Let's Stop Pretending About Cybersecurity
By Samuel Greengard | Posted 12-06-2017
It's entirely apparent that hackers, attackers and thieves are winning the battle over cybersecurity. The fact that companies like Equifax and Deloitte can't lock down systems proves that cybersecurity is a total mess.
These recent breaches are completely unacceptable. The Equifax failure affected 143 million Americans. It could lead to massive fraud and identity theft.
Yet, no less disturbing is the fact that senior executives reportedly knew about the breach for a month before disclosing it, at least two executives sold stock before the breach was made public (though the company claims they had no knowledge of the breach), Equifax initially tried to strip those affected by the breach of their right to sue before backing off, and the firm directed consumers to a bogus site for information!
What part of this is even remotely okay?
The Deloitte breach is even more disturbing from an IT perspective. This, after all, is a consulting firm that specializes in cybersecurity -- and one that works with a who's who of the corporate world along with government agencies. Among its key recommendations to clients: Never establish an administrator account without multi-factor authentication.
Yet, that's exactly what Deloitte did with its own IT systems. Thus, intruders appear to have gained unrestricted access to sensitive communications between the firm and at least six clients. "To make matters worse, it appears that no one at Deloitte noticed suspicious account activity for months," says Willis McDonald, threat research manager at Core Security.
Industry statistics are just as disturbing. Breaches spiked by about 40 percent in 2016, according to the Identity Theft Resource Center. A newly released Opus and Ponemon Institute study found that 56 percent of companies experienced a data breach caused by a third party, a 7 percent increase from 2016.
The Ponemon study also found that only 17 percent of respondents believe their organizations are effective in mitigating third-party risk -- down from 22 percent in the 2016 study. In addition, only 35 percent of respondents think that third parties would inform them if they experienced a breach -- a figure that drops to 11 percent for fourth parties and beyond.
The disconnect is profound. And things will only get worse as the Internet of Things takes shape.
However, technology progress and cybersecurity don't have to be a zero-sum game. Unfortunately, enterprise leaders talk a good game but frequently don't deliver on cybersecurity. There's no excuse for the vast majority of breaches that occur. Equifax and Deloitte are just the latest examples of a completely broken mindset and haphazard approach.