The financial services industry has yet again fallen victim to a near-catastrophic data breach. Equifax, a company that ironically offers identity theft protection, saw 143 million customer records released to hackers as a result of a flaw in its web application.
The information exposed included names, social security numbers, birth dates, addresses and driver’s license numbers. Hackers were able to access hundreds of thousands of documents containing personal information, and over 200,000 credit card numbers were also included in the stolen data. The full scope of the breach is still unknown, but it is thought to extend to customers of British companies including BT, Capital One, and British Gas. However, as the full details of the attack unravel, the question is: what can we learn?
The problem of scope
One of the biggest problems that organizations affected by data breaches have faced is understanding the extent to which their data has been compromised. Under current security models, once a hacker has breached the outer perimeter, (s)he is free to roam virtually the entire network. This means that when a cyber attack emerges, the organization cannot say with certainty how far the breach extends. Instead it is left with uncertainty that impacts not only its customers and reputation, but also its ability to react effectively.
The cycle of insanity
Equifax might not be the largest breach on record, but it is certainly one of the most high profile, given the sensitivity of the stolen data. This is yet another lesson as to why the industry must change its approach to cyber security. It also raises the question of why there is still so much emphasis on application-based security, when something as simple as an inadequately patched application was able to release such a huge amount of data, putting millions of customers at risk of identity theft and fraud.
The problem is that rather than looking to innovation as a way to address the problem, the cyber security industry as a whole continues to deploy the same protection methods and technology, yet expects a different result – a cycle of insanity. So, how do we break this?
How to fix it
Cyber attacks on the financial services industry are inevitable, because its organizations are high profile goldmines for hackers. But banks and financial organizations are missing a crucial step in the current model and putting themselves at risk. The “protect”, “detect”, “react” approach doesn’t include a step to contain the breach, which means incidents such as this can escalate very quickly. By using segmentation to break the infrastructure down into smaller chunks or ‘risk domains’ that are underpinned by policy driven encryption, an organization can stop a hacker roaming freely and unchallenged across the entire network. The result is that financial institutions can not only severely limit the impact of a breach, but also, the moment a breach occurs, already answer two fundamental questions: what the scope of the breach is, and whether it has been contained (yes).
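To make the containment argument concrete, the following added example (not from the original article) computes the worst-case scope of a breach from one compromised host under a flat, perimeter-only network and under risk domains. The host names, domain names and policy are constructed for illustration, and policy driven encryption is modelled simply as an allow-list of domain-to-domain flows.

```python
from collections import deque

# Constructed sample estate: host -> risk domain (all names hypothetical).
HOSTS = {
    "web-portal": "dmz", "web-static": "dmz", "app-api": "app",
    "credit-db": "pii", "card-db": "pci", "hr-files": "corp", "mail": "corp",
}

# Assumed segmentation policy: (source domain, destination domain) pairs that
# may communicate. Traffic inside a domain is allowed; all else is dropped.
POLICY = {("dmz", "app"), ("app", "pii")}


def flat_allowed(src, dst):
    """Perimeter-only model: once inside, any host can reach any other."""
    return src != dst


def segmented_allowed(src, dst):
    """Risk-domain model: same domain, or an explicit policy entry."""
    if src == dst:
        return False
    a, b = HOSTS[src], HOSTS[dst]
    return a == b or (a, b) in POLICY


def breach_scope(entry, allowed):
    """Upper bound on affected hosts: everything reachable from the entry
    point if the intruder pivots through each host the rule lets it reach."""
    seen, queue = {entry}, deque([entry])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and allowed(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen


def scope_by_domain(entry, allowed):
    """The same answer expressed as the set of affected risk domains."""
    return {HOSTS[h] for h in breach_scope(entry, allowed)}


if __name__ == "__main__":
    for name, rule in (("flat", flat_allowed), ("segmented", segmented_allowed)):
        print(name, sorted(breach_scope("web-portal", rule)))
```

Note that the segmented scope still includes `credit-db`, because the policy permits a dmz to app to pii path; the policy is what bounds the scope, so each allowed flow deserves review.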
Mindset must change before technology. Current solutions are flawed and follow an outdated approach to security. Companies must change to a Zero Trust security posture so that when updating their technology, it follows a new, innovative mindset, rather than continuing the insanity cycle with the next generation of flawed technology.