It’s particularly galling when a company specializing in security issues gets monumentally hacked. That was the case for Stratfor, which suffered a massive data breach just before the holidays that exposed thousands of client names, e-mail addresses and credit card numbers. Adding insult to injury, hacktivist group Anonymous revealed on Twitter that it was able to get at the data because the company hadn’t encrypted them, according to the Associated Press. Stratfor’s travails serve as a reminder to all companies that they need to get their cyber security policies and practices in order. Here are some issues to consider.
1. Beware of the mobile threat.
Mobile devices have become ubiquitous and more powerful. Companies can no longer just protect employees’ laptops, but must be aware of tablets, smartphones, iPods and anything else with a brain and wireless connectivity. Inadequately secured devices, if stolen, can give thieves access to corporate networks, allowing them to steal sensitive data.
Employees downloading new apps may download keystroke-logging software as well, giving hackers access to their credentials—but few people have anti-virus software installed on these devices.
“2012 is going to be a significant year for mobile threats enterprise-wide because so many devices are being adopted,” says Dave Marcus, director at security firm McAfee Labs. Companies “have to start looking at mobile devices like other devices—‘If it’s got data on it, it’s got my corporate data on it, then I’ve got to manage and secure it like every other device on my network,’” he adds.
2. Review privileges.
Do all users really need all the access rights they now have? Keeping privileges to a minimum limits the damage hackers can do if they get into a user’s account, as well as the damage employees can do on the way out the door.
Controlling privileges can also help with compliance since “most regulations, including SOX, HIPAA, GLB and PCI, have a clause on the level of access to key IT assets,” says Jim Zierick, executive vice president at security vendor BeyondTrust.
But privileges can be hard to manage, especially in big organizations with lots of applications. “Users are proactive about acquiring access they need or want, but rarely ask for access to be taken away even if they no longer need it,” says Michael Bennett, chief information officer for the U.S. unit of defense contractor BAE Systems.
One option is to roll out a centralized system to allocate and manage privileges, which allows for quick changes if employees are hired, fired, move internally or temporarily need special access for a project.
Companies should move beyond automated provisioning, access control and auditing solutions to add a new security control and abstraction layer that sits between the information and the people who use it, Bennett says. This allows the data to be displayed in a way that the particular user—and device—needs to see it, “while denying access to anything not specifically required by and permitted to the user,” he adds. “Apart from the huge security gains, this architecture makes it much simpler to support the many different kinds of access devices that users want to bring to work.”
No system is completely hacker-proof. If a security hole—or human error—allows key data to leak out, companies must be ready to deal with it quickly and effectively. And that’s going to require more effort than before.
The Securities and Exchange Commission’s guidance issued in October reminds public companies that breaches could be considered material events that need to be disclosed, says Richard Bortnick, an attorney at Cozen O’Connor. Private firms may be affected if they are suppliers or partners of a public company.
States are also rolling out or toughening up disclosure laws, including California, Bortnick says.
After a breach disclosure, companies should be prepared for lawsuits, says Bob Parisi, senior vice president at consultancy Marsh. As the result of a recent court ruling, plaintiffs no longer need to show actual harm or imminent threat of harm, but simply increased risk of potential harm to take their cases to trial, he says.
And lawsuits are now being filed faster, just days or even hours after a breach is disclosed rather than months later, Parisi says. Companies need to respond quickly to a breach, which may involve more than just offering credit monitoring to clients whose information has been compromised, he says, and remedies should be relevant.
“If you’re a hospital losing patient data, offering credit monitoring might not be the most appropriate response,” Parisi says. “If what you offer is the wrong remedy or no remedy at all, you’re basically waving a red flag in front of the potential plaintiff class.”
4. Encrypt, encrypt, encrypt.
In the past, encryption slowed down systems and inconvenienced users, so it was used only to protect data traveling over the Internet. Technology has improved to the point where companies can encrypt data that’s stored on mobile devices, moving across internal networks, even stored inside databases, without adding lag or hindering productivity.
The new technology operates on a more basic level, even embedded into the hardware. If a breach occurs, the stolen information can’t be used and no disclosure is required.
One organization taking this approach is AGS Capital Group. “The risks and penalties of breach laws are increasing, so we are looking at increased and mandatory encryption on all employee computers and laptops,” says Allen Silberstein, CEO and chief investment officer at AGS. “So if the hard drive gets into the wrong hands, the information remains protected.”
5. Add new authentication mechanisms.
Most applications require only a user name and password. Companies have been reluctant to ask customers to use a second form of authentication, such as an additional password sent by text message.
As breach notification requirements and costs escalate, companies should take another look at second-factor authentication, says David Miller, chief security officer at Covisint.
In the past, the second form was often key-chain fobs that generated one-time passwords—and employees who misplaced their keys would be locked out of the system. But the solution now could be a cell phone.
“A mobile device can run a one-time password-generating app to supply a PIN for network access, hold a digital certificate that uniquely identifies the device or can receive an automatically generated text message with a one-time password to authenticate each login,” says BAE’s Bennett. “Using a mobile device that a user already has, as opposed to issuing another physical device for authentication, makes a lot of sense.”
For a look at what the Securities and Exchange Commission wants companies to disclose if they’ve been hacked, see SEC Provides Guidelines for Disclosing Cyber Attacks.