The latest issue of McAfee’s data breach and exfiltration report, Grand Theft Data II: The Drivers and State of Data Breaches, noted that while cybersecurity professionals have made progress through improved defensive tools, better integration and education, organizations continue to struggle with poor cyber hygiene issues that needlessly open them up to attacks. Furthermore, intellectual property (IP) theft has emerged as a top data target in U.S. and foreign companies.
McAfee surveyed IT professionals from organizations with more than 1,000 employees, and respondents were evenly split between commercial organizations (1,000 to 5,000 employees) and enterprises (more than 5,000 employees). The resulting global group represented Australia, Canada, France, Germany, India, Singapore, the U.S., the UK, and a wide range of industries.
- The Upside. The top two actions cited for reducing the risk of breaches in the future are integrating the various security technologies into a more cohesive defense and additional education and training for employees on security risks.
- Crime costs us. Nearly three-quarters of all breaches have required public disclosure or have affected financial results, up five points from 2015.
- Top Targets: IP & PII. Intellectual property theft is now tied with personally identifiable information (PII) as the data categories with the highest potential impact, according to 43 percent of respondents. Notably, PII is of greater concern in Europe (49 percent), most likely due to the recent enforcement date of the General Data Protection Regulation (GDPR). In Asia-Pacific countries, intellectual property theft is of greater concern (51 percent) than PII.
- What’s old is new, still. The top three methods of exfiltrating data are database leaks, cloud applications, and removable USB drives.
- IT blames... itself. IT is implicated in 52 percent of breaches due to poor cybersecurity hygiene. Business operations is the next most likely to be involved (29 percent of breaches). The most secure internal groups were finance (12 percent) and legal (6 percent).
- Do as I say, not as I do. A full 61 percent say their executives expect more lenient security policies for themselves, and this double standard results in more breaches 65 percent of the time.
A number of these findings align with what I’m hearing from our customers and partners across industries and geographies.
Targeting IP: The Corporate “Crown Jewels”
I know from my conversations with customers that IP theft is increasingly a concern among organizations, particularly those that do business globally.
Today’s organizations obviously operate in very competitive global markets filled with aggressive rivals. There are various players out there in that global space that certainly target intellectual property. But I didn’t expect that IP had moved up to tie with PII as a top target for data theft.
There’s a question of whether regulatory reporting of data breaches in general has driven companies to acknowledge IP theft activity, or whether intellectual property theft truly has increased dramatically. We believe that part of it can be attributed to the increased use of improved tools such as DLP and CASB solutions.
Because organizations aren’t really obliged to report IP theft in the way they are required to acknowledge consumer data theft, there is a fair probability that much of the new IP theft activity can be attributed to the implementation of improved cybersecurity tools. Because many of the tools are being used to hunt for malicious digital squatters, they are exposing breaches that previously may not have been discovered.
Intellectual property can also draw a different mix of bad actors. Certainly, some of our more traditional adversaries might find IP interesting, but when it comes to this category of data, nation-states are increasingly implicated. That takes the challenge of protecting the data to a whole new level.
The report shows concern around IP loss in Asia, but it shows an increase across all regions and industries.
Cyber Hygiene: Still Careless After All These Years
Whether it was IT’s own role in data breaches, the use of USBs in attacks, executives demanding more lenient security policies (for themselves), or the recurrent mention of lax vulnerability patching priorities, cyber hygiene continues to plague organizations’ IT teams.
Today you can password-protect and encrypt data, ensuring that it is secure on a USB drive. You can implement DLP policies that prevent confidential data from being moved onto the drive in the first place. There are very straightforward tools that address this threat and are not onerous for organizations to implement. They can be managed in ways that limit impact to user productivity while materially mitigating the risk of a breach.
Many of the major breaches we have seen over the past 24 months could have been avoided if applications and operating systems had been patched in a timelier manner.
The vulnerabilities these patches are designed to address can go unpatched for months despite the availability of the fixes. Organizations often delay implementing them because they are concerned that doing so might break something else in their environments, causing downstream business and productivity impact.
But it’s 2019, and the cloud has taught us that you can patch the same day a patch becomes available and the world won’t come to an end. Not patching may result in a breach that makes you wish it would come to an end.
We refer to these kinds of cyber hygiene principles as Cyber 101 for a reason. They are really very important; we all know it, but we really can’t emphasize their importance enough.