Anyone who has watched the news in the past several months has seen the chaos that ensues when a high-profile company has its data breached, leaking sensitive customer data into the hands of cybercriminals. I sympathize with these firms in some ways, since it’s impossible to anticipate every attack or prevent every data breach. At the same time, that isn’t especially reassuring for those who have had their information stolen. What would be a lot more encouraging would be having organizations invest in an integrated threat protection system that protects both company assets and customer data.
Admittedly, I’ve been a pretty lucky consumer. I breathed a quiet sigh of relief when I read about some of the most damaging attacks, because it’s never been my data that was compromised.
Being the Victim of a Breach
Early last month, I received an email from my health insurance provider telling me it had been breached. The email detailed what was leaked, including names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information such as income data. It also advised me that the company didn’t think credit card or banking information had been hacked.
While I’m thankful for small favors such as my banking information not being swiped, that’s scant comfort. With all that information in the hands of would-be criminals, entire identity theft seems possible. Like a friend of mine whose data was included in a recent breach said, “I can cancel my credit card, but I can’t cancel my Social Security number. Conceivably, someone could open a mortgage in my name a decade from now.”
Another part of the communication told me that cyberattackers engineered a sophisticated attack that had almost a two-month duration from early December to the end of January.
Here’s where it really gets frustrating. Many online reports point to a general “culture of security” in the health care industry, which is ironic, considering a recent Reuters story that claims a health care record is worth 10 times more than a credit card number on the black market.
Stealing Customer Data: Simpler Than You Think
More important is my provider’s claim that it was a sophisticated attack, which might lead you to believe it was so skilled that no one could have prevented it. However, some sources indicate it wasn’t sophisticated at all. Instead, it might have targeted known weaknesses in my provider’s system through a phishing scam. The source also points out that it wasn’t the company’s security system that picked up the hack; instead, it was a human who was simply paying attention.
I tip my hat to the person who discovered this attack. While employees should always be any firm’s first line of defense, employee vigilance should be coupled with a comprehensive threat protection system that enables companies to prevent even the most sophisticated attack, detect security threats across their infrastructure and respond instantly to security incidents that do occur.
Implementing a robust solution that is nimble enough to scale across an organization’s systems often isn’t as easy as opening a box and pushing a button. However, the technology does exist, and it’s certainly more reliable than depending on an alert employee to notice when data has been compromised.
Security expert Scot Terban put it best when he said, “The problems with many corporations stem from a lack of security awareness as well as presence within the org to instill secure practices like patch management and employee awareness on what a phish looks like and how to detect them.”
I hope these companies are listening, because you can bet the next cybercriminal looking to hack their system is.
IBM Films Presents: Hacked! the Movie
Public Information Officer, IBM Security X-Force
Mitch is the Public Information Officer (PIO) for IBM Security X-Force. Mitch is a well-known voice in the cybersecurity realm, and the author of several tho...