The average cybersecurity data breach costs more than $3 million. How can you avoid that cost? And how can your company avoid falling prey to hackers?
Not long after the Internal Revenue Service reported a data breach in late May that affected more than 100,000 people and resulted in more than $50 million in refunds tied to fraudulent returns, security experts chimed in and chided the federal agency for not installing better protection. Never mind that the IRS claimed to have stopped more than 3 million other suspicious claims, or that it reported this breach itself: There were millions out in the open here -- our millions -- and, besides, data breaches always make for sensational headlines.
No matter the industry, no matter the size of the company, hackers want to find their way in, and they likely will. Big names like Home Depot and Target flooded the news during the last year and a half with significant data breaches, but numerous major manufacturers have fallen victim, too.
Electronics manufacturer Foxconn was breached back in 2012 by a hacktivist group that released every employee's login information. Two years earlier, Honda was hacked in a breach that revealed millions of vehicle identification numbers. Boeing, meanwhile, was compromised repeatedly from 2009 until 2013 in an effort by foreign nationalists to filch defense program manufacturing plans. And those were just some of the bigger names and breaches that were actually made public. Plenty more were kept quiet.
"There's a temptation, when looking at privacy and trust, to think of it as primarily a technological problem," said Doug Cutting, chief architect of Cloudera and the founder of numerous open source projects, including Lucene, Hadoop and Avro. "I think technology can play a key role -- we need to encrypt things, we need to manage the keys for encryption in careful ways, we need to follow best practices -- but it's not the whole story.
I think technology can play a key role -- we need to encrypt things, we need to manage the keys for encryption in careful ways, we need to follow best practices -- but it's not the whole story.
"Technology can be defeated, we've seen again and again. Just because you encrypt something, just because you put up a firewall, it doesn't mean people aren't going to get in, just like just because you have police, it doesn't mean people aren't going to break laws."
A handful of recent studies tab the average cost of a data breach from $3.5 million to $6 million. How can you protect yourself, your company and, with more and more connections to the Internet of Things (IoT), the operations of your factory?
First, be aware of the security differences that are a part of IoT devices. Any IoT device connected to the cloud provides a greater opportunity for outside sources to compromise and breach your equipment and your operations. But how much greater? A study released last year by Hewlett-Packard reported that 70% of the most commonly used IoT devices contain at least some vulnerabilities, notably password security and encryption, but also denial-of-service attacks and software shortcomings.
"The Internet of Things presents a challenge in fending off the adversary given the expanded attack surface," said Mike Armistead, vice president and general manager of Fortify, part of the Enterprise Security Products division of HP. "It's more important than ever to build security into these products from the beginning to disrupt the adversary."
Perhaps the easiest way to guard against threats to IoT devices is to treat them like you would any computer already on the floor. Use the same kinds of alphanumeric passwords, require regular password changes and make sure employees are aware of the protocol (more on that later). The most recent Data Breach Investigation Report, released by Verizon in April, reported that "no widely known IoT device breaches have hit the popular media." That's not to say that none have, nor that none will, just that they aren't a major factor right now.
Don't underestimate seemingly small threats. Even a single rogue hacker can halt production for a shift or longer. Tim L. Bryan and his team were called in late last year to clean up after a breach that a client believed was an external attack on its website. Malicious, sure, but nothing enormous in scope, just a hacker showing a company its technology was vulnerable.
"Our first step was to triage what happened, then ultimately stop another attack from happening," said Bryan, the director of forensic accounting and technology services at Crowe Horwath. "We were able to determine who did it -- a foreign entity known for exploiting websites with an outdated component, then defacing them -- and when we started the investigation, it took a different turn. We found out, months before, they'd been breached and they didn't even know it."
This isn't new, of course. Back in 2012, former Wired senior writer Mat Honan wrote a story for that magazine titled Kill the Password (or Kill the P@55WØrD, if you will) that detailed a history of password interception and data breaches stretching back to the Peloponnesian War more than 2,400 years ago. The practice has definitely evolved, right alongside the technology.
Bryan managed to clean up the mess, and he noted that a large chunk of hackers are "more interested in the notoriety of accomplishing the breach." But even though your devices and information are about as likely to be compromised by bored teenagers as they are by organized criminals, Bryan said, "Companies need to understand what systems they utilize, have good documentation, actively monitor for vulnerability, and run patches and updates. They need to know how good their incident response plan is, and they need to know that, as soon as that incident response plan is put into place, it's almost out of date."
Always have a data security plan in place, experts advise, starting with risk and threat analysis, right through security policy mapping, incident response policies and procedures, testing and review.
Keep in mind your legal responsibilities for a possible breach. "We had a client who experienced a data breach six or eight weeks ago," said Michael Marrero, partner and co-chair of data privacy and information security at Ulmer & Berne LLP. "This is a client who does have some consumer sales, primarily through its web site, but mostly sells to third parties." Because of the nature of the company's sales -- not many direct consumers -- officials were hoping to slide under the radar. State statutes, however, required notices to be mailed to every affected customer, as well as regulators in each state where at least one of those customers lived.
"One of the ways where we realized the client realized it wasn't ready for a data breach like that was in the security and protections in place for its electronic data and also in its relationship with its vendors," Marrero said. "One of the first things we did when we got word of this data breach was reach out to those vendors,and learn what we could hold them responsible for."
His client, unfortunately, had signed contracts with the vendors that severely limited the liability, a "rude awakening," Marrero said. Make sure all outside contracts have language regarding data breach responsibility, so you're not caught off guard later.
Never forget the human aspect of security. The human element is a more common culprit in data breaches than you might think. Christopher Wilkinson, a data security manager at Crowe Horwath, leads teams who go in and attempt to identify and determine vulnerabilities. He has tested some organizations for a decade, and every year they struggle just because of simple mistakes people make. "We do penetration engagement testing for between 200 and 300 organizations on an annual basis," he said. "If you give me a list of 100 names within an organization, I'm always going to be able to find one or two individuals who are susceptible to ploys" as simple as email phishing.
According to the Data Breach Investigations Report, email attachments constituted about 40% of breaches in 2014, and an email link about 35%. Inform your employees on policies regarding the use of confidential data, and perform regular security awareness training.
"Nothing's really secret anymore, unless you work for the government," said Sami Luukkonen, a senior manager at Accenture. "For those of us who work for public companies, all the security breaches become very public very soon, and that's when you lose the trust."
With the IoT growing exponentially, connectedness offers an exciting avenue to improved productivity and profitability for manufacturers. But that same connection offers a potentially catastrophic vulnerability for your company and its facilities. And it's doubtful the risk will lessen anytime soon.