It’s typical at this time of year to look back at the previous year’s data breaches and high-profile exploits and say things got worse. However, in 2014 things really did get worse from the standpoint of damage to some of the biggest organizations globally.
We all felt the pain: from the direct impact on enterprises and the direct impact on consumers in the wake of retail industry breaches, to the indirect impact on businesses like wasted time cycles, downtime and mis-allocated resources, and the indirect overall impact felt by consumers - like NOT making purchases at specific retail stores or websites, or perhaps NOT investing money or doing business with financial organizations after a security breach.
We've seen enormous swings in the finances and in the confidence of organizations, attributed to this year's attacks. But it’s not really just about the attacks. They are going to happen. I'd argue that it's more about the nexus of forces around the way organizations and employees are computing, and the devices (endpoints) that are used for multiple purposes within the corporate network.
One could make the case that attackers rule the world and that no one is safe. The opposite could also be applied, in saying that organizations KNOW what they need to do, but just can't get there from a resource, time cycle or a technology perspective...and that attackers don't in fact rule all.
The increased demand for ease of use and 'access to' means more data in one place for attackers to take. Social worlds, proprietary information and data consolidation are colliding in the workplace, and applications like Facebook, iCloud and even business-focused apps like Dropbox are bringing a major element of risk from a data-centric point of view.
Ease of use flows into everyday actions like paying for items, either online or at POS terminals, and consumers, payors, retailers and the technologies safeguarding transactions all felt the pain in 2014. So much of this 'pro-sumer' activity online, for example, can impact corporations when employees do dumb/bad things on corporate machines. The residual impact can be devastating.
From a macro perspective, organizations need to look at two key things: how they manage their security and make decisions - otherwise known as process - and how much importance they place on integrating new technology into their environments. They also need to understand how enterprise technology on the back-end impacts customers.
Getting these fundamentals right will ultimately push organizations to better capture attacker behavior and purpose-built malware in real-time. Additionally, it will help teams to add a level of seamlessness into their stable of security solutions, to at least have the opportunity to prevent an incident from becoming a full-scale breach.
The average consumer or non-technical employee at Company X won't know the difference on the back-end, and won't understand the complexities of how security teams do what they do, or even what the attacker activity is leading up to.
However, there are technologies in the market that work far better than antivirus or simple firewalls in terms of actually kicking attackers out of your systems, detecting their presence and precise activity - early and often - and that can help counter the skills and technology that they use to effectively 'own' enterprise systems. Again, these tools can help contribute to a healthier consumer outlook if companies promote security publicly or simply aren't breached...and better security ultimately contributes over time to better consumer confidence.
The impact on customers of big banks and large entertainment companies is critical, since PII and credit and debit card info is supplied willingly in purchase transactions. Blind trust can ultimately lead to bad decisions and data compromise, but companies can earn that trust back by implementing better security controls, just as consumers can make small behavioral changes to be safer.
From the consumer standpoint, thinking about the following practices to safeguard your data will help your security profile for 2015:
- Use debit and credit cards that incorporate chip-and-PIN technology
- Don't use debit cards at payment kiosks
- Don't provide any personal information online unless you know the site verifies and encrypts the information you enter
- If you use Google Pay or Apple Pay and link your credit cards and bank account for easier purchases, use two-factor authentication
From the point of view of the user, or the non-technical employee in the workplace - whose inadvertent actions contribute to over 90% of data theft - think about the following:
- Demand that your employer provides regular security training so you understand the real threat and impact
- Don't ever click links in, or respond to, an email from someone you don't know, or if there is any doubt about the authenticity of the sender
- Don't ever provide financial details over email
- Cool it with social media - attackers are ramping up better tools to steal your identity and learn more about you than you really want them to know
- Lock down your mobile phone - password-protect it, password-protect every app, and if you don't know how, yet you use your phone for or at work, ask your IT or security guy how.