How to Avoid a Snowden-esque Security Breach at Your Company

What would happen to your company’s reputation or market share if its data was hacked?

getty_457065898_116767
CREDIT: Getty Images

This article originally appeared on Inc. Magazine and is reprinted with permission.

The recent release of Snowden, the 2016 film about exiled former cyber-security contractor Edward Snowden, highlights some of the inherent cyber-security risks that organizations face. These concerns have been reinforced by the controversy over hacked emails during the current election cycle. In Snowden’s case, it was the National Security Agency (NSA) that was breached, but the vulnerabilities he exploited exist in many enterprise-level companies as well.

Security Breaches in recent memory

While I worked at Symantec for the Norton brand, as the global digital strategist, we were always monitoring the news for security breaches. And if you look at the past few years there have been some huge ones. For instance, just look at security breaches that have happened to major corporations recently: Target, SONY, Yahoo, Dropbox, eBay, Verizon, and even LastPass, a password protection service, along with many, many others.

These breaches are especially disheartening for business because according to a recent survey of thousands of consumers by Centrify, a leading identity and access management company, 66 percent of respondents said that they’re likely to stop buying from a company that has been breached. Disclaimer, I consult with a lot of MarTech and enterprise companies that use Centrify, which is why I reached out to them for expert commentary on the Snowden security breach.

Clearly, cyber-security has emerged as one of the most compelling issues faced by leaders of enterprise-level entities.

What would happen to your company’s reputation or market share if its data was hacked?

How do breaches happen?

Compromised credentials are one of the main reasons cyber-security breaches occur and that’s the problem with depending just on credentials alone. By themselves, they don’t lend any context about who the person is, what they should be allowed to do, and what they actually do with sensitive data. Verizon said in its 2016 Data Breach Investigation Report that passwords are like salt, wonderful as an addition to something else, but not what you’d want by itself.

Edward Snowden used compromised credentials to steal classified documents from the NSA, many of which he couldn’t access at his security clearance level. He used a fellow admin’s borrowed keycard or “smart card” as well as a stolen password to access the classified documents — including those that were restricted to him.

Snowden also took advantage of the NSA’s culture of personal trust as described by Director of National Intelligence James Clapper during a hearing with the Senate Armed Services Committee. The NSA has since enacted a rule that requires two admins to work together when handling certain documents. However, the possibility of another breach still exists.

Unfortunately, the practice of IT admins and decision makers in corporations sharing their credentials with one another is not uncommon. In fact, in the aforementioned survey, 59 percent of respondents report sharing access credentials with other employees at least somewhat often. It also showed that 53 percent of respondents say it would be at least somewhat easy for a former employee to login and access data still.

What can you do to avoid a cyber-threats and security breaches?

According to Corey Williams, senior director of products at Centrify, the key to protecting against breaches is a privileged identity management system that uses multi-factor authentication (MFA). He says that the lowest hanging fruit offering the most immediate payback is to assure a user’s identity by using MFA everywhere. This will make it more difficult to turn a compromised password against a company.

“As an immediate first step we recommend that every organization enable multi-factor authentication everywhere across their applications, systems and networks. Businesses that are waiting until after they are breached to offer more secure access control than a simple username and password, their judgment and trustworthiness certainly should be called into question,” he said.

Williams describes four main areas to consider when planning and implementing a cyber-security process to protect against breaches in your organization:

1. Establish Identity Assurance

This means making sure that a person is who they say they are. A password alone isn’t sufficient for this purpose. You need to layer on additional factors to verify someone’s identity. For example, in addition to a password, extra information or factors such as a one-time code, a fingