Organizations that oversee sensitive information remain woefully unprepared to fend off increasingly clever and sophisticated data raiders, according to a sobering new study.
Nearly 70 per cent of those hit by data breaches in 2014 found out about the infractions from outsiders such as police or customers, according to a report issued Tuesday by Silicon Valley security software firm FireEye Inc. Data breach victims took a median of 205 days – almost seven months – to realize they had been hit, giving "attackers … a free rein in breached environments far too long before being detected," the report said, while "run-of-the-mill cyber criminals" out to steal credit-card data are becoming harder to distinguish from state-sponsored attackers due to advanced camouflaging tools and tactics.
Despite increasing awareness of cyberthreats and investments to protect sensitive data, including personal customer information and corporate secrets, corporations appear to be falling behind in their efforts to counter hackers. Many companies are better prepared for fires, floods and ice storms than data breaches, which "are more likely, and likelier to have a more significant business impact" than other emergencies, said John Proctor, vice-president of global cybersecurity with Montreal information technology services firm CGI Group Inc.
At the same time, corporations increasingly realize there is little they can do to stop data raiders from penetrating their firewalls and getting past their anti-virus software. Leading cybersecurity providers are more focused on containing malicious software programs that have already entered corporate servers and constantly monitoring networks to prevent the invaders from uploading data to anonymous cybercriminals located around the world.
Catherine Beagan Flood, a litigation partner with Blake, Cassels & Graydon LLP in Toronto specializing in privacy and cybersecurity issues, said cyberthreats are becoming a "high-priority issue" for senior Canadian executives, though she added, "I think at the moment [they have] almost a sense of resignation that this is what the world is like now … and with the recognition that sooner or later it will happen to their company."
Last year, high-profile hack attacks on Home Depot, JPMorgan and Sony Pictures, among others, compromised tens of millions of customer accounts and led to the leak of confidential information, such as credit-card data and embarrassing internal e-mails. According to cybersecurity firm Risk Based Security, five of the biggest 10 hacks ever happened in 2014, while 1.1 billion records were compromised in 3,014 data breach incidents around the world, up from the previous record of 822 million exposed records in 2013. At least, that's the number of known breaches; experts say that data breaches remain underreported, and legislation now before the Canadian Parliament would make data-breach reporting mandatory.
The FireEye report found many organizations are vulnerable to mistakes by their own people. More than three-quarters of "phishing" e-mails – messages meant to fool recipients into sharing passwords and login information to access protected servers – came from hackers impersonating the company's information technology department or suppliers of anti-virus software in 2014, almost double the level the previous year, the report said.
But IT professionals are also falling short in how they build protective layers around their stores of data. In some cases, "even minor configuration mistakes" in the systems architecture can leave gaps allowing hackers to enter and roam freely around their systems.
Furthermore, almost every hack attack investigated by FireEye subsidiary Mandiant was found to contain "the same primary security gap": that employees required only a user name and password to remotely access corporate servers and not an extra authentication tool, such as a random code sent to a secondary device like a smartphone that can give added protection.