The Three Certainties of Life: Death, Taxes, and Getting Hacked
Article on July 17, 2013
“Nothing is certain except death and taxes.” Or so Ben Franklin is credited with saying. I would add hacking to that list. Today’s cybercriminals possess the skills, sophistication, and technology to hack their way into nearly any system in a way that is virtually undetectable.
It wasn’t always so. Historically, human error caused data breaches—the loss of unencrypted backup tapes or laptops, for example. Organizations didn’t implement the controls they do now. Now, encryption, firewalls, and other security measures are standard procedure. These are, and will always be, necessary.
What I see as a whole new threat, however, is the increase in unsecured mobile devices—smartphones, tablets, and such. Data, although encrypted at the enterprise level, flows out to vulnerable access and distribution points that are hard to control. As the infographic A Decade of Data Breach points out, 88.6 percent of healthcare professionals access patient information with unsecured smartphones. Compounding the problem is the volume of raw data distributed to these devices. The world’s computer servers process 9.6 billion petabytes of information a year.
Advanced Persistent Threats Are Like Termites
Hackers can remain in a system indefinitely—a danger known as “advanced persistent threat.” Cybercriminals slip in below the radar and spread laterally, impacting as many systems as they can. With APTs, it has become increasingly difficult to detect an intrusion, and the average time from the initial breach to detection has grown exponentially.
I liken APTs to termites in your home: You no longer know where they first broke in. You have to remove one board—or one server—at a time to discover the source of the problem. And like termites, the problem is very, very costly. Reputational damage, customer churn, lawsuits, fines, and breach response costs can cost a company millions of dollars.
The Decade Ahead: Faced with the “Where” Question
We used to talk about if we are hacked… Then the conversation moved to when we get hacked… Now we should also be thinking: where have I been hacked? The stealth mode of APTs continues, and every organization is going to be faced with the where question.
The security and privacy risks will only increase with the proliferation of devices that can be hacked. In fact, the FDA recently warned the healthcare community of the vulnerability of medical devices to cyberattacks. Endpoint security—granting network access only to devices that meet specific standards—will be the real problem for IT professionals going forward. I shared additional thoughts on the landscape today and the outlook for the next decade in the article A Decade of Data Breach: Tracking an Evolving Threat.