First it was Equifax, with the records of over 140 million consumers compromised. Then it was the SEC, whose EDGAR public-company filing system was breached. Then came Deloitte, which revealed that hackers may have accessed sensitive details of several blue-chip clients. Apparently, no one is immune to a cyberattack any longer: not even the regulatory watchdog that has been telling corporate America to get its cybersecurity act together.
All three attacks are a stark reminder of how little it takes for cyber barriers to be breached. Look at Equifax, for instance. Here is a company that, according to an investigative report in Bloomberg, had invested millions in state-of-the-art security measures, deployed anti-intrusion software, and established a dedicated team to patch vulnerabilities quickly. But then it failed to notice and fix a known flaw in the Apache Struts web application framework it ran, a flaw for which a patch had been available for about two months before attackers began exploiting it, leaving the door open for one of the most staggering data heists in recent memory. The lesson for practitioners is uncomfortable: a patching programme is only as good as its inventory. A team can be fast at fixing what it knows about and still leave an internet-facing application unpatched for months because nobody confirmed that the vulnerable component was actually in use.
Of course, the problems at Equifax run a lot deeper than a simple patch failure. Bloomberg provides a fascinating account of some of the events at Equifax that may have culminated in the data breach, including the departure of key security personnel from the company over the last few years.
What is evident from all of this, from the fact that some of the most reputable giants in the corporate and regulatory world can fall prey to cyberattacks so easily, is that the problem of cybersecurity is a lot deeper and more complex than we often think. There are no quick fixes or easy answers. But certainly, a cultural and foundational shift is required in how we think about security, how we build our software and systems, and how we access and use sensitive data.
Driving some of these shifts are regulators. The New York State Department of Financial Services (NYDFS) has already proposed extending its new cybersecurity regulation, which currently applies to banks and insurers, to consumer credit reporting agencies such as Equifax. Meanwhile, the European Commission is moving to widen the role of the EU's cybersecurity agency, ENISA, in two new areas: cybersecurity crisis management, and the introduction of a cybersecurity certification scheme to ensure that digital products and services are safe to use. And on 25 May 2018, another regulation, the General Data Protection Regulation (GDPR), becomes enforceable, with sweeping changes to how companies process and manage personal data and a duty to notify breaches within 72 hours.
Rules like these matter a great deal. However, they provide only the impetus for cybersecurity, not the tools. If we want to build more secure enterprises, we need to find better ways of protecting data. Perhaps we need to segment networks more aggressively (so that a single compromised host or application cannot reach everything else), or rework infrastructure so that multi-factor authentication becomes de rigueur rather than an exception, as this article in Wired suggests.
It might also be pertinent to question whether we are going about cybersecurity the right way. Instead of simply sealing the perimeter against outside threats (because borders can always be breached as threats evolve), should we be focusing more effort on sensing and mitigating attacks as they occur, on the assumption that some attacker is already inside? Better still, can we get to a point where we are able to identify the right mitigating action even for an attack we have never seen before? Artificial intelligence might hold some of the answers.
Contributor : Aruna Mary Zachariah