Data breaches and hacks don’t always require a hacker to employ sophisticated feats. Many exploit organizational weaknesses and carelessness, like in the recent case of the Capital One breach.
In order for companies to protect themselves from the consequences of negligence, they must give cybersecurity a seat at the table. The Capital One example shows why a cybersecurity strategy must start at the top, at the C-suite level, and flow through the organization in one streamlined protocol.
To better understand why this is the case, let’s unpack the issues that plagued Capital One leading up to the data breach.
Capital One did not intentionally make itself vulnerable to a data breach, but it did create an environment that compromised security. In a recent Wall Street Journal article, Capital One employees gave a firsthand view of the organizational problems that created the perfect opportunity for bad actors.
- Gaps in Routine Maintenance: According to one Capital One employee, “routine cybersecurity measures to help protect the company sometimes fell by the wayside.” One example was the purchase and installation — or rather failure to do so — of software that was meant to help detect malicious threats. The software was only partially installed over the course of a whole year after its purchase. The company also responded slowly to vulnerabilities in its firewall. Capital One’s cybersecurity team did raise concerns to internal auditors, senior executive leaders, and Human Resources, but it’s unclear if its concerns were formally addressed.
- Leadership Woes: In 2017, Chief Information Security Officer (CISO) Michael Johnson was brought on to oversee the department. A veteran of the federal government, he clashed with his staff as many “felt his leadership style did not match the private sector.” This culture clash precipitated the next problem: turnover.
- Massive Attrition: Capital One’s cybersecurity team became something of a revolving door as a third of the team — including senior leaders and staffers — left in 2018. The hefty drop in staffing and a changing cast did not help matters in routine security. In addition, tech employees of the bank used multiple coding languages and tools, so it became difficult for new employees to deploy a uniform strategy. This allowed the attacker to “exploit a vulnerability in the cloud that security experts have warned about for years.”
There were a myriad of internal issues that led to the data breach of the fifth-largest credit card issuer, and to its slow response. Maybe if turnover hadn’t been such a huge issue, it wouldn’t have taken the cybersecurity team 127 days after the hacker’s initial infiltration to discover the breach.
But one thing is clear: Cybersecurity should not be a function siloed in the IT department.
Cybersecurity Starts at the Top
Cybersecurity impacts the entire organization, yet many businesses leave its implementation and responsibility to their CIO or CISO. The trouble with this approach is that data breaches, vulnerabilities, and other cyberattacks affect the entire company, not just IT. The full C-suite has to take ownership of the company’s cybersecurity protocol, or else they’re leaving their organization vulnerable to bad actors. This starts by implementing:
- A companywide cybersecurity policy
- 24/7 monitoring
- Routine C-suite and executive meetings around cybersecurity
- Routine employee data security training and best practices
- Necessary technology and controls to ensure compliance
24/7 or Bust
If you think cybersecurity is a 24/7 venture, you’re correct. With companies falling prey to hackers every day, the C-suite can no longer be in the dark about its responsibility. Of course, building a team, creating a strategy, and rolling out its implementation take experience, resources, and continuity. As such, partnering with a vendor that thoroughly understands the cybersecurity landscape works best for companies that need to act quickly and efficiently.
Putting your company in the hands of a knowledgeable vendor can be the key to avoiding internal negligence, which can have catastrophic consequences.
Arctic Wolf™ Managed Detection and Response (MDR) gives you the monitoring and peace of mind you need when operating internally and in the cloud (AWS, Azure, O365, GSuite, SFDC, Box, and other cloud services). For more information on 24/7 security, check out our MDR solution.