A Lesson in Cybersecurity Simplicity from the Capital One Breach
The lesson from the recent Capital One data breach can be summed up with the KISS principle. Simplicity is hard to beat, even in cybersecurity. Let’s look at why this breach happened and what organizations can do to shore up their cybersecurity defenses with seemingly simple solutions.
Peeking behind the Capital One headlines
The headlines about the Capital One data breach emphasize impact: more than six million Canadians were compromised in this data breach. Over a million Social Insurance Numbers (SIN) were exposed. Victims can receive free credit monitoring and identity theft insurance to reduce the sting of their private information being stolen from their trusted provider.
This is scary stuff, but the most chilling part of the story isn’t even covered in some of these reports: The data was breached due to a vulnerability caused by a misconfigured server. Those two words—misconfigured server—left chief technology officers and chief information security officers around the globe trembling. Server configuration is part of the basic line of defense in cybersecurity.
The lesson from Capital One is about simplicity. Good cybersecurity hygiene matters and it’s the first and best defense against data security breaches. To manage this ongoing and increasing threat, enterprise-level organizations must get serious about mastering the basics.
Getting back to basics: 5 simple ways to boost cybersecurity in your organization
- Resource your IT department appropriately – According to the EY Global Information Security Survey,[i] 87 per cent of organizations don’t have enough money in their IT budgets to fund the cybersecurity and resiliency programs they want to implement. And, as we saw with Capital One, missing a basic security protocol can lead to costly and embarrassing outcomes. Dr. Ann Cavoukian, Executive Director of the Privacy by Design Centre for Excellence, told the CBC, “Companies are simply under-resourced. They’re not devoting the resources required for strong security.” Having enough properly trained IT resources means your team can dedicate time to testing and uncovering vulnerabilities and mistakes before it’s too late.
- Encrypt your data – Encryption protects private data in transit (such as in email and other communications) and at rest (on your network). It’s important to have a scalable encryption solution that offers multiple delivery options, is easy for employees and clients to use, lets users recall encrypted messages even after they’re opened and is easily integrated with solutions you already use, such as Office 365. In a recent Echoworx survey, 53 per cent of the IT professionals and decision-makers surveyed said encryption technology was very important or critical to their organizations. And yet, only 40 per cent of respondents said their organizations are using data privacy technology extensively. Again, here’s where simplicity triumphs: an encryption solution can only be effective when it’s used.
There are also financial incentives for using encryption. A recent Forrester Total Economic Impact™ study, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits.
- Know your risks and assets – Cybersecurity efforts are more effective when they’re based on a strategic framework, instead of piecemeal solutions. It’s important to identify (and address) risks such as outdated security protocols, data protection, careless employee behaviour, identity and access management, etc. Identifying key assets and data—and increasing security around them—is another essential part of a strategic cybersecurity infrastructure. Increase support for cybersecurity initiatives by helping your board of directors understand the real risks companies face with inadequate cybersecurity programs and resources.
- Use a privacy by design approach – With so many organizations pursuing digital transformation, there’s a perceived need for speed. What’s even more essential is building privacy and data protection into new digital programs and processes. Frédéric Virmont, a cybersecurity industry expert, says, “Security is like quality; it must be from the beginning to the end of the life cycle. If you wait until the end of the product, it’s too late. Once the house is built, it’s too late to add emergency exits.”
- Train your staff on cybersecurity – A recent PwC reportfound that 32 per cent of respondents consider insider threats more costly and damaging than external incidents. Insider threats can be accidental or intentional, so education and proper security protocols are the first line of defense against them. Educate employees about the importance of using security programs and processes and how to identify and report suspicious incidents. And by choosing effective cybersecurity platforms –encryption for example—that are also easy to use, you make data protection the path of least resistance. Cybercrime, including social engineering and spear phishing, is more sophisticated than ever; wise companies create informed workforces capable of identifying these cyber threats.
With the average cost of data breaches at $141 per breached record (and more than double that for healthcare organizations),[ii] isn’t it time for organizations to keep it simple and master the basics of cybersecurity?
By: Brian Au, IT Specialist, Echoworx