Orlando Scott-Cowley, director of technology marketing at Mimecast, looks back on the Target and Home Depot cyber attacks, and asks what the future cost of cybercrime will be
It’s now been a year since the Target data breach that affected tens of millions of customers at the height of the Christmas shopping season and it appears that little has changed in the world of corporate IT security.
While Target can delight in being back on track, having just announced its first profitable quarter since the attack, it’s clear that security has still not made its way to the forefront of many other companies’ priorities.
Addresses and bank cards at risk
Only in November, the hardware emporium, Home Depot, disclosed that the breach it suffered back in September actually resulted in the loss of 53 million e-mail addresses and put 56 million payment cards at risk; exposed using similar malware to that used in the Target attack.
The US Postal Service (USPS) is also being scolded by members of a congressional subcommittee in a hearing over its response to the recent data breach that impacted both its network and employees. Despite learning of the breach on September 11, the USPS employees affected weren’t notified of the incident until November, nearly two months after it was first discovered, and after the news had made headlines around the US.
Examples such as these clearly highlight that IT security is far from an urgent concern in many companies, despite monthly if not weekly accounts of new weaknesses, viruses and hacks and the increasingly staggering cost they incur. A study by the Ponemon Institute earlier this year found that the average cost of a corporate data breach increased 15 per cent in the last year to $3.5 million, while the cost suffered for each lost or stolen record now averages at $145.
The truth of the matter is that these costs are only set to rise as the arms-race between vendors, their customers and the attackers, continues to pick up pace. Standing still or not evolving to meet the speed of your adversary is not an option.
One example of a new battleground is device malware. So far we’ve been left largely unscathed, with the biggest risk being purely from malware-laden apps. With the rapid proliferation of smartphones, however, it is inevitable that in 2015 and beyond we will start to see increasingly advanced malware targeting Android, iOS and Windows users as a mechanism to gain access to the corporate networks they connect to. We’re also likely to see malware specifically targeted at mobile via email and web browsing – this old tactic will circumvent the security checks that are applied to apps in vendor stores – as attackers look to collect more enterprise grade user credentials that sit, unprotected, behind gateway security services.
The IoT risk
Beyond the problem of smartphones and tablets, the rise of the Internet of Things and wearable devices is sure to present another problem for the security industry. Gartner recently forecast that connected devices (not including PCs, tablets and smartphones), will grow from 0.9 billion in 2009 to 26 billion units in 2020. This phenomenal rise of connected technologies will undoubtedly be a clear target for cybercriminals looking to capitalise on their new-found access to consumers, businesses and governments.
As cyber criminals focus their efforts on these consumer products, it’s highly likely that we will also see a move towards attacks on consumer-grade cloud services. As cloud use grows, we can expect to hear about more holes and exploits that have already been manipulated in cloud services, similar to those reported in the past six months in consumer tools such as iCloud, Dropbox, LastPass and in social offerings such as Snapchat.
In addition, recent high-profile security breaches, such as the recent eBay leak, have revealed that a worrying number of attacks can potentially go undetected for months or even years at a time. It is highly possible that over the next few years this will be a regular occurrence, with attacks reported on target networks that have been resident for years before being discovered. These attacks will exfiltrate data in new and ingenious ways and are designed hide in plain sight on the host’s system – in email and web traffic, for example – so as to effectively avoid all manner of network scanning and malware detection. They will be increasingly difficult to defend against or detect, even after the fact.
Fortunately, while the war with hackers may never be won once and for all, making security a priority can make all the difference. The Ponemon study is not alone in suggesting that companies that have a strong security system in place are able to reduce the cost of leaks by as much as $14 per record. The appointment of a Chief Information Security Officer (CISO) to lead the data breach incident response team can further reduce the cost of a breach by more than $6.
This may seem like small change but when you consider the tens of millions of records that are often affected at one time, this can add up to a huge saving to the business and make for a more financially secure company.
Ultimately no one can say for certain exactly where and how tomorrow’s cyber-attacks will be carried out but it is certain that they will happen. IT security experts today have to contend with more diverse threats than ever before and it is only decisive action and a re-focus on security that may enable us to stay one step ahead.
How much do you know about the world’s most famous hackers? Take our quiz!