Looking back on 2016 with the benefit of 20/20 hindsight, it was a watershed year in cybersecurity. But did we learn anything?
It’s human nature to change our behaviors and rules in response to incidents (or the public’s reaction to them). In government circles, that’s called “legislating by anecdote.” Take a look at just a few of the major security events over the past ten or so years to see how data security and privacy protections has changed as a result.
Data provider ChoicePoint issues breach notifications to 160,000 consumers whose data may have been accessed in a physical security breach. The resulting global media coverage prompts 46 states, three US territories, the District of Columbia, the European Union and 90 countries to adopt or strengthen mandatory breach notification laws.
Heartland Payment Systems is breached by hackers who use a SQL injection to gain access to 100+ million debit and credit cards. Heartland pays $140 million in fines and penalties and becomes the first payment processor to adopt end-to-end encryption and to offer a Breach Warranty to cover the costs of an exploit for merchants.
An employee of Saudi Aramco clicks on a spam email link and sends the company back to the 1970s, the technology equivalent of the Stone Age. The data on 35,000 computers is partially or totally erased and the company is disconnected from the internet for five months. Aramco becomes the poster child for why heavy industry, not just consumer-facing businesses, needs robust cyber protections.
Years after Europeans abandon mag stripes and a massive breach, US-retailer Target unilaterally announces they will only accept “chip and PIN” payment cards. Soon, other major retailers, card issuers, payment processors and the PCI Council fall in line to permanently replace mag stripe cards in the US.
The US Office of Personnel Management is breached in a state-sponsored attack through an insecure computer and password. The personal data of every person holding a security clearance issued by the US government is exposed, leading to a government-wide change in access control.
And then there is 2016.
Ransomware, DDoS attacks using a massive botnet of consumer IoT devices, and the world’s first billion record breach were all “highlights” of the year, but what will be the long-term impacts of these attacks?
There are already new technologies that can mitigate many attacks and render others useless. Want to block a deserialization attack like the ransomware exploit against the San Francisco Muni? Have known and unknown vulnerabilities in the apps used to run your business or connect IoT devices to your network? What about running older, vulnerable applications on legacy platforms? The evaluation pipelines of leading companies are already filled with pilot projects of these new solutions, but 2016 reinforces the need for new approaches to continuing problems.
If past performance is a predictor of future actions, we will see significant changes in cybersecurity policies and procedures in the next 12-24 months. Here’s hoping we put the recent lessons learned to prevent 2017 from being another record breaking year.