Picture Credit: xresch

Understanding Cybersecurity Breaches

A sort of technological arms race is underway between hackers and security companies with the increasing value of cryptocurrencies and with the increasing frequency of online transactions in general.

But let’s go back to the roots of cybersecurity breaches for a moment.

Some of the most prominent cybersecurity breaches are surprisingly recent and involve major companies.

One would think that with the level of sophistication in modern encryption technologies and with the sheer amount of resources that large corporations dedicate to the security of their customers’ private information, such businesses would be the least likely target of cybersecurity hacks.

However, the opposite is true. In 2014, J.P. Morgan Chase & Co. announced that the private financial information of 76 million households was impacted as a result of a cybersecurity attack on the bank (Wall Street Journal). Similarly, Home Depot reported a security breach which left around “56 million credit and debit card numbers exposed” in 2014 (Forbes).

The losses and damages associated with these security breaches manifest in a multitude of forms, such as legal assistance, credit card fraud, card re-issuance costs, identity theft repair, regulatory fines, and so forth, all of which are linked to the ramifications of leaked bank card details (Forbes).

A report on the cost of data breaches by Ponemon Institute estimates that “…the average consolidated total cost of a data breach grew from $3.8 million to $4 million.”

The study also reports that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158 (IBM).

Extrapolating from this data, the 76 million compromised accounts in the J.P. Morgan Chase breach and the 56 million compromised accounts in the Home Depot breach would have incurred costs of approximately $12 billion and $8.85 billion, respectively.

This is no small amount considering the third quarter (3Q) earnings of J.P. Morgan in 2016 are reported as $24.7 billion in revenue while the 3Q net earnings for Home Depot were $2.0 billion.

So, why were the cybersecurity structures of large companies such as J.P. Morgan Chase and Home Depot so vulnerable despite their large operating incomes and resources? The pertinent risk factors in these cybersecurity breaches were inadequate experience/training, user error/inattention, and a lack of management oversight.

In short, the vulnerabilities that led to each of these cybersecurity breaches were primarily due to human risk factors: there was no lack of expenditure on the part of cybersecurity professionals hired by each of these corporations in their design and planning of security systems and the resources available to them. This fact becomes evident if one considers the purported origin of the attack:

Hackers appear to have originally breached J.P. Morgan’s network via an employee’s personal computer… Since mid-August, a couple hundred employees across J.P. Morgan’s technology and cybersecurity teams have worked to examine [the causes] (Wall Street Journal).

The fact that an employee had left their personal computer — a device with sufficient and comprehensive access to bank servers — vulnerable suggests a lack of experience/training, inattention, and a lack of preventative measures against this scenario as a result of management oversight.

Poor organizational structure, communication failure, and design/construction flaws appear to have played a key role in the Home Depot security breach, as a case study on the issue reports that stolen third-party vendor credentials and RAM-scraping malware were key in the success of the data breach (SANS.org).

In addition to human vulnerability, the Home Depot security breach demonstrated the risk factors of poor organization, since there was insufficient “network segregation” between third-party vendor credentials and the rest of the Home Depot network, a security issue exacerbated by the lack of Point-to-Point (P2P) encryption, a design/construction flaw (SANS.org). The fact that Home Depot’s security system mixed third-party credentials with official Home Depot credentials also shows poor communication between those responsible for designing security systems and those overseeing that design.

Moreover, following the discovery of the breaches, both J.P. Morgan and Home Depot immediately undertook risk mitigation efforts. Both companies scrambled to check their existing security systems for vulnerabilities and to patch them; for Home Depot, this included adding P2P encryption and separating third-party from official credentials (SANS.org).

Both companies also increased their preventative measures against social engineering attempts on their employees by mandating additional training for those employees (Wall Street Journal).

A basic chart visualizing risk.

Ultimately, cybersecurity breaches are at a medium risk, or “yellow,” with an upward arrow. The threat of cybersecurity breaches is still incredibly likely given the large variation between security systems among different corporations and the lax organizational structures of those companies, which are chiefly exploited in social engineering attempts.

The costs and damages associated with the monetary losses through theft and the legal repercussions for these companies are significant and have the potential to dampen future business prospects. This risk assessment is appropriate given the existing potential for cyber attacks, their frequently unexpected and hidden nature, and the extent of the damages incurred to business.

Further Readings and Relevant Sources