2011 saw a shift not only in targets but also in attack vectors. Smaller targets with fewer defences in place, and more external attack sources, characterise the breaches reported last year. Sure, there were the "biggies" like HBGary and Sony and RSA, but larger organisations typically have enough resources in place that a hacker will leave footprints, which in turn can lead to prosecution. Hackers want to avoid this, and what better way than to target a smaller or mid-sized organisation, writes information assurance official Ann Marie Keim, CISSP
One thing that remains a constant is an organisation's reluctance to report a successful breach unless extreme circumstances force it. Many things come bundled with the announcement of a breach, none of which is considered positive from a stakeholder's view: loss of reputation and impact on present and future business and customers, to name just two. The old adage that there is no such thing as bad publicity doesn't quite ring true for the victims of a successful hack; just ask the officials from Sony.
A review of reported successful breaches for 2011, as stated by privacyrights.org, a clearinghouse website that, along with other similar sites, tracks such statistics for US companies, breaks down like this:
- 49 against financial/insurance;
- 80 against retail/merchant;
- 57 against educational institutions;
- 74 against government;
- 190 against medical; and
- 9 against non-profit organisations.
The UK must abide by the restrictions stipulated within the Data Protection Act (DPA), and several outlets are sources for similar information. Among the requirements in the DPA is: "The data controller must take appropriate steps to ensure security, bearing in mind what is reasonable in the circumstances in relation to the nature of the information held; the harm that may be caused to individuals if the security of the information was breached; the cost of implementing security measures; and the current state of technological development." Financial services regulators levy additional requirements, and fines are steep for non-compliance: the FSA fined Nationwide £980,000 in respect of a stolen laptop which could have been used to further financial crime. (Source: yourrights.org.uk)
Why the big discrepancy between the medical sector and all the others? It's a multi-pronged answer, but it boils down to mandatory and regulatory compliance. Reporting for privacy records and medical incidents must cover both electronic records and paper records, thereby including all those small offices that still rely on paper charts and records.
The rest of the sectors would do well to follow in the medical arena's footsteps, with or without mandated government oversight. By pooling knowledge of successful breaches, trends can be spotted earlier, and effective mitigations can offer a measurable result (thereby making it easier to make the case to management for the necessary funding) and be implemented more quickly across industries. Lessons learned help not only the victim organisation but also other organisations, by spotlighting real-life security issues and the measures taken to avoid repeats. Economies of scale can come into play when companies in the same sector join together to expand their purchasing power for defence tools. We're all in this fight together, and can only benefit by pooling our expertise as we struggle to defend against the moving target of the advanced persistent threat and malicious activity.
This was first published in January 2012