Updated Ed. Note:
We continue to see a rash of data breaches that impact organizations ranging from Equifax, the SEC and most recently, Deloitte. It’s clear the challenges of commercial and government cybersecurity continue to converge. Their causes are myriad, but the fact remains: these were all preventable had the affected organizations applied cyber best practices and monitored typical behavior and data access.
This blog originally contained a statement from Dr. Richard Ford, the perspective of our senior vice president and general manager of global government security, Tim Solms, and some comments from the point of view of a financial services organization. We’ve added thoughts on Deloitte from Brandon Swafford, CTO of Data Protection and Insider Threat Security at Forcepoint
Today's disclosure on the cybersecurity breach at Deloitte, along with the recent Securities and Exchange Commission (SEC) and Equifax news, appears to be a malicious attack, but could also be tied to a compromised insider. News like this underscores the risks posed by partners, suppliers, and other parties within the supply chain, as elucidated by SEC chairman Jay Clayton.
Brandon Swafford, CTO of Data Protection and Insider Threat Security at Forcepoint, had this to say about Deloitte:
Deloitte. The SEC. Equifax. Three weeks. Three major breaches. Three unique challenges. One important lesson learned. The industry must quickly focus on the crossroads between people, process and technology to adequately address these unyielding security threats. Today's news of Deloitte's breach, reportedly resulting from a lack of multi-factor authentication that led to access of sensitive data in the cloud, highlights that a focus on any one security risk point is not adequate.
Organizations must start with a focus on their people and how they use and access critical data and systems. The only way to stop these cyber threats is to first understand normal user behavior and normal movement of data in and out of the company. Behavior analytics that flags risky behavior or unorthodox usage of cloud applications can separate the signal from the noise and help security teams quickly identify potential breaches and stop them before they happen. Companies can then complement this human-centric security approach with internal training, policies and processes to help employees and partners understand what’s expected of them. A focus on any one of these only puts more risk in the other.
Last week, Forcepoint chief scientist Dr. Richard Ford shared his thoughts on the SEC breach:
"Companies today aren’t secure. Period. The current security model simply doesn’t work. The new revelations from the Securities and Exchange Commission (SEC) raise deep questions about organizations’ ability to protect highly valuable data, and the ways in which attackers can exploit even small security gaps to gain access to proprietary information. While adversaries ceaselessly search for vulnerabilities, the humans protecting these systems are constantly on the defensive.
In the days ahead, there will be much debate over accountability and potential solutions. Enterprises and government agencies need to take a human-centric approach to security that focuses on the data we are trying to protect and the ways both humans and machines access it. Looking for anomalous behavior and irregular access of the EDGAR data would have helped the security teams respond more effectively. Understanding the intersection of people, data and networks is without question the best path to building effective security and compliance programs. We need no further proof that the existing paradigm has failed.
The idea expressed by Chairman Clayton regarding the importance of resilience and recovery is laudable, and represents important steps for cybersecurity. At the same time, we must redouble our efforts to not just improve security, but to look critically at the role of people and understand how changing the paradigm entirely may have more substantial cybersecurity benefits long-term."
Forcepoint’s senior vice president and general manager of global government security, Tim Solms, spoke to the unique concerns and risks of government suppliers:
"As the SEC chairman explained in his statement on cybersecurity, securing the global supply chain is essential to protecting critical data. Today it is apparent we must view the supplier or contractor as a type of insider – these are people and organizations with legitimate access to a network be it through software, systems or cloud applications. This is the new battlefield by which cyber attacks play out and we can expect these to grow larger and more malicious as companies trusted to protect our most valuable consumer, financial markets and national security data continue to be targets.
The Department of Defense has taken an important step in securing its global supply chain with the new NIST SP 800-171 requirements suppliers must comply with by December 31, 2017. Standardization of security protocols across industries is the next step both public sector and commercial enterprises should partner on to address the reality of today’s threat environment."
And finally, we know that our partners and customers in the financial services industry are watching this news very closely, as they seek to protect their own institutions from cybersecurity risks.
Thomas Frank, system administrator of Simplicity Credit Union said:
“It seems simple, but as we’ve seen with the SEC announcement, it’s more important than ever for financial institutions to protect against employee and user risk. Whether compromised maliciously or accidentally, credentials of users are the keys to the data kingdom. In a highly regulated industry like financial services, we must educate our teams on proper cyber hygiene and consider strategies and technologies that are more intelligent and efficient than the traditional model, which clearly isn’t working, to protect our people and our business.”
Allan Black, President, Internet Content Management (ICM) shared:
“Meeting today's security challenges, especially within the vulnerable supply chain of highly regulated industries is critical. With secure supply chain requirements like NIST SP 800-171 and today’s news related to SEC breach, it’s clear threats to the supply chain are inordinate and escalating. Organizations must ensure their partners and vendors are implementing security systems that focus on the inherent vulnerabilities created by networks and human behavior to combat threats that escalate in scale often due to risks associated with the end user business activities.”
And Brian DiPaolo, Director of Strategic Services, Accudata Systems told us that:
“While unfortunate, the SEC breach is the latest reminder that more effective and efficient security controls are needed. We must shift our cyber strategies and resources, recognizing that people are the most vulnerable point within a business or government entity. Ultimately, organizations have to realize that it’s people looking to exploit people, machines are simply an avenue for access. We must acknowledge that fact, and prioritize direct protection of data, to avoid incidents like this in the future.”