Why are data breaches so common? Find out how to better protect your sensitive information.
The main challenge is that many organizations still rely on an approach that is purely based on keeping the bad guys out, but doing little when they get in.
Consider a typical office building. You have locked doors and windows on the outside, all access is via reception or gates to ensure that only people with badges and keys can get in. There are electronic locks to access each floor and probably a pin code outside office hours etc.
This is also the basic setup for cybersecurity, and it leaves a growing hole for hackers to exploit. If the attacker is able to steal an ID card with the key, usually even the pin code, they have a field day walking around the office and stealing whatever they want.
Fixing this is not rocket science. It requires two improvements.
The first thing is that default access is only given for basic day-to-day needs and all other access needs to be validated. In our office setup, I would be given access to the 3rd floor where I usually work, but if I were to go to the 4th floor, I would get a confirmation request on my phone asking if it is really me trying to get through the door. This confirmation is valid for that day, so I can easily visit my colleagues during the day. But if I were trying to get to a floor with our secure office space, the access would have to be approved by an authorized person and I would have to confirm my identity every time I tried to access the floor.
In IT, this is called the least privilege model. The higher the privilege and the more sensitive the data, the less time my approval is valid, and the more strict approvals are required. By default, I would have password access to common office applications, the intranet, etc. If I wanted to access our CRM, which I use every day in my job, I would receive a multi-factor authentication (MFA) request to my phone once a day for normal access. But if, for example, I wanted to analyze long-term data across the company, that access would need to be approved by my boss once and my MFA session would only be valid for a few hours at a time.
When properly implemented, this is almost non-intrusive to the user, but will massively improve your security. Almost all hacks will be stopped in their tracks, as hackers would need to steal both your password and your phone without you noticing it, as well as the pin to unlock the phone in order to move around.
The second step is to track user behavior using AI. This isn't actually anything fancy or new, but a bunch of machine learning algorithms that have been widely used in the retail industry, for example. With the massive amount of session data collected, companies like Microsoft are able to use these algorithms to form normal usage patterns for a user, and if you step out of those patterns, a simple MFA request is immediately fired off to check if it's still you.
An example of such an algorithm is the shopping basket algorithm in retail. If I'm in the supermarket on a Friday night, it's quite normal for me to have some beer, pizza and ice cream in my basket, and the algorithm knows that and it's used for marketing, logistics and so on. But if I did the same thing on Monday morning, I would hope that someone would check to see if everything was OK. That is what the IT version of algorithms do. The algorithm will notice if a user is systematically copying files from a file share, or accessing an API to retrieve large amounts of personal data - both real-world hacks from recent months. Both hacks would probably have been stopped in their tracks if user sessions had been automatically suspended until a human could verify that the use was legitimate.
Of course, a very skilled hacker with an infinite budget can still get away with it, but almost all hacking is an opportunistic business. They have budgets and all that, just like any other business, and if you restrict movement enough, the hackers will probably move on to more lucrative targets, or at least you will have limited the damage to a minimum.
The costs of implementation and operation are minimal compared to the benefits of digitization.
All of this is what I call Band-Aid. It helps detect and limit an attack, but it does not solve why the attacker got in the first place. Most attacks are caused by simple everyday human mistakes (e.g. leaving a window open) and automating IT work helps to remove these human errors and is by far the best way to reduce what IT pros call the attack surface that can be exploited.
And if the worst happens, and despite your best efforts, a hacker is able to do damage (e.g. ransomware), it boils down to one question. Do you have any data left to recover? Note that normal backups are not enough.
At Tietoevry Tech Services, we are happy to help your organization put the new basics in place. Let's work together to make life a little harder for hackers every day and keep our private data private.
Ready to future-proof your identity management?
Let's connect.