Recently discovered breaches of critical business and government infrastructure laid bare the inherent vulnerability of connected networks. In two separate incidents, hackers tied to Russia and China exploited the network monitoring software of the company SolarWinds to break into the computers of several U.S. government agencies and businesses.
The breaches serve as a reminder of the inevitability of cybercrime. As stunning as the hacks were, more will undoubtedly come. Just consider the past: More than three billion people had their personal data stolen in just two of the top 15 biggest breaches of the 21st century, while the smallest incident since 2000 involved the data of a mere 134 million people, according to CSO.
No one is safe, not even in the workplace, where hackers hope human error or inattention opens a door to networks and files. A Dell survey in 2020 showed that 63 percent of businesses had suffered a breach within the past year. Endpoint misconfigurations of security policies caused a third of all recent security incidents, according to Bitdefender, and poor remote-management policies account for hundreds of thousands of vulnerable systems. And cybercriminals know their mark: Bitdefender found employees defy even the most vigilant security policies, with 93 percent of surveyed workers admitting to recycling old passwords.
Cybercrime pays off for the bad guys, while businesses are left with a staggering bill: The average total cost of a breach in 2020 was $3.86 million, according to IBM. It’s too soon to estimate fiscal damage from the massive hack of U.S. government agencies and businesses, or whether there will be significant damage at all. Some security experts believe Russia simply wants to have a look at systems—much as the U.S. observes Russian cyber assets—to send a signal that it has a foothold, which, in turn, serves as a deterrent against future attacks. There’s no official word yet on what the Chinese hackers’ intentions were.
Still, the enormous breaches sent shudders through government and corporate America. The surreptitious nature of the hack and how long it took to surface alarmed many cybersecurity experts. Even more, the thought that nation-states and dime-store hackers will continue to gain access to critical infrastructure and data has prompted many experts to call for new ways to approach cybersecurity.
In December, the cybersecurity firm FireEye announced hackers had swiped copies of security testing tools, leading to a broader examination that found the company had been compromised by spyware through an IT-management and security platform sold by the software company SolarWinds.
The spyware slipped past the notice of thousands of SolarWinds’ customers, including the departments of Commerce, Defense, Homeland Security, Justice, and Treasury. Post-breach analysis revealed the government and businesses—a list that includes Microsoft and cybersecurity companies such as CrowdStrike and Mimecast—had been under the eye of Russia, U.S. intelligence officials believe, since at least September 2019.
Private investigators and the Cybersecurity and Infrastructure Security Agency recently said about 30 percent of victims had no ties to SolarWinds, illustrating the wide breadth of the breach. For example, the security company Malwarebytes said hackers broke into its Microsoft Office 365 accounts by taking advantage of a software configuration. Also, just as the reality of Russian hackers allegedly taking advantage of SolarWinds software had sunk in, news broke in early February that Chinese hackers had apparently done the same, this time infiltrating a federal payroll agency inside the U.S. Department of Agriculture, stoking fears that data on thousands of government employees may have been compromised.
The breach prompted many cybersecurity experts to rethink how businesses and governments protect data and infrastructure.
Microsoft President Brad Smith called for governments and the tech sector to unite. “Digital technology has created a world where governments cannot take effective action alone,” Smith wrote. “The defense of democracy requires that governments and technology companies work together in new and important ways.”
At least one government cybersecurity expert welcomes an expanded partnership with the private sector. In the meantime, William Evanina, director of the National Counterintelligence and Security Center, also advised businesses and government agencies to adopt a “zero-trust” stance and better understand “who provides your services, where they get them from and actually how they get them, and how (that fits) in the ecosystem of the food chain for IT services.”
It’s difficult for many businesses to move beyond the decades-long approach of focusing security mostly on perimeter targets such as applications, endpoints, and networks. That strategy is still necessary, but it’s not the only one. The many different ways in which organizations create products and offer services, and the many different ways in which customers and employees create and analyze data and use applications, require a different approach.
Technology is fluid and untethered, mobile and cloud-dependent. Data, particularly, moves between on-premises infrastructure and cloud-based applications managed by different vendors. That’s why organizations need to look at the entire picture of computing when protecting their assets, including data—perhaps their most valuable asset. Effective data security requires end-to-end protection to not only safeguard the data itself but to honor privacy expectations of customers and the governments that require it via regulations.
As businesses increasingly shift more workloads to the cloud and embrace AI, analytics, machine learning, and other cloud-driven applications, they should assume a zero-trust posture. Such vigilance will ensure organizations dive deeper into how their data is safeguarded and lead them to recognize that technology exists to provide fine-grained protection of data—an ability to protect data in ways that align with regulations and internal policies.
Zero-trust protection allows organizations to see that one size does not fit all in data protection. Security must be tailored to meet an individual organization’s data-security expectations and specific regulatory needs. When organizations can set policy rules to determine who sees and doesn’t see sensitive data and maintain control over who can and can’t access the data—no matter if it’s in use, in motion, or at rest—they’re free to then make the most of their data.
Freedom engenders confidence, kicking open the door to data-driven innovation. In a world always turned upside down by cybercrime, businesses need the assurance that their data is always protected so they can use it as they please. In the end, if data is encrypted or otherwise de-identified, even if bad actors get their hands on it, what they find will be useless.