Unlike the first two cyberthreats discussed in this three-part series, ransomware and phishing, data breaches are rarely damaging the moment they happen. They work in a more insidious manner, and they don’t always have a clear beginning, middle or end.
Consider the Internal Revenue Service data breach of 2015. Initial reports in May of that year put the number of taxpayers whose personally identifiable information had been stolen at roughly 100,000. By August the IRS had revised that to more than 300,000. This February, six months after that revision, the number more than doubled again, to roughly 700,000. What was first reported as a breach affecting about 100,000 people had grown sevenfold.
So while ransomware is the most prolific threat of 2016, and phishing scams are arguably the most expensive, data breaches are the quietest and the least predictable.
The long-term damage of a data breach
The chief reason data breaches cause so much long-term damage is that once a person’s identity is compromised, guarding against fraud becomes very difficult: unlike a password, a Social Security number, a date of birth or a home address cannot simply be reset. If, for instance, an organization’s human resources department is breached and thousands of Social Security numbers, names, addresses and contact details are taken, the people affected may have to live with their PII circulating on the dark web for years to come.
As for the organization that suffered the breach, it is typically left paying for credit monitoring and identity protection for the victims, on top of the cost of containing the incident itself. That has been the case for the Office of Personnel Management (more than 21 million people affected) and Anthem (nearly 80 million customers), to name just two.
In other cases, the immediate damage of a breach is loud enough to make international headlines. Take the recent attack that knocked part of Ukraine’s power grid offline for around 100,000 customers, or the Bangladesh Bank hack that resulted in the loss of more than $80 million. Strictly speaking, stealing data was not the point of either incident: the damage was a physical outage in one case and stolen funds in the other. They were breaches nonetheless, and the consequences were serious. Both also bore one of the defining marks of a data breach: they were carefully orchestrated operations carried out over a prolonged period of time.
Neither the Bangladesh Bank hack nor the Ukrainian power grid attack, nor the Anthem breach, nor almost any other data breach in recent memory, was a one-and-done affair. It is not as simple as hackers punching in some code, saying “we’re in,” punching in more code and then walking away with everything they need a few minutes later. More often than not, intruders live in the network they have compromised for a long time, siphoning off information when they think no one is looking. In the Ukraine and Bangladesh Bank cases, the attackers spent most of their time simply watching network activity and learning how legitimate operators worked, all the while remaining virtually undetected.
“The goal of a data breach is to get in and out quietly.”
Even when data is stolen outright, whether gradually or all at once, an organization will rarely catch the event as it happens. In fact, Sam McLane, Arctic Wolf Networks’ Head of Security Engineering, said in a recently released webinar that the average data breach takes 200 days or more to be discovered. Sometimes the organization is not the one to catch the incident at all: it is told by the FBI or another law enforcement agency that it has occurred. In other cases, a bank’s fraud team notifies the business because an unusually high number of compromised payment cards share that business as their common point of purchase.
The reason data breaches are so hard to detect is simple. Unlike ransomware, which announces itself, a breach aims to get in and out quietly and to leave no trace that might lead back to the perpetrators. The methods vary widely and may include phishing scams, malware, stolen credentials and the misuse of legitimate remote-access and administrative tools that blend into normal activity.
If there is a silver lining, it is that nothing that happens on a network is truly invisible. Every connection, login and file transfer can be traced, provided it is being logged in the first place and the logs are retained long enough to cover a dwell time measured in months rather than days. At the end of the day, everything you need to catch a breach is right in front of your nose. It is a matter of knowing how to read it: filtering the log data for the information that matters, so that the signs of malicious network activity are spotted before they can harm your business.
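To make that last point concrete, here is an added example that is not code from the original post: a small Python detector run over constructed, Zeek-style connection-log lines. It looks for two of the footprints a long-dwell intruder described above leaves in otherwise ordinary logs: an internal host checking in with a single external address on a near-constant interval (implant beaconing), and an internal host sending far more data out than its peers (staged exfiltration). The internal range 10.0.0.0/8, the thresholds, and every log line are assumptions made for the example; the external addresses come from the RFC 5737 documentation ranges.

```python
"""Find two footprints of a long-dwell intruder in connection logs.

Added example, not code from the original post. Input is Zeek-style conn.log
text (tab-separated, with a '#fields' header naming the columns). The lines in
SAMPLE_LOG are constructed; the internal range is an assumption.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the organization's address space

SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes",
    # 10.1.1.20: ordinary browsing -- irregular timing, small uploads, larger downloads
    "1000\t10.1.1.20\t51000\t192.0.2.10\t443\ttcp\t1400\t52000",
    "1037\t10.1.1.20\t51001\t192.0.2.44\t443\ttcp\t900\t12000",
    "1210\t10.1.1.20\t51002\t192.0.2.10\t443\ttcp\t2100\t88000",
    "1988\t10.1.1.20\t51003\t192.0.2.77\t80\ttcp\t600\t3100",
    "2302\t10.1.1.20\t51004\t192.0.2.10\t443\ttcp\t1700\t41000",
    "2950\t10.1.1.20\t51005\t192.0.2.12\t443\ttcp\t1100\t9000",
    # 10.1.1.21: an implant checking in with its controller every ~300 s
    "1000\t10.1.1.21\t52000\t203.0.113.10\t443\ttcp\t1200\t300",
    "1301\t10.1.1.21\t52001\t203.0.113.10\t443\ttcp\t1200\t300",
    "1599\t10.1.1.21\t52002\t203.0.113.10\t443\ttcp\t1200\t300",
    "1902\t10.1.1.21\t52003\t203.0.113.10\t443\ttcp\t1200\t300",
    "2200\t10.1.1.21\t52004\t203.0.113.10\t443\ttcp\t1200\t300",
    "2498\t10.1.1.21\t52005\t203.0.113.10\t443\ttcp\t1200\t300",
    "2801\t10.1.1.21\t52006\t203.0.113.10\t443\ttcp\t1200\t300",
    "3099\t10.1.1.21\t52007\t203.0.113.10\t443\ttcp\t1200\t300",
    # 10.1.1.22: one 240 MB upload to an address nobody else talks to
    "1500\t10.1.1.22\t53000\t192.0.2.10\t443\ttcp\t1200\t30000",
    "2600\t10.1.1.22\t53001\t198.51.100.5\t443\ttcp\t240000000\t4000",
    "3100\t10.1.1.22\t53002\t192.0.2.44\t443\ttcp\t-\t7000",
])


def parse_conn_log(text):
    """Turn conn.log text into dicts keyed by the column names in '#fields'."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):  # other Zeek headers and comments
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        for key in ("orig_bytes", "resp_bytes"):  # Zeek writes '-' when a count is unknown
            rec[key] = 0 if rec[key] == "-" else int(rec[key])
        records.append(rec)
    return records


def outbound(records):
    """Only internal -> external flows matter for both checks."""
    return [r for r in records
            if ip_address(r["id.orig_h"]) in INTERNAL
            and ip_address(r["id.resp_h"]) not in INTERNAL]


def find_beacons(records, min_conns=6, max_cv=0.1):
    """Flag (src, dst, port) triples whose inter-connection gaps are nearly constant.

    A coefficient of variation (stdev / mean) near zero means a timer, not a human.
    """
    times = defaultdict(list)
    for r in outbound(records):
        times[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    hits = []
    for (src, dst, dport), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(ts),
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def find_exfil(records, ratio=20, floor_bytes=50_000_000):
    """Flag hosts whose outbound byte total dwarfs the median of their peers.

    The absolute floor stops tiny baselines (a few KB) from producing alerts.
    """
    totals = defaultdict(int)
    for r in outbound(records):
        totals[r["id.orig_h"]] += r["orig_bytes"]
    hits = []
    for host, total in totals.items():
        peers = [t for h, t in totals.items() if h != host]
        baseline = statistics.median(peers) if peers else 0
        if total >= floor_bytes and total > ratio * baseline:
            hits.append({"src": host, "orig_bytes": total, "peer_median": baseline})
    return hits


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_LOG)
    for hit in find_beacons(recs):
        print("beacon:", hit)
    for hit in find_exfil(recs):
        print("exfil:", hit)
```

On the constructed log this reports one beacon (10.1.1.21 to 203.0.113.10:443, eight check-ins about 300 s apart) and one exfiltration candidate (10.1.1.22, roughly 240 MB out against a peer median of a few KB). Both thresholds are starting points, not answers: a careful implant adds jitter to its sleep interval, which pushes the coefficient of variation above a tight cutoff, and a patient one spreads an upload across weeks so no single day trips the volume check. That is exactly why the retention caveat above matters; these checks only work over as much history as you have kept.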
This is part three of a three-part blog series about the top three cyberthreats facing modern organizations.