take a deeper dive there.

Acknowledge That Compliance Is Not Enough, Then Go Beyond It

While I’m not a tattoo person, if I had to get one under duress, I might go with this statement. Following the Target breach, Fazio issued a statement saying it was in full compliance with industry practices. Guess how many of the breach victims likely felt better after that statement. Did you guess zero? If you guessed zero, we have at least one thing in common (besides the fact that you are interested in this blog).
Many government agencies live and die by compliance standards put in place years and years ago, which means the companies or government organizations on the receiving end are also forced to live and die by these standards. Bob Bigman, former CISO of the CIA, dives into the drawbacks of a compliance-centric strategy here. You’d be wise to pay heed. And this brings me to the “going beyond” portion, wherein I recommend you...

Encrypt Everything. Do It Now

Encryption transforms information so that it is useless to anyone who does not hold the decryption key. Put simply, an attacker who exfiltrates encrypted data has gained nothing unless they also obtain the key, which changes the defender’s problem from “keep intruders out of every system that stores data” to “keep the keys away from intruders and from anyone with no need to decrypt.” That is a much smaller problem, but only if the keys really are kept apart from the data and access to them is controlled; a key stored beside the ciphertext, or handed to any account with root on the server, protects nothing. Here at Vormetric, we (shocker, I know) believe encryption should be at the forefront of conversations about cybersecurity. We believe that message is getting through, although there is still a misguided reliance on traditional strategies such as malware detection, user identification, password authentication and perimeter controls such as routers and firewalls. As former CTO of the CIA Gus Hunt put it, “When you get through the outer layers, it is pretty easy to get the goods. The data is soft, often unprotected, once an intruder sneaks through the outer layers.”

In the blog post linked above, I walk the reader through some of the key technological and business considerations companies should keep in mind when contemplating an encrypt-everything approach for data at rest. I also discuss the very important question of how to approach privileged users (an administrator who can read every file on a server should not thereby be able to read every record in the clear), and factors to keep in mind when managing encryption keys.

As we near the second anniversary of the Target breach, there’s no better time to get your security ducks in a row. Do it, and do it now.
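To make the “encrypt everything” and privileged-user points above concrete, here is an added example in Go; it is not Vormetric product code and not part of the original post. It seals a record with AES-256-GCM, keeps the key in a stand-in key manager (an in-memory KeyStore that plays the role a KMS or HSM would play in practice) rather than next to the data, and releases that key by principal rather than by OS privilege. The principal names (claims-app, storage-admin), the record name and the sample record are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sealed is what lands on disk: a fresh nonce plus AES-256-GCM ciphertext.
// Without the key it reveals nothing, and any tampering fails the GCM tag.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. The record name is bound as associated data so a
// ciphertext cannot be quietly swapped into a different record.
func Seal(key []byte, name string, plaintext []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(name))}, nil
}

// Open reverses Seal. A wrong key, a wrong record name or a modified
// ciphertext all return an error rather than garbage.
func Open(key []byte, name string, s Sealed) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(name))
}

// KeyStore stands in for an external key manager (a KMS or HSM in practice).
// The key never sits beside the data, and it is released by principal, not by
// OS privilege: the application identity may decrypt; the storage
// administrator who can copy every file may not. Principal names are
// assumptions for this example.
type KeyStore struct {
	key     []byte
	allowed map[string]bool
}

// NewKeyStore generates a random 256-bit key and records who may obtain it.
func NewKeyStore(allowed ...string) (*KeyStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ks := &KeyStore{key: key, allowed: make(map[string]bool)}
	for _, p := range allowed {
		ks.allowed[p] = true
	}
	return ks, nil
}

var ErrDenied = errors.New("key release denied")

// Release hands the key only to an allowed principal.
func (ks *KeyStore) Release(principal string) ([]byte, error) {
	if !ks.allowed[principal] {
		return nil, fmt.Errorf("%w: %s", ErrDenied, principal)
	}
	return ks.key, nil
}

// ReadRecord models someone who already holds the stored blob (full
// file-system access) trying to turn it back into plaintext.
func ReadRecord(ks *KeyStore, principal, name string, s Sealed) ([]byte, error) {
	key, err := ks.Release(principal)
	if err != nil {
		return nil, err
	}
	return Open(key, name, s)
}

func main() {
	ks, _ := NewKeyStore("claims-app")
	record := []byte("member=12345;plan=gold") // constructed sample record
	blob, _ := Seal(ks.key, "member-12345", record)
	if _, err := ReadRecord(ks, "storage-admin", "member-12345", blob); err != nil {
		fmt.Println("storage-admin:", err) // has the file, gets no plaintext
	}
	pt, _ := ReadRecord(ks, "claims-app", "member-12345", blob)
	fmt.Println("claims-app:", string(pt))
}
```

The design choice worth noticing is that the storage administrator is denied even though they hold the complete ciphertext: copying the file is not the same as reading the record. Binding the record name as associated data and relying on the GCM tag also means a stolen or altered blob fails closed instead of decrypting to something plausible.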
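The supply-chain lesson earlier in this post (a vendor’s stolen network credentials becoming an entry point) also has a concrete check behind it, so here is a second added example in Go, again not part of the original post or of any vendor’s product. It states a per-vendor access policy (which source networks a third-party account may connect from and which internal segment it may reach) and runs authentication records through it, flagging a vendor login from an unknown network and a vendor account reaching a segment it has no business in. The pipe-delimited log format, the account names, the CIDR ranges and the sample lines are all assumptions constructed for the example; a real deployment would parse VPN, RADIUS or firewall logs instead.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// VendorPolicy describes the access a third-party account is allowed: the
// networks it may connect from and the internal segments it may reach.
type VendorPolicy struct {
	Account  string
	FromNets []netip.Prefix // vendor's known source ranges
	ToNets   []netip.Prefix // internal segments the vendor legitimately needs
}

// AuthEvent is one parsed authentication record: who logged in, from where,
// and which internal destination they reached.
type AuthEvent struct {
	Account string
	SrcIP   netip.Addr
	DstIP   netip.Addr
}

// ParseEvent parses the constructed "account|src_ip|dst_ip" format used by
// the sample below (an assumption for this example).
func ParseEvent(line string) (AuthEvent, error) {
	f := strings.Split(strings.TrimSpace(line), "|")
	if len(f) != 3 {
		return AuthEvent{}, fmt.Errorf("bad record: %q", line)
	}
	src, err := netip.ParseAddr(f[1])
	if err != nil {
		return AuthEvent{}, err
	}
	dst, err := netip.ParseAddr(f[2])
	if err != nil {
		return AuthEvent{}, err
	}
	return AuthEvent{Account: f[0], SrcIP: src, DstIP: dst}, nil
}

func inAny(ip netip.Addr, nets []netip.Prefix) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Check returns one finding per policy violation: a vendor login from an
// unexpected network (the stolen-credential case) or vendor traffic into a
// segment the vendor should never touch (the pivot case).
func Check(policies map[string]VendorPolicy, lines []string) []string {
	var findings []string
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			findings = append(findings, "unparseable: "+err.Error())
			continue
		}
		p, ok := policies[ev.Account]
		if !ok {
			continue // not a vendor account; employee access is governed elsewhere
		}
		if !inAny(ev.SrcIP, p.FromNets) {
			findings = append(findings, fmt.Sprintf("%s: login from %s outside vendor range", ev.Account, ev.SrcIP))
		}
		if !inAny(ev.DstIP, p.ToNets) {
			findings = append(findings, fmt.Sprintf("%s: reached %s outside allowed segment", ev.Account, ev.DstIP))
		}
	}
	return findings
}

func mustPrefix(s string) netip.Prefix { return netip.MustParsePrefix(s) }

// SamplePolicies and SampleLog are constructed for this example. The HVAC
// vendor may come only from its office range (TEST-NET-3) and may reach only
// the building-management segment.
var SamplePolicies = map[string]VendorPolicy{
	"hvac-vendor": {
		Account:  "hvac-vendor",
		FromNets: []netip.Prefix{mustPrefix("203.0.113.0/24")},
		ToNets:   []netip.Prefix{mustPrefix("10.50.0.0/16")},
	},
}

var SampleLog = []string{
	"hvac-vendor|203.0.113.7|10.50.1.20",  // expected: vendor office to a BMS host
	"hvac-vendor|198.51.100.9|10.50.1.20", // credential used from an unknown network
	"hvac-vendor|203.0.113.7|10.20.3.15",  // vendor account reaching the POS segment
	"jsmith|10.1.2.3|10.20.3.15",          // employee; not a vendor account
}

func main() {
	for _, f := range Check(SamplePolicies, SampleLog) {
		fmt.Println("ALERT", f)
	}
}
```

The point of the second rule is that the policy is about destinations as much as sources: even a login from the vendor’s legitimate address range is a finding if the account is reaching a segment the vendor was never meant to touch. That is the difference between a vendor credential being a door to one room and a door to the whole building.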