The latest HBO hack and leaked episodes of Game of Thrones shone a spotlight on the need for protecting proprietary data. For every new encryption or password management point solution enterprises put in place, there are likely hundreds of hackers figuring out a way to compromise those security countermeasures. Enterprises need to rethink their strategies to stay one step ahead; otherwise, they are just going to experience breaches over and over again.
Ankur Laroia, Solutions Strategy Leader, Alfresco Software, speaks to Information Security Buzz about how businesses can implement open, transparent processes and change their way of thinking to help protect against cyberattacks.
- What does the latest HBO hack reveal about data security?
The HBO hack highlights that every industry is susceptible to a cyberattack, even entertainment, with sometimes devastating consequences to reputation and finances. It also underscores the vulnerabilities associated with the inevitable proliferation of digital data and – when left ungoverned – the exposure sustained by enterprises. Studies have shown the next year represents a turning point in the digitisation of enterprise content. In fact, Alfresco recently commissioned a Forrester study that found the number of firms with virtually all digital content will shift from 14 percent today to 50 percent in just two years. It also showed that 67 percent of end users have to reference external content every time they onboard new customers or partners, address customer service requests, or manage financial or accounting processes. This scattered content, whether it’s saved in Dropbox vs. on-premises, or some other non-integrated solution, poses a major security risk to enterprises.
- While this was “just” an entertainment hack, are you aware of other industries, such as insurance, accounting and medical, being proactive in preventing the same from happening?
The theft and/or compromising of vital information is becoming a fairly common phenomenon. This tends to be a two-pronged issue; there are threats from outside the company and there are also rogue actors lurking within the organisation’s firewalls. Companies that store PII (personally identifiable information) such as financial institutions, as well as those that deal with patient data (hospitals, labs, health insurance companies) find themselves especially susceptible to attacks. Equifax is a great example of a very recent hack that leveraged a Zero-Day Exploit attack vector to compromise the PII of 143 million people, some of them citizens of the EU. Equifax, like most large corporations, has hardened its perimeter and put in infrastructure-centric measures to thwart hackers from the outside. But to date, little has been done to address the internal environment to effectively inventory, secure, manage and dispose of data/information in the enterprise. Management of data, using an open source platform such as Alfresco’s digital business platform, will help to reinforce security defence measures.
- Do the ways companies protect their data change if they have employees working all around the world?
We live in a global economy and the threats are both exponential and global. With the advent of outsourcing and offshoring, data theft/data compromise are existing risks that organisations must mitigate against. The challenges they face relate to the increasing amount of data, its volume, variety and velocity, which proliferate across systems and span the globe. Companies must adopt good information management practices along with modern technologies and platforms to effectively thwart bad actors.
- Are data breaches the “new normal” for companies?
Data breaches will happen. Most CSOs or CISOs have resigned themselves to the fact that their ecosystems will be penetrated at some point in time. This means that they should have a renewed focus on minimising the exposure, especially of sensitive information, and limiting the surface area vulnerable to attack.
- Are hackers getting more sophisticated? Or are companies just not keeping up with cybersecurity?
Hackers are only getting more sophisticated and organised. There are nation states that have “elite, militarised hacking units” that constantly look for vulnerabilities in closed, black box software, where the code is available for perhaps a few divisions of developers to review. The hacking methodologies as well as techniques and tooling are growing ever more complex and this represents a challenge for companies to evolve their own defences.
- What are the three questions any company should be able to answer about its data security?
Whenever a company examines its own data security defences, it should be able to answer yes to these questions:
- Do we effectively inventory our most vital/precious/sensitive information?
- Are we effectively securing it?
- Do we have consistent protocols that are followed and updated policies that are in place to ensure effective governance/data lifecycle management of these assets?
If they answer no, then it is imperative that they perform an in-depth assessment and audit of their security practices. Failure to do so leaves them more vulnerable to attack.
- What is the biggest issue companies will have to watch out for on the security front over the next year?
In the next year, we will see the further evolution of cyber threats. Hacks like the ones we’ve seen this year and last (e.g. Dropbox, Yahoo, HBO and the NHS), where a handful of vulnerable servers were compromised and then used to take down and steal information, will become more common. Those attacks were meticulously planned, well-orchestrated and impeccably executed. That level of diligence on the part of the black hat community will only continue to grow.
- Where do you see the technology in 3-5 years in regard to preventing security breaches?
The approach to cybersecurity must be multi-layered. Processes within an enterprise should serve to underscore and bolster perimeter defences, as well as gather intelligence about external threats. For this reason, I predict that there will be a greater emphasis on business processes/protocols that help govern information through its lifecycle, coupled with investment in modern platforms such as Alfresco’s to inventory, curate, secure, archive and manage information effectively.