In the summer of 2017, a number of companies made announcements as part of their quarterly statements that put cybersecurity in the headlines. The shipping giant Maersk disclosed to shareholders that an attack of the Petya virus had cost it up to $300 million due to disruptions to its ships and port terminals. FedEx Corp. reported a similar hit and for similar reasons; shipments by its international subsidiary TNT Express were slowed down by the virus.
Petya, WannaCry—the virus that encrypted data worldwide and hobbled Britain’s National Health Service—and other ransomware attacks made 2017 a record year for hackers maliciously tampering with data, sometimes for financial gain, and sometimes simply for the sake of mayhem. The FBI estimates that the incidence of that kind of breach has shot up over 300% since 2015. With the continued growth of Internet of Things (IoT) devices and cloud services, most experts agree that ransomware attacks can only increase in 2018.
Demands for money in exchange for sparing data—and the losses from disruptions caused by corrupted data, as well as possible damage to brand reputation—has helped focus attention to another side of hacking that gets lost in the furor over stolen personal records. Such eye-popping numbers should highlight the importance of protecting data not only from outright theft, but to ensure its integrity, according to experts.
If data integrity is compromised in a critical system, such as healthcare, the results can be catastrophic, including perhaps loss of life, said Avi Rubin, professor of computer science at Johns Hopkins University and technical director of its Information Security Institute. “It is important for system designers to consider ways of protecting information such that integrity attacks are either impossible or detectable.”
“Without dramatizing or sensationalising an attack like this: What’s the worst-case scenario? That’s what could happen,” said Sean Duca, VP and regional chief security officer-APAC at Palo Alto Networks. “Cyber risk is like any other business risk.”
“The biggest danger is the possibility of the rapid spread of the compromised data across the organization and the fear of ‘lack of security controls’ to mitigate that scenario,” said Sai Balabhadrapatruni, senior product marketing manager, Palo Alto Networks.
Businesses haven’t exactly been blind to the issue of data integrity, but it lags other concerns in the cybersecurity area. A recent Hiscox report noted that businesses reported more incidences of virus infestations and ransomware than denial of service attacks in 2017, but it also found businesses globally were sadly unprepared for attacks in general.
Ransomware serves as a good proxy for integrity attacks. All told, it is estimated to have cost $4 billion to $5 billion in 2017, and costs are expected to continue growing; some estimates indicate that costs will double by 2019. The actual amount and their rate of success is hard to quantify, since many victims pay quietly. But as more businesses rely on cloud services and IoT devices keep cropping up, vigilance will need to increase.
“The growth of insecure IoT devices has fueled an increase in the vulnerable attack surface on the Internet,” explained Rubin. “Many IoT manufacturers are putting out devices before they are truly ready, and often these devices are easy to compromise. We’ve already seen a large botnet attack that was based on an insecure webcam, and I’m sure we will see more.”
The growth in cloud services—Gartner estimates it will pass $300 billion this year—adds another layer of difficulty. Many organizations make the mistake of assuming that their data vendor is responsible for taking care of data and, therefore, don’t apply their own security measures, leaving data vulnerable. According to a study by the Ponemon Institute, only 21% of IT professionals say their security team is involved all or most of the time in the selection of apps and platforms for the cloud.
Organizations are “enamored with the claims that cloud vendors’ [data centers] are indeed secure…and forget the fact that they are still responsible for the security of their own apps and data,” said Matt Keil, product marketing manager at Palo Alto Networks. The services are open by default and the drivers of the cloud are typically groups that might not be as attuned to security as an information security staff would be, so human error can come into play, he explained.
“There is the automatic assumption of responsibility and accountability are interconnected, and it’s not until a breach occurs that they realize that they need to have some form of visibility, governance, and control over what they put where,” said Duca. “The cloud should not be feared, but rather requires a business to think there is a new way in which your information must be protected, and that’s now a mandatory requirement.”
Risk and value
The process can be complicated by difficulties in restricting access to data and ensuring compliance, say experts. “When you strip it right back to its core, a business should see this as a risk and work out what is the value of their data, who has access to it, and how is it protected,” said Duca.
Protecting data integrity takes many of the same steps as any kind of data protection, said Justin Cappos, associate professor at the Tandon School of Engineering at New York University. “No matter where the data is—whether it’s local or in the cloud—the folks who are managing it and dealing with it have to be responsible,” he said.
“Security in the cloud needs to be as strong as the security on your network,” said Palo Alto Networks’ Keil. Organizations should follow best practices for cloud service configuration, control access, inspect and prevent threats, and look for and block data exfiltration, he said.
The first step to take is to sort out who needs the data and limit access to only those people. Compartmentalize data, said Cappos: “Don’t put all your eggs in one basket if you can avoid it.”
Second, decide what data needs to be accessed most often and what data is most sensitive. Data that is sensitive and rarely used does not need to be in the cloud, suggested Cappos. If the business only needs data from the last month, the rest can be backed up in a secure location. Very sensitive data that is rarely used doesn’t need to sit on servers for years at a time, he said: “Save it and stick it in a filing cabinet…. Hackers have a hard time getting to data that way.”
Hiring an expert to review procedures is a good third step, said Cappos. Organizations “really need to have some sane outsider do a security audit of the way things are done,” he said. “It’s easy to convince yourself that you have a good setup.”
“Security doesn’t need to be the choke point. There are a variety of security tools and frameworks that help organizations realize the benefits of cloud without worrying about a breach that can undermine the brand impact bottom line,” said Balabhadrapatruni. “Organizations need to choose a security vendor that offers a platform approach.”
“Security can be viewed as a roadblock,” Keil added, but quickly noting that “the loss of one user record is far more costly and detrimental.”
Security in the cloud will need to be frictionless and transparent as much as possible, said Duca. The more layers that are added, the more likely users will try to find ways around it, he said. It’s important to listen to how users will use the data, and apply the right security policy according to the sensitivity and risk appetite of the business, he said.
“Cloud brings so much value to a business,” said Duca. “We need to harness it in a secure way.”