The CEO silently pushed a non-disclosure agreement across the table. Two phrases grabbed her attention: “cyber attack” and “data breach.”
“How many of our customers are affected?” she asked.
“Potentially,” one of the managers said, “all of them.”
On signing the NDA, Karen became a member of an exclusive club of employees who even knew the breach existed. She was issued an “air-gapped” laptop, meaning that it had never been connected to another computer or network, with two instructions on how to use it: never connect it to the company network, and never use company email.
Her NDA also specified the first rule of the breach: you don’t talk about the breach. For three weeks she could not share what she knew with her colleagues, her friends, or even her own family. If the hackers discovered they had been detected, she was told, they would immediately exfiltrate any data they had accessed.
The team worked around the clock in a blacked-out boardroom. It rebuilt the company’s servers and processes one at a time, established the data that had been compromised, and planned the company’s biggest bad-news day, when they would disclose the consequences of the breach. Although her employer executed its crisis-management plan to the letter, business as usual effectively ground to a halt. Confused techs were told to rebuild customer databases with no explanation. Befuddled customers had passwords revoked without warning. Worried colleagues speculated about redundancies. “It was chaos,” Karen remembers, “because we couldn’t tell any of them what we were doing, or why we were doing it.”
Only when the company’s system had been secured for a week could it declare that, as far as was known, no confidential records had been stolen. By that time they had also discovered the source of the breach: a single unsuspecting employee had clicked on the attachment to a phishing email.
Increasing numbers of organizations have discovered that this is the reality of the asymmetric cyber threat. Most attacks are automated, and the attackers, who often use a grab bag of exploits that are months or even years old, only have to get lucky once. Once they penetrate, they stay out of sight, gradually upgrading their access. Victims often discover that breaches have taken place over weeks, or even months, as hackers explore company systems undetected.
The asymmetry is amplified because the number of ways to try to get into a network, or get data out of it—known as the “attack surface”—has multiplied. In the past, security was mainly about building a wall around company data. In 2016, the data, and the means to access it, are widely distributed. A secure network must defeat every one of thousands of daily attacks on servers, personal computers, smart phones, electronic tills and other connected devices, meaning that every employee is on the front line of security, everywhere, every day.
Machine-to-machine communication and the internet of things (IoT) mean that mechanical devices are increasingly controlled and optimized by embedded software, receiving readings from sensors and acting on them autonomously: the modern high-end car now contains around 100 million lines of code, three times as much as a leading computer software program. A 2015 report on cyber security and IoT estimates that 70% of IoT devices contain security vulnerabilities, and that 56% of organizations using them admit they would not be able to detect a sophisticated attack.
The regulatory penalties for allowing employees to breach security are increasing, but not uniformly. On July 6, 2016, the European Parliament approved the Directive on security of network and information systems (NIS Directive), which forces member governments to draft legislation obliging organizations in health, energy, banking, telecom and transportation, as well as some online businesses, to put in place cyber security to ensure continuity of supply.
Also, the General Data Protection Regulation is due to come into force in May 2018, imposing fines for serious breaches of customer data of up to €20 million, or 4% of global annual turnover for the preceding financial year, whichever is the greater.
The U.S. has favored the carrot rather than the stick for cyber-security regulation, although health care, financial services and government organizations all have some obligation to protect their computer systems. The Cybersecurity Act of 2015 created a voluntary scheme for sharing cyber information between businesses. Opponents of stronger regulatory action have complained that it may lead to government-mandated snooping on employees, and inappropriate sharing of personal data. If the regulatory burden is too strong, it may also prevent businesses from striking the appropriate balance between the desire for a risk-free workplace and the need to get on with the job.
Well-meaning security policies that create too much red tape often backfire: employees simply ignore (or even deliberately work around) the rules. Commercial cyber-security experts are therefore not only in the business of making rules, but of understanding human behavior and implementing IT systems that stop employees from shooting themselves in the foot.
“My advice is don’t have a 500-page policy for your users, have a five-page one that people can actually understand,” says Mieke Kooij, security director at Trainline, a U.K.-based rail ticketing company, who has spent 15 years consulting for government departments and leading security in large global organizations across Europe and North America.
