What did we learn about cybersecurity in 2015

04.02.2016
A data breach can be the biggest kind of crisis an IT leader will have to face. And when an incident occurs, it’s an emergency situation – typically an all-hands-on-deck moment.

After the dust settles, however, it’s time to determine what lessons were learned from the experience. Your organization may have escaped 2015 without a data breach. But that’s no guarantee that hackers, cybercriminals and others won’t turn their attention to your business soon.

According to the Identity Theft Resource Center (ITRC), organizations around the world suffered over 700 data breaches in 2015. The attacks covered every sector and records were lost in many sectors. For 2015, the ITRC reports the following findings:


Several conclusions can be drawn from the ITRC’s reports. First, the total number of attacks continues to hold steady (although this data may be influenced by the willingness of organizations to report incidents). Second, the medical sector has been a top category for attacks for several years. Effective security in healthcare impacts all of us, so let’s consider that area first.

Healthcare organizations suffered several high-profile attacks in 2015. The highly sensitive personal records held by these organizations include medication information, medical expenses and personal data such as physical addresses and dates of birth. With health information, fraud is only one possible loss scenario. Lost trust, embarrassment and damaged reputations are other consequences from health attacks.

“In the health sector, we have seen acceptance of the problem at the board level. This sector is continuing to increase in maturity,” says Christos Dimitriadis, president of ISACA, an international cybersecurity professional organization. In the IT industry, ISACA is well-known for the cybersecurity certification and professional development programs it offers to professionals. ISACA also conducts ongoing research projects to understand new threats and support members.

“The United States and Europe are continuing to develop their cybersecurity policies in response to these attacks. I also see increased interest in protecting privacy and that means more support to the health sector,” says Dimitriadis.

Health organizations targeted in 2015 included large organizations that provide services to a large percentage of the American population.

“We are seeing an increasing trend in major cyber security incidents that lie undetected for six months or more,” says Dimitriadis. These long-term security threats suggest that hackers and criminals are becoming more patient and are willing to launch attacks with greater sophistication.

Security providers face constant pressure to deliver reliable solutions and keep up with attackers. In 2015, security companies and military organizations experienced security incidents. Even organizations that take pride in their security measures are targeted and experience significant repercussions.

In June 2015, Kaspersky Lab, a Russian-based cybersecurity company, announced that it was attacked by hackers. The company stated that several new techniques were used by the hackers. Exploiting vulnerabilities in Microsoft software was a key part of the attack. Even worse, the attack targeted software often used by IT staff to install updates on end-user machines.

Key findings from the Kaspersky Lab

Over the past decade, IT leaders have used outsourcing and contractors to reduce costs and increase flexibility. Unfortunately, these practices may increase security risks. In 2015, the U.S. Army National Guard (ARNG) suffered an incident where personal data (i.e. names, social security numbers, addresses, dates of birth and pay data) for up to 868,000 current and former members of the ARNG were transferred out of a secure environment by a contractor.


“The specific information was transferred by a government contractor and was used for budget analysis for various federal programs,” says Major Jamie Davis, U.S. Army National Guard. “We believe the specific files containing the personal information were safeguarded and not used to compromise anyone's identity.”

To err on the side of caution, military authorities took action in response to this incident. Notices were sent to each state’s National Guard unit. In addition, a call center was established to address questions and concerns related to the incident and possible identity theft. The military’s response shows that a proactive response may be needed even in cases where the probability of harm is low.

In 2016, IT leaders have a number of options to improve security. The specific mix of options an organization chooses will depend on its resources and current security matters. Dimitriadis’s advice to IT managers looking to improve cybersecurity:

(www.cio.com)

Bruce Harpham
