A data breach is one of the biggest challenges for organizations. According to Privacy Rights, the US has seen more than 20,000 data breaches in the last 20 years.
Breaches drain companies financially. For instance, a few years ago, a collections company filed for bankruptcy after a breach. In 2022, IBM and the Ponemon Institute found that the average global cost of a data breach is $4.35 million. The average cost of a breach in the US is a whopping $9.44 million.
The cybersecurity industry has a lot of work to do to fight against security breaches. John Overbaugh, Chief Information Security Officer (CISO) at Alpine Software Group (ASG), shared some insights with Robert Booker, Chief Strategy Officer, and Jeremy Huval, Chief Innovation Officer at HITRUST, in the podcast Trust vs. Breaches.
Here are some key takeaways from their conversation. To listen to the full episode, tune into your podcast streaming platform.
What are the causes of data breaches?
The book Big Breaches: Cybersecurity Lessons for Everyone identified six leading causes of data breaches. These are phishing, malware, compromised third parties, unencrypted data, software vulnerabilities, and employee errors.
To prevent such security breaches, organizations should adopt basic blocking and tackling techniques. They need to maintain good cybersecurity hygiene practices. However, cybersecurity hygiene is often ignored. Companies choose to innovate and develop new features to attract new customers instead of investing in building an inventory of all the assets and endpoints in their environment.
Another problem is that there is no common definition of good cybersecurity hygiene. When building its latest Essentials (e1) Validated Assessment, the HITRUST team worked to close this gap by selecting essential controls needed to achieve good cybersecurity hygiene.
How should you protect your organization?
Companies need a comprehensive security strategy. A security program that relies solely on prevention is ineffective and incompetent. The best approach to protecting your organization is to have good preventive and detective programs that flag and stop unusual behavior. When someone gains unauthorized access, a good detective program prevents them from going far. On the other hand, a lack of a detective program means someone can own and operate your network for months.
Another critical approach is understanding that third-party companies may have incompetent information security. It is difficult to identify these third parties unless you dig deeply. One of the most critical steps before partnering with a company is to assess it and obtain a trusted assurance.
Are there false assurances?
Companies might say they hold X compliance or a Y certification and still be breached. This could be because their chosen assurance program does not do enough to protect them.
Some assurance programs ask companies to declare which security controls they have in place, and then check only those controls for effectiveness. Several assessments evaluate basic technical controls. However, to manage security from a risk-based perspective, you need to go beyond technical controls. You should look at your policies, procedures, processes, and how you educate your employees. You need to have a broader range of controls in place beyond the technical ones.
Look for the most prescriptive assurances, like HITRUST certifications. HITRUST assesses organizations based on required controls depending on their data, industry, and emerging threats.
What should you do after a data breach?
The first thing to do when you suspect a breach is to stop, step back, and refer to your policies and procedures. A mature company has documented guidelines on how to approach such a situation. Follow the plan. Ask for help. Include incident response experts who have the knowledge and skills to quantify the scope and tackle the problem. There may be ways to contain it and protect the rest of the data.
A major breach can end up in the spotlight. How the company responds can determine the impact on the company’s reputation. After being breached, the most important thing is to be forthcoming. When organizations attempt to underplay or pretend a breach isn’t a serious issue, they lose the trust of their stakeholders and customers. Companies that are open are best able to restore trust. Companies need to follow an open strategy with good communication.
For example, when RSA experienced the first-ever breach attributed to an advanced persistent threat actor in 2011, the company took a leadership position in the industry. It explained what happened, educated the industry on Advanced Persistent Threats, and took the initiative to teach the industry how the attack worked and why it happened. Similarly, in 2020, Mandiant/FireEye was upfront about teaching the industry how foreign actors attacked its network.
Is there anything good about a breach?
While breaches are bad, can anything good come from them? Breaches result from previously unknown vulnerabilities, so they can help companies identify new and potential vulnerabilities and make corrections. Companies may bring in additional expertise to resolve a breach, and that collaboration and knowledge sharing can strengthen their security posture. Breaches can also provide an opportunity to share lessons learned with other organizations in an industry so that they can avoid the same perils and potential pitfalls.
There’s much more to learn from security breaches and how to protect your organization. For more insights on Trust vs. Breaches, check out the full episode.