Even for company networks, the types of attack continuously evolve. Bogdan Botezatu, senior e-threat analyst at security vendor Bitdefender, explains that ransomware is his biggest fear for future attacks, because it is almost risk-free for the attackers. The hacker launching a ransomware attack encrypts your data and demands payment to decrypt it. Though not a new weapon, mass ransomware attacks began in September 2013, when CryptoLocker started to infect computers. When it was finally taken down in May 2014, researchers found that it had infected 545,146 computers. Of those, 1.3% had paid ransoms ranging from $100 to $500. The researchers estimated that the attacks yielded $3 million.
“Until 2014 the most common exploit we saw was to find credit card numbers, clone the cards, send them to some bad guys outside the U.S., and use them to obtain cash. But this was risky because someone had to be present to get the money. Ransomware doesn’t demand that. I’m very afraid of the day ransomware is used to target devices like insulin pumps,” Mr. Botezatu says.
The combination of many points of attack and the potential losses means the fight against hackers now increasingly focuses on mitigating the impact of a breach, rather than trying to make one impossible. This means that we must be protected from our own mistakes: raising an alarm when, for example, a user accidentally downloads malware, and isolating it. Mr. Botezatu defines the role of security software as “preventing users from shooting themselves in the foot.”
Even the best regulation cannot secure every organization. A good security officer has to anticipate hacker behavior too: when a breach does occur, it is important to prevent the intruders from moving around the network, and to have a well-drilled crisis team ready to respond. “Perimeters are what we tried to establish 10 years ago, but they are now largely imagined,” Ms. Kooij of Trainline says. “Instead, we try to ensure that [hackers] are not going to see anything, and that our monitoring will pick them up.
“The ubiquity of the threat has changed, but the threat itself hasn’t,” she concludes.
On 12 January 2009, Robert Carr arrived back at his New York hotel room after a day of meetings to find an urgent message to call his head of technology. Mr. Carr was founder and CEO of credit-card processor Heartland Payment Systems, Inc., and had built a personal net worth of $330 million in his company’s stock. The company employed 2,500 people and had 150,000 merchants, many of them small retailers, that used it to process credit-card transactions.
When he returned the call, Mr. Carr discovered Heartland had been the victim of hacking “on a devastating scale.” In the next 12 months the hackers would wipe out his personal fortune and threaten to doom the company. Heartland was close to going out of business when it was removed from the list of PCI certified processors by a leading financial services company.
Investigators later discovered that Heartland had been penetrated the day after Christmas 2007 by a global hacker group whose former leader was sentenced to 20 years in prison in 2010 for this and more than 300 additional successful attacks. In May 2008, the hackers had installed 13 pieces of malware in Heartland’s systems. By June, they had penetrated the card-processing system. An estimated 130 million credit-card numbers were exposed, because the hackers were able to capture the track data from a credit card’s magnetic stripe.
At the time, Heartland had recently passed a security audit. “I couldn’t believe it,” Mr. Carr recalls. “I didn’t know how it could have happened.” After a sleepless night, he launched an investigation into the breach that would involve both the Department of Justice and the Secret Service. It concluded that, in common with many breaches, the problem could be traced back to one senior employee who did not follow established policies.
Against the advice of his lawyers, Mr. Carr resolved to accept the blame publicly and to do whatever could be done to limit the damage and enhance the security of all those who touch credit-card data. On 20 January 2009, he publicly passed on the bad news and began the process of settling with the damaged parties. Those settlements eventually cost the company $150 million in cash, as well as other related costs. Heartland staff communicated with every one of the 150,000 locations of merchants using its payment-processing system to explain what had happened, what the company would do, and to ask them to stay as customers. “It cost us tens of millions of dollars to do that, but it saved the company,” Mr. Carr says.
Nevertheless, in the months after the breach was revealed, Heartland’s stock declined from $15.88 to $3.42, before rebounding as the suits were settled and with few merchants and employees having defected. In April 2016, Global Payments, Inc., acquired Heartland for $103.09 per share.
Its customers also stayed loyal because Heartland was inspired by the breach to pioneer new standards for encryption in its industry, Mr. Carr says. It also introduced stronger internal monitoring and additional controls, so that an employee error or similar breach could not cause the same type of data loss again. “Everybody should assume they have been breached,” he warns. “Everybody. But letting the bad guys get your data—that’s what can destroy you.”