Every day. It feels like every day there are yet more headlines of major enterprises or institutions suffering devastating data breaches. It can make any IT director sick to their stomach thinking about how their business might be next—as it very easily could be.
What is causing this current tidal wave of data breaches? And what can enterprises do to keep themselves out of the papers? We asked Maxim Emelianov of HostForWeb, a web-hosting site, 4 questions on the epidemic of data breaches and what might be done to stop them. Here’s our conversation, edited slightly for readability:
1. Data breaches in the U.S. are at an all time high. What is behind this crime wave?
A few factors are at play here. First, there’s the fact that the digital threat surface for your average business has never been higher. The Internet of Things (IoT) is a prime example of this trend. Over the past few years, we’ve seen more devices being brought online than ever before.
Everyone either has connected tech, or is looking at it—everything from fridges and smart TVs to coffee makers and light bulbs. All that stuff is incredibly convenient, but there’s one glaring problem with it—it’s horribly insecure.
We’ve got a ton of vendors—people who are used to making home appliances—and they’re putting out devices that have firmware and an Internet connection. It’s foreign ground to them; they’re consumer companies, not tech companies. Unless someone holds them accountable, they aren’t going to bother with security. Time to market is way more important to them. Where this comes into play in the enterprise is that connected devices can be used as a springboard to gain access to a business’s internal systems, and hackers know that.
I remember a few years back, I saw a presentation where someone demonstrated how an entire network could be compromised through an Internet-connected tea kettle. That’s the sort of thing we’re dealing with here.
It isn’t just IoT devices, either. Smartphones and tablets, cloud apps, contractors and vendors and business partners…the number of ways someone can break into a business are nearly endless. If they can’t get in through you—if they can’t break your security or fool your workers with a phishing scam—they’ll simply target one of the organizations you work with.
Speaking of hackers, they’ve gotten more advanced, too. We’re seeing some pretty disturbing trends in that regard, like rental botnets and Hacking-as-a-Service. And then you’ve got state-sponsored groups like Fancy Bear.
It’s a really bad combination – a perfect storm of security threats that end up being a complete nightmare.
2. Why are these data breaches occurring now as opposed to, say, three years ago?
I think [it is] the fact that businesses have now embraced the digital world with such gusto—which is great. The problem is that a lot of these organizations that have gone headlong into mobility and the cloud and the Internet of Things have done so without understanding the risks. They’ve done so without adjusting their thinking and accounting for the fact that modern security requires a completely different approach.
3. Where are businesses most vulnerable digitally?
Their people. I honestly don’t think that answer is ever going to change. No matter what you do with your security, no matter how much you shore up your firewall or how many layers of authentication you add, your employees are always going to be your weakest link.
Just look at how many data breaches and security incidents we’ve seen in just the past few months whose cause is inarguably human error. It’s telling.
4. What, in your opinion, is the missing piece to enterprise cybersecurity? What should businesses be looking for to prevent data breaches?
In my mind, the most important thing for any business to do is to start bringing people other than the IT department into the conversation. While it’s certainly possible to lock down your data and prevent files from ever leaving your security perimeter, you aren’t going to succeed against your competitors if you do that. IT must endeavor to understand the needs of their users, and meet those needs without sacrificing anything.
There are plenty of tools that I think will prove integral in that regard. Content collaboration tools, for example. And endpoint management platforms. And advanced authentication that uses factors like biometrics or behavioral data. But ultimately it all goes back to a question of culture—to making other people care about cybersecurity by giving them a stake in it.
Thanks again to Maxim Emelianov for his time and expertise!
- Best Books for Defending the Digital Perimeter - September 14, 2021
- Apple Vulnerability Places All of Apple iOS at Risk - September 14, 2021
- CrowdStrike Releases 2021 Threat Hunting Report from Falcon OverWatch - September 13, 2021