Target, AshleyMadison, and the IRS all made news this week for being hacked and information being stolen. The difference between these? 2 years. The lesson? A hack to your system may happen over a few seconds or a few months but the effects can linger for years on your brand reputation and your bottom line. Today I want to talk about the real and lasting effects of a data breach and what it could mean for your organization.
Brand Reputation: Confession. I am a fan of Target. As in, I will drive out of my way to go there over another store that might be closer to my house, and I’m OK with knowing that I might pay more there because I believe in their quality and customer service. However, even I was worried when they announced the massive hack in 2013. Was I shopping at Target on that date? Please re-read the first line and make your own assumptions there. But was I hacked? And how would I know? Would Target tell me that my information was stolen and out in the open for anyone to see, use, and exploit? I was worried and, I'll admit, it took me a while to go back.
Did I go back? Of course I did, and so did millions of other customers. However, their brand reputation suffered in the short term, with even avid fans like myself backing away, and it continues to suffer in the long term. We all saw that Target’s brand reputation dropped dramatically after the hack. What you may not have seen is that every time a major hack happens, Target is most likely mentioned. Imagine what it does to their brand reputation each time customers are reminded of what happened. If you’re imagining more dips than peaks, you’re right. Just this week, Target settled a $67 million claim with Visa. Another reminder means another dip in the graph. Source: Huffington Post
Bottom line: Recently the FBI apprehended a group of hackers that were using press releases to get insider trading information. When banks are hacked, they often watch the money they control go into another account, another bank, another country, and they can't get it back. But what about when the hackers aren't targeting your money? What about when they go for your seemingly innocuous information?
The possibilities are still endless and are just as damaging to your bottom line. We mentioned that the decline in brand reputation causes decreased sales/business for the organization but what about the other costs to your organization? Such as:
Cost of Settlement:
As mentioned earlier, Target just settled with Visa for a cool $67 Million resulting from the 2013 hack. That was two years ago and they are still paying for the breach. Oh and they still haven’t settled with MasterCard. More to come on that I’m sure.
Cost of Fines:
Are you a hospital? Then you have even more rules and regulations to worry about. If HIPAA deems you non-compliant then you are at risk for a fine. Recently a Mass. Hospital was fined $218,000 for being non-compliant. Probably not something they planned in the yearly budget.
Cost of Monitoring/Customer Support:
Home Depot, another major retailer, another massive hack. However, when Home Depot announced to its consumers that they could be in danger, they offered to pay for one year of credit monitoring to make sure they were protected. While this did a great deal of damage control, it cost them dearly.
Looking for ways to mitigate these effects? Our infographic below includes suggestions from our own security executives. If you want to know more, contact us at firstname.lastname@example.org or leave a comment below.
The past week has been bad news for drug pumps. The FDA issued its first warning about them, and a video has been making its way around the blogosphere showing a drug pump hack. While these issues have been spotlighted this week, they are not the only devices at risk. In the past year we have seen Electronic Health Record (EHR) systems flourish, along with the ease of housing them on mobile devices, which we all know have a not-so-solid record when it comes to being breached.
So the question is, why are we still using these devices if we know they are so vulnerable? Simply put, the same reason we allow smart thermostats and refrigerators in our home - convenience.
Drug pumps are easily accessed by nurses and doctors who can give doses to patients from the nurse’s station rather than having to walk to their room. Medical records can be pulled up on a tablet in radiology and billing at the same time without having to manually walk them from one place to the other. These are all highly convenient and keep the costs, not to mention the time spent by each employee, to a minimum.
Medical devices are convenient and are improving the way we do business and the way we treat our patients. They aren't going anywhere, so rather than look to replace them, we need to learn how to secure them.
Differentiated Networks: Just like you keep your valuables out of reach of your three year old, you have to keep your devices out of reach of the public. This week in his blog, Dr. John Halamka expounded on this topic, and it was so simple and so logical it’s no wonder it often gets overlooked. He suggested setting up three different networks:
- Public: This Wi-Fi network would be accessible by patients and families and would be open and free. While you would put up firewalls and ensure some measure of security you would not need to monitor this system as you wouldn't be sharing any data over it.
- Private: This network would be for employees only. While it would be more secure, it would still be accessible to anyone with a password and would need to be monitored and governed. Only approved and secure messaging should be used on any device when sharing medical information, even if it is directly with a patient.
In the most recent Spok survey on BYOD devices, it is noted that, on average, 48% of mobile devices used in hospitals are personal and not issued by the organization. With such a high percentage, your BYOD policies and security policies should be even stricter to keep the risk of network penetration at a minimum.
- Device-Only: This network would not be hooked to any other systems or personal devices and would have no access to the outside internet. The only access to this network would be through a key provided by the security team or through an authorized device.
Firewalls: Build a gate and dig a moat. You need to make sure that you have a firewall in place to catch anything that is coming in or going out on any of your networks. While no one has ever laid down their weapons when approaching a gate, they do have to try a lot harder, and you want to put every barrier possible in their way.
Provisioning: You're a hospital administrator with 400 nurses, 200 doctors, and another 500 people making up your maintenance, billing, support, and other staff. Quick: what access does Bob Smith, RN, need? OK, that was a hard one, because we don't know what area he works in. What about Sally in HR? Do you know what access she has? What she actually needs?
Hospitals are huge organizations with thousands of employees, both full-time and contract, and just as each patient needs a different diagnosis, each employee needs different access to get their job done. With a proper provisioning tool you can automate access for specific roles, properly approve requests that go beyond a role, and ensure that only the right people have the right access and that you aren't rubber-stamping access for people who may not need what they ask for.
Culture of Security: We all know the number one reason for security breaches: user error. The number one reason for this is lack of awareness. This might be one of the cheapest fixes you could ever have. All you need is education. Build a training program that goes into new employee onboarding to discuss the importance of security in your culture. Reinforce this with articles in your monthly newsletter or tips on how to protect yourself and your information. Improve your password policies and make sure that everyone is changing them on a frequent basis so that the chance of being hacked is reduced. Lastly, build an incident response plan. Make sure that everyone knows what to do, or at least knows where to find the plan, when something goes wrong.
Benjamin Franklin stated that an ounce of preparation is worth a pound of cure. It's time to create a wellness plan to take care of our security systems just like we take care of our patients. Set yourself and your organization up for success with plans, policies, and solutions to keep your medical devices, records, and employees safe.
Welcome to the last installment of our 3-part series exploring how intelligence improves identity and access management, or IAM. In part 1 we looked at how intelligence improves the provisioning portion of IAM. In part 2 we took a look at how intelligence improved the governance portion of IAM. In this segment we look beyond just provisioning and governance to address how intelligent IAM can help to reduce the top 5 most common elements of risk: identity, resources, rights, policy, and activity.
1. Identity: In part 2 of our series, we discussed how human resources were the most dynamic risk facing security teams today. The reason behind this is that you are constantly managing changing identities. Who are you? What is your role? What do you need access to? These are questions constantly being asked by our system and can equate to hundreds or even thousands of access requests a year.
With intelligent IAM, all roles are built into the system along with the basic applications they need access to. For example, when a marketing manager is hired, they are led through the system to request access to their email account, marketing file share folder, and marketing automation software, because those are typical of their role and inside their peer group. Requests that fall within the boundaries of their peer group are approved automatically. However, if they want access to, say, the sales folder, they have to request special access. This solution gives the user guidelines rather than the all-too-common shopping cart approach, where users request items that they don’t really need and create a backlog of requests while the approver decides whether they really need that access.
2. Resources: With so many business applications, servers, mobile devices, etc., do you know which assets are critical and must be protected? Do you know which seemingly innocuous applications tie back to a server that needs to be protected?
Governance certifications exist to monitor access to the most sensitive information, applications, and servers. Intelligent IAM governance will not only monitor your most sensitive data, but will send up a flag, or an alert, when a high risk event takes place. When accounts are created outside of the provisioning system or high risk applications are granted outside of a role or peer group they will be flagged as a "critical risk".
3. Rights: Who really needs access to what? Before intelligent IAM, all provisioning and governance had to be audited to make sure that the right people had the right access to the right things. The issue was that those rights were always changing. Some applications are not as high risk and can be audited on an annual or semi-annual basis. However, there are other applications that are highly critical and must be assessed on a monthly or weekly basis. Doing this manually for all employees would be impossible.
By using intelligence, your IAM system can review rights as needed and ask for re-certification for sensitive applications. For example: an email account can be automatically re-certified each month as long as the employee isn't terminated. However, the payroll system may need a monthly manual re-certification to make sure that only the right people have access.
4. Policy: What business rules must be enforced in your company? What segregation of duties do you rely on? This is another risk taken care of, somewhat automatically, by the assignment of roles within the organization. Segregation of Duties is an easy addition, especially when set initially. Managers should not be able to both post and approve their own time cards, nor should they be able to place and approve a purchase order. Governance certification and approvals as well as segregation of duty assignments will help to mitigate this risk rather easily.
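The peer-group approval described under Identity and the segregation-of-duties rules described under Policy, as one added example (my own illustration, not Courion's product logic). Roles, entitlement names and conflict pairs are constructed: a request inside the role baseline is auto-approved, a request outside it is routed for manual review, and a request that would complete a conflicting pair is denied outright.

```python
"""Added example: access-request decisions against role baselines and
segregation-of-duties (SoD) rules. All roles, entitlements and rule
pairs below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed baselines: entitlements each role (peer group) is pre-approved for.
ROLE_BASELINE = {
    "marketing_manager": {"email", "marketing_share", "marketing_automation"},
    "sales_rep": {"email", "sales_share", "crm"},
    "manager": {"email", "timecard_approve", "po_approve"},
}

# Constructed SoD rules: pairs one identity must never hold together
# (post + approve a time card, place + approve a purchase order).
SOD_CONFLICTS = [
    frozenset({"timecard_post", "timecard_approve"}),
    frozenset({"po_place", "po_approve"}),
]


@dataclass
class Identity:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


def sod_violations(entitlements):
    """Return the SoD pairs fully contained in the given entitlement set."""
    return [sorted(pair) for pair in SOD_CONFLICTS if pair <= entitlements]


def evaluate_request(identity, requested):
    """Decide one request: 'auto-approved', 'manual-review' or 'denied'."""
    if requested in identity.entitlements:
        return "denied", "already held"
    after = identity.entitlements | {requested}
    # An SoD conflict is never approved, even when the role baseline allows it.
    if sod_violations(after):
        return "denied", f"SoD conflict with {sod_violations(after)[0]}"
    baseline = ROLE_BASELINE.get(identity.role, set())
    if requested in baseline:
        return "auto-approved", f"within {identity.role} baseline"
    return "manual-review", f"outside {identity.role} baseline; route to manager"


def apply_request(identity, requested):
    """Grant the entitlement only when the decision is automatic approval."""
    decision, reason = evaluate_request(identity, requested)
    if decision == "auto-approved":
        identity.entitlements.add(requested)
    return decision, reason


def onboard(identity):
    """Walk a new hire through their role baseline; each item lands inside
    the peer group, so each is auto-approved."""
    return {e: apply_request(identity, e)[0]
            for e in sorted(ROLE_BASELINE.get(identity.role, set()))}
```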
5. Activity: Who is doing what? And when? Visibility into all of your applications and systems is an extremely difficult task, and without an automated system it is basically impossible. Much like the alerts sent by your high-risk resources, you can use intelligent IAM to see what your users are doing with real-time monitoring and be alerted to any inconsistencies. This real-time look into your system shows you what is happening with approvals as well as risk assessment, and can take away the need for annual or semi-annual auditing. With an automated system you will be able to see sensitive updates monthly, weekly, or as needed instead of having to wait 6 to 12 months for an audit.
While the idea of an identity analytics system is not new, we believe that the use of intelligence in IAM is revolutionizing the industry. With the use of real-time data and information-backed automation, you are able to have visibility into your system at any time rather than waiting for an audit. Your decisions will be made based on the most accurate and up-to-date information.
Want to know more about how Intelligent Identity and Access Management can help you mitigate risk in your organization? Download our eBook, Improving Identity and Access with Intelligence, and learn about:
This week we are proud to present a spotlight blog from one of our trusted partners, Mr. Andy Osburn at SecureReset. With over 15 years of experience in network password reset, Andy and his team are an integral part of what makes Courion great. Take it away Andy!
Andy Osburn, Secure Reset
You can’t throw a digital rock in the IT security blogspace without hitting an article concerning the risks and consequences related to password compromise. This attention is well-placed given the numerous high profile cases of data theft and reputational losses that can be traced back to either weak or stolen passwords.
The recognition of the inherent risk in any single-factor authentication method is not new. In 2001, the US Federal Financial Institutions Examination Council (FFIEC) issued guidance on authentication in the electronic banking environment, identified the risks and controls, and concluded that, “single factor authentication alone may not be commercially reasonable or adequate for high risk applications and transactions.” This reality has generated a wider call to move authentication beyond its reliance on passwords and their ever-increasing complexity and rotation. When employed as a single factor to verify identity and grant access to critical enterprise resources, the overwhelming conclusion is that the password is simply not good enough.
The FFIEC went further to advocate the use of multi-factor authentication (MFA), where two or more of the three basic factors are used in combination:
- Something the user knows (e.g., password, PIN)
- Something the user possesses (e.g., ATM card, smart card)
- Something the user is (e.g., biometric characteristic, such as a fingerprint or retinal pattern)
So it begs the question: if the risks, consequences, and potential solutions have been known for 15+ years, why has there not been wider adoption and usage of MFA?
Well, the answer lies in the fact that the implementation of additional authentication control methods in the IT security environment must take into account many considerations, not the least of which are user experience, cost, and convenience.
Early MFA solutions that incorporated smart cards, biometric scanners, and hardware tokens, in addition to knowledge authentication, made significant strides in elevating the security of user authentication. However, the relative complexity and inconvenience of these MFA solutions hampered widespread adoption in the enterprise marketplace. This experience, together with the relatively high lifecycle management costs of the solutions, limited the scope of usage to environments requiring higher-end authentication security.
So what has changed in this intervening period through to today’s reality of enterprise environments and authentication challenges? Two things: the first of which is the acceptance of the high risk inherent in single-factor authentication and the corresponding potential for significant data and reputational losses. The second is the ubiquity of the mobile smart device.
Each of us now carries a mobile device that has tremendous capability to behave as a security token. Not only is there exceptional computing capacity, but perhaps even more importantly, we as users are now completely comfortable with employing these devices for a myriad of daily routines. It is only natural that we now look to use these devices as part of an enterprise MFA strategy.
This new mobile MFA capability is being reflected in the products available to enterprise customers from Courion partners such as QuickFactor and Ping Identity. Both companies are members of the FIDO ("Fast Identity Online") Alliance which is an industry organization created to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords.
These advances in mobile products and standards mean that the new reality of enterprise user authentication strikes a better balance between security and convenience. End users have more flexible authentication choices, and the enterprise can now leverage the significant capabilities of mobile authentication with three true factors.
Coming full circle then, it is unlikely that the password will completely go away. However, it is equally unlikely that it will continue to exist in the familiar form as we know it today. What we can expect to see is that the password will play a role as a one-time-use or rotating knowledge-based authentication component of the mobile MFA model. When employed wisely in an MFA structure, the password can still prove to be a valuable authentication factor.
For more information on how Courion works with SecureReset to create the most innovative and industry leading technology, read more on our datasheet or click here for information on SecureReset and our other partners.
By now, you’ve surely seen the signs, the sales, and the sad faces that signal the start of a new school year. While this may mean the end of summer as you know it, it also means the end of hundreds of thousands of summer internships. Did you know that 84% of college students plan on completing an internship before graduating? This means that – more than likely – you will have your fair share of interns coming and going from your organization each year.
Don’t get me wrong; interns are great! They no longer serve just to grab your morning coffee. Interns today are integral members of your team and bring a fresh perspective, not to mention extra brainpower, to your projects. However, just as with all types of employees, they also bring their own set of risks, and you need to be prepared.
It’s hard enough to know, even as a new full-time employee, what applications you need to access. Imagine being an intern and wondering what these applications are, what they do, and which ones you need. The task is daunting to say the least. The key to helping new interns, and all new employees, understand which applications they need is an IAM solution that guides them through the provisioning phase.
With an intelligent IAM solution, your new interns will be guided through the system and shown the applications they have been pre-approved for based on their role. If these interns need more privileged access for their projects, they can request it, and a request will be sent to their manager for approval. With an intelligent provisioning solution, you save your interns time by showing them what applications they need, while you cut down on the risk of interns being granted privileged access to critical applications.
I am not a millennial, but I do understand their attraction to the newest and best of everything. Who doesn’t want to be up-to-date on the newest trends? For example, do you know what kik, snapchat, yikyak, and listicle are? Neither did I, until our newest marketing intern taught us all about these new and innovative social media platforms. While interns are bringing in fresh knowledge and new applications for your company to take advantage of, you need to be aware of the risks they pose. Just like with BYOD risks, opening up your network to new social media sites, content applications, or other software can leave it vulnerable to attacks.
In order to make sure that you’re getting the best of both worlds, new information and a secure connection, make sure that you instill in your newest team members a culture of security. Through training videos, in-person demonstrations, and/or an ongoing culture of security in your organization, you will make them aware of practices such as not downloading anything without prior approval, checking with IT about your BYOD devices, and more. Not only will your organization profit from building your internal security team, but you will be imparting a vital career skill to each of your interns.
Hopefully, by the end of their session you have turned your unseasoned interns into experienced professionals. Now, as you say goodbye and send them back to school, make sure that you’re saying goodbye to their user access as well. Just as with any employee who leaves the company, your interns’ access rights also need to be terminated. Orphaned accounts are a major liability to your system and can be an easy target for hackers. Occasionally, not that any of your interns would do this, some ex-interns log back onto the system after their program is over and steal information. Terminating their access rights before they have a chance to log back in is the safest way to prevent file theft. What is the easiest way to make sure your intern’s access is terminated? You guessed it: an intelligent IAM system. The same system that provisions access for your team will also monitor it for orphaned or misused accounts, so you receive an alert if your intern is accessing applications outside of their role or if an account has gone unused for an extended period. Either instance points to your intern, or a hacker, misusing the account, and the alert identifies the orphaned or hacked account.
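The account review the paragraph above describes (orphaned, dormant and out-of-role accounts), together with the earlier series' point about accounts created outside the provisioning system, as one added example; this is my own illustration, not Courion's product logic. The account snapshot, access log, role baseline and 90-day dormancy threshold are all constructed.

```python
"""Added example: periodic account review that flags orphaned, dormant,
unprovisioned and out-of-role accounts. All data below is constructed."""
from datetime import date

# Constructed role baseline: what an intern in marketing is expected to use.
ROLE_BASELINE = {"marketing_intern": {"email", "marketing_share"}}

# Constructed directory snapshot. program_end is None for non-interns;
# provisioned=False means no record exists in the IAM system for the account.
ACCOUNTS = [
    {"user": "intern1", "role": "marketing_intern", "enabled": True,
     "program_end": date(2015, 8, 14), "last_login": date(2015, 8, 20),
     "provisioned": True},
    {"user": "intern2", "role": "marketing_intern", "enabled": True,
     "program_end": date(2015, 12, 18), "last_login": date(2015, 5, 1),
     "provisioned": True},
    {"user": "svc-tmp", "role": "marketing_intern", "enabled": True,
     "program_end": None, "last_login": date(2015, 8, 25),
     "provisioned": False},
]

# Constructed application access log: (user, application, date).
ACCESS_LOG = [
    ("intern1", "email", date(2015, 8, 20)),
    ("intern1", "payroll", date(2015, 8, 20)),
    ("intern2", "marketing_share", date(2015, 5, 1)),
]

REVIEW_DATE = date(2015, 8, 26)  # constructed "today" for the review


def review_accounts(accounts, access_log, today, dormant_days=90):
    """Return {user: [finding, ...]} for every enabled account with a problem."""
    findings = {}

    def flag(user, msg):
        findings.setdefault(user, []).append(msg)

    by_user = {a["user"]: a for a in accounts}
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are already terminated
        u = a["user"]
        if a["program_end"] and a["program_end"] < today:
            flag(u, "orphaned: owner left but account still enabled")
        if (today - a["last_login"]).days > dormant_days:
            flag(u, f"dormant: no login for more than {dormant_days} days")
        if not a["provisioned"]:
            flag(u, "unprovisioned: account not created through IAM")
    for user, app, when in access_log:
        acct = by_user.get(user)
        role = acct["role"] if acct else None
        if app not in ROLE_BASELINE.get(role, set()):
            flag(user, f"out-of-role: accessed {app} on {when}")
        if acct and acct["program_end"] and when > acct["program_end"]:
            flag(user, f"post-departure: accessed {app} on {when}")
    return findings


def run_review(today=REVIEW_DATE, dormant_days=90):
    """Convenience wrapper over the constructed snapshot."""
    return review_accounts(ACCOUNTS, ACCESS_LOG, today, dormant_days)
```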
Did I scare you away from the possibility of bringing in your fall interns? I hope not. As I said before, interns are great and can be hugely beneficial for your organization. These team members can be an integral part of your organization and should be accepted as such. However, keep in mind that they have their own inherent risks and need to be treated with the same security protocols as any other members of your team. Make sure you are building more than just interns; build strong, security-aware team members that will continue to excel long after they’ve finished their program.