Data breaches, whether they involve leaked data on medical marijuana patients, an unknown source gaining access to an east coast city’s parking payment system, or the nefarious encrypting of contact, credit card, passport and travel information of 500 million hotel guests, all have one thing in common.
“All data breaches have a human element – every single one of them,” said Manish Khera (pictured), EY Canada’s cyber security incident response and investigations leader. “Is an end user making a mistake, is it a nefarious insider, or is it an IT administrator misconfiguring a server so that an adversary has access to it? There’s a human element to all of those. If you look at the basic data breach and what it entails, an adversary needs access to that device they’re compromising and they need credentials to log into that device, so users are deeply involved in that process because they’re the ones that own those credentials.”
Many companies are putting training programs in place to help their employees identify phishing emails that can open the doors to hackers, and while Khera has seen click-through rates that were initially in the 30% range that then dropped down to 15% or even 10% with training, the issue is that even one click-through can expose a company.
“Even with a 2% click-through rate, an adversary can get access to a very important person,” he told Insurance Business, highlighting one investigation where two people in a company clicked on an email and they happened to be the gift card administrator and IT administrator. The cyber attacker then had tons of access – they could change accounts, they could read emails, they could access gift card administration tools, and they could monetize that environment for $250,000 a week for a significant period of time. “Even lowering click-through rate does not mitigate the risk completely. It just minimizes the low hanging fruit.”
To address these people problems, the experience of the end user and the security controls they have to go through need to change.
“There’s a lot of risk around the way we allow our users to authenticate through our systems. We try to make it very easy, [and] I liken it to us living in the 90s,” explained Khera. “We had a certain cyber threat landscape, which is less sophisticated than it is today, and that landscape has changed greatly, but that end user experience hasn’t changed. We’ve not made it harder for end users to log on, and we’ve accepted the fact that they’re used to that.”
It’s no longer a question of when a company will be breached, but when they’ll find out about a breach, and, in that kind of environment, it has to be more onerous for the user to log into systems, which will in turn make it harder for adversaries to log in and wreak havoc.
Moreover, many companies ingrain in their employees that they should be clicking on links in emails.
“We teach our users to click on links. We send them their benefits packages via email, their T4 forms or W2 forms by email. We force them to click on links,” said Khera. “‘Click on these, but don’t click on these!’ That process is not going to work. We have to teach our users from day one, don’t click on any links. We’re never going to send you an email with a link in it.”
In preparation for the inevitability of a breach, companies should ensure they have an incident response plan in place. An effective plan involves escalating the issue of cyber security to key executives.
“Cyber security is not an IT problem, it’s a business problem, so that escalation process should include the business data owners, the CEO perhaps, the chief legal officer, your chief coordinator with the insurance firms,” said Khera. “It has to be well thought out and broad, not just ‘I’m going to call the CISO and ask them what to do.’”
As for his predictions on how the cyber breach and mitigation landscape will develop into the coming years, Khera sees maturity on the part of businesses in becoming aware of and preparing for the risk, though there’s still room to run.
“People are getting smarter about how they build their programs out, how they govern their programs, who’s involved, and broadening that reach of the cybersecurity program outside of IT. I see a lot of CISOs no longer reporting to IT – they’re reporting to legal or risk, so that’s a great step forward and it broadens that view and impact. I think companies are recognizing that we can no longer block adversaries from our environments – we can’t just turn off a firewall rule to make it stop an attack occurring because adversaries are good enough to jump from place to place – so they’re getting better at monitoring the response or learning how to find incidents quickly, minimizing the amount of time that an adversary dwells or sits on a system,” said Khera.
“They’re doing those things proactively now that they weren’t doing five years ago, so I’ve definitely seen a maturity and growth forward. Now, are we where we need to be? I don’t think we’re at an inflection point yet because I still haven’t seen great grasp of the idea that we’re going to make it more onerous for end users to log into systems. It’s still quite simple [and] a lot of companies have single-factor authentication versus a more rigorous process where you might use a token of some sort on your phone to log on.”