There's a lot we can learn from 2017's 'big four' breaches
What do a consumer credit reporting agency, a cable network, a transportation company and a web services provider all have in common? To take the most obvious parallel first: they were all hit by extremely high-profile security breaches that either happened, or came fully to light, last year.

At Equifax, criminals gained access to the financial data of 143 million people, a massive breach that led to 23 class-action lawsuits, a US$ 4.3 billion (£3 billion) loss in market value and the departure of senior executives. Yahoo took four years to realise that the cyber-attack it suffered in 2013 had compromised every single one of its three billion user accounts, spanning Yahoo Mail, Flickr, Tumblr and Yahoo Fantasy.

Also targeted in 2017 was HBO, from which hackers claimed to have stolen 1.5 terabytes of proprietary data, while cyber-thieves taxied away with the personal information of 57 million Uber users.

But aside from the most evident parallel, these breaches had three other key commonalities which have valuable lessons to teach us about cyber-security. 

They were all preventable.

No matter how sophisticated the attacks, all of them could have been avoided. Whether due to a lack of interest, focus, urgency or all three, bad decisions were the key culprit behind them and behind the thousands of others occurring every day. According to IT analyst Forrester, two thirds of all companies were breached an average of five times in 2016, despite spending US$ 80 billion (£58 billion) on security.

Those numbers tell us two things. First, we're not setting priorities effectively. Protecting the data of our organisations and customers must be of paramount importance, every single day. And it's not. Companies take an average of 193 days to patch known vulnerabilities, and that is exactly how Equifax was breached: the attackers came in through a known vulnerability in the Apache Struts web framework for which a patch had been available for months before the intrusion.

Second, it tells us that most organisations are taking an outdated approach to cyber-security. Instead of stringently following best practices, we're throwing vast amounts of money at the problem. That's expensive and ineffective.

They all had an identity component.

While most media reports focus on how the initial breach occurred, they're missing the most crucial part of the story. The majority of successful breaches leverage compromised identities. 

Access is just the first step. Once inside, cyber-criminals harvest credentials, for example with keyloggers or by dumping them from the memory of machines where privileged users have logged in. Using those credentials, they can move laterally and unchallenged through the network, reaching the most valuable information. It's the credentials, and the privileged access that comes with them, that count.

According to Verizon's 2017 Data Breach Investigations Report, 81 percent of hacking-related breaches leveraged stolen or weak passwords. Most organisations are failing to make this connection, however. Last year companies spent less than five percent of their total security budgets on identity and access management, the very technology that would most directly limit this kind of damage.

It's time to pull the focus off the point of entry and start severely limiting the damage cyber-criminals can do once inside. 
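One concrete way to act on this is to watch for the footprint that credential-driven lateral movement leaves in authentication logs. The following is an added example, not code from the original column or from Centrify: it replays a handful of constructed logon events and flags any account that authenticates from one source to an unusual number of distinct hosts inside a short window, escalating the alert when the account is on a privileged list. The log format, host names, thresholds and the privileged-account list are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs). Fields:
#   timestamp  user  source_host  target_host  result
SAMPLE_EVENTS = """\
2017-09-01T09:00:05 svc_backup ws-17 fileserv01 success
2017-09-01T09:00:09 svc_backup ws-17 fileserv02 success
2017-09-01T09:00:14 svc_backup ws-17 db01 success
2017-09-01T09:00:20 svc_backup ws-17 db02 success
2017-09-01T09:00:27 svc_backup ws-17 hr-app01 success
2017-09-01T09:01:03 svc_backup ws-17 dc01 success
2017-09-01T09:15:00 jsmith ws-04 mail01 success
2017-09-01T09:16:12 jsmith ws-04 fileserv01 success
2017-09-01T10:30:00 svc_backup backup01 fileserv01 success
"""

# Hypothetical list of accounts whose credentials attackers would most want to steal
PRIVILEGED = {"svc_backup", "administrator"}


def parse_events(text):
    """Parse the whitespace-separated sample format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_lateral_movement(events, window=timedelta(minutes=5), max_hosts=3,
                            privileged=PRIVILEGED):
    """Alert on each (user, source host) whose successful logons reach more than
    max_hosts distinct target hosts within any sliding window of length `window`.

    A legitimate user touching a file server and a mail server stays under the
    threshold; one set of credentials fanning out across the estate in a minute
    is what post-compromise lateral movement looks like."""
    by_actor = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_actor[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_actor.items():
        best = set()          # largest set of distinct targets seen in one window
        start = 0
        for end, cur in enumerate(evs):
            # advance the window start until it fits within `window` of the current event
            while cur["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) > max_hosts:
            is_priv = user in privileged
            alerts.append({
                "user": user,
                "source": src,
                "hosts": sorted(best),
                "privileged": is_priv,
                "severity": "high" if is_priv else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity']}] {alert['user']} from {alert['source']} "
              f"reached {len(alert['hosts'])} hosts: {', '.join(alert['hosts'])}")
```

Keying on the (user, source host) pair rather than the user alone matters: the same service account logging on from its normal backup server later in the day is separate from the burst that came from a workstation, which is the case worth paging someone about.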

Every one was poorly managed.

After its breach came to light, Equifax turned itself into a case study in poor decision-making and hare-brained leadership. Weeks passed before the company announced the breach had even occurred, and what followed was a comedy of errors that would make Shakespeare cringe.

Yahoo's timing was far worse: it took years to come clean. In doing so, it failed millions of users who, had they been told the truth, could have changed their passwords and security questions before any additional damage was done. It's inexcusable not to protect your data adequately in this day and age, but the response here was beyond the pale.

The best way to avoid following in the footsteps of Equifax, Yahoo, HBO and Uber in 2018 is by implementing a ‘zero trust’ model, which assumes that users inside a network are no more trustworthy than those outside. Everything, whether a user, an endpoint or a resource, is untrusted by default, so every access request must be verified regardless of where it originates.

Security vendors should implement machine learning for behaviour-based fraud detection that assigns a risk level to each individual transaction and responds accordingly. Companies should demand multi-factor authentication for every single account, or find new vendors that offer it. 
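To make the preceding two paragraphs concrete, here is an added example, not code from the original column or from Centrify, of a per-transaction risk decision: each login attempt is scored against a behavioural baseline for the account and the score is mapped to allow, step up to MFA, or deny. The baselines, weights and thresholds are assumptions for the illustration, and a simple rule-based scorer stands in for the machine-learning model the column calls for; the point it demonstrates is that the response is decided per attempt, that any anomaly on a privileged account is weighted more heavily, and that an MFA-for-everyone policy is a floor on top of the risk score rather than a replacement for it.

```python
from datetime import datetime

# Constructed per-user behaviour baselines (sample data, not from any real system).
# A deployed system would learn these from authentication history.
BASELINES = {
    "jsmith":    {"devices": {"ws-04"},  "countries": {"GB"}, "hours": range(7, 20), "privileged": False},
    "admin_ops": {"devices": {"jump01"}, "countries": {"GB"}, "hours": range(8, 18), "privileged": True},
}

# Decision thresholds on a 0-100 risk scale (assumed values)
DENY_AT = 70
MFA_AT = 30


def score_login(user, device, country, when, baselines=BASELINES):
    """Score one authentication attempt against the user's baseline.
    Returns (risk, reasons), with risk clamped to 0-100."""
    b = baselines.get(user)
    if b is None:
        return 100, ["no baseline for user"]
    risk, reasons = 0, []
    if device not in b["devices"]:
        risk += 40
        reasons.append("unrecognised device")
    if country not in b["countries"]:
        risk += 35
        reasons.append(f"unusual country {country}")
    if when.hour not in b["hours"]:
        risk += 20
        reasons.append("outside usual hours")
    if b["privileged"] and risk:
        # Any anomaly on a privileged account counts for more: those are the
        # credentials an intruder is hunting for once inside.
        risk += 15
        reasons.append("privileged account")
    return min(risk, 100), reasons


def decide(risk, privileged, mfa_for_all=True):
    """Map a risk score to an action. Privileged accounts never get a plain
    allow, and mfa_for_all raises the floor for everyone else too."""
    if risk >= DENY_AT:
        return "deny"
    if risk >= MFA_AT or privileged or mfa_for_all:
        return "require_mfa"
    return "allow"


def evaluate(user, device, country, when_iso, baselines=BASELINES, mfa_for_all=True):
    """Evaluate a single login attempt; `when_iso` is an ISO-8601 timestamp string."""
    when = datetime.fromisoformat(when_iso)
    risk, reasons = score_login(user, device, country, when, baselines)
    # Unknown users are treated as privileged so that nothing about them is waved through
    privileged = baselines.get(user, {}).get("privileged", True)
    return {"user": user, "risk": risk,
            "decision": decide(risk, privileged, mfa_for_all), "reasons": reasons}


if __name__ == "__main__":
    # Constructed attempts: a normal login, a login from abroad, an admin on the
    # jump host, and the admin's credentials used from a strange laptop at 3am.
    for args in [("jsmith", "ws-04", "GB", "2017-09-01T10:00:00"),
                 ("jsmith", "ws-04", "US", "2017-09-01T10:00:00"),
                 ("admin_ops", "jump01", "GB", "2017-09-01T12:00:00"),
                 ("admin_ops", "laptop-x", "RU", "2017-09-01T03:00:00")]:
        r = evaluate(*args)
        print(f"{r['user']:<10} risk={r['risk']:>3} -> {r['decision']:<12} {r['reasons']}")
```

The reasons list is returned alongside the decision on purpose: an analyst reviewing a denied or stepped-up login needs to see which signals fired, and that record is what lets the thresholds be tuned against real false-positive rates later.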

This is something that demands a shared responsibility approach, with all parties working together; and the sooner we get started, the better. 

Contributed by Tom Kemp, co-founder and CEO of Centrify

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.