Chipotle is the most recent big-name consumer brand to be hacked, but you’re right in thinking that what was once “unthinkable” now occurs more often than ever before among businesses and public personalities.
The government seems to get it: today Washington announced plans to launch the Cyber Threat Intelligence Integration Center, a new agency dedicated entirely to cybersecurity.
But what does it mean? We spoke to SecurityScoreCard founder/CEO Aleksandr Yampolskiy and the company’s Chief Research Officer Alex Heid to get a fresh take on the topic from two people on the inside.
Yampolskiy assisted with data security for a major e-commerce retailer and companies like Goldman Sachs, IBM, and Oracle before starting his own business, and he says it’s “too pessimistic” to describe hacks as the new normal:
“The reality is that this is just a convenient story for companies to tell the news in order to avoid liability for being sloppy.”
In the case of Sony Pictures and others, security reviews revealed that “there were many basic things that these companies weren’t doing…they’re still leaving their front doors open for ‘the bad guys.’”
Yampolskiy thinks it’s too easy for a company to say that it will try to “trap” successful hackers rather than defend against them: “Before we say ‘this is inevitable,’ let’s get our stuff together and review.”
The problem isn’t a lack of data. Yampolskiy says, “we have too many signals, too much data, and too many false positives for security teams…the answer is to better analyze what you already have.”
In the recent case of Anthem, for example: “They immediately had their officer go on record and mention a sophisticated breach, but…there were shortcomings you could discover through Google search. All it takes is a few keywords.”
Heid adds, in speaking about his company’s own security reviews: “the worst-ranked retailers were Home Depot and Staples, which both got hacked. The ‘bad guys’ will go for easy targets because they’re lazy, just like the rest of us.”
Here, then, are three ways for companies to respond when they suspect a hack, according to Yampolskiy.
1. Immediate transparency
“Going public and admitting it by being upfront with customers and others is the right thing to do. Hackers talk extensively on forums, and we saw chatter boasting about selling personal data from Anthem customers.
The ‘good guys’ need to get better at communicating with each other.”
2. Hire a security “forensics” firm
“These companies need to work with a security firm to figure out how the hacker got in and how they can learn from the experience…so they can use it as a weapon in the future.”
3. Notify all vendors and business partners ASAP
“We live in a hyper-connected world, and you could be doing a great job protecting your company but you also rely on vendors and partners, and a failure for one of them could create a domino effect.
Many use the scorecards like ours to monitor their partners and make sure all parties are insulated from a potential breach.”
Will the new federal agency make a difference? Heid is skeptical:
“It seems like a rebranding of pre-existing agencies like InfraGard, which is a collaboration between the FBI and the private sector.
We’d be curious to see if it actually changes the way we address these problems: how much can yet another agency with a tiny budget really do?
Something else is needed, but this story just makes for good publicity.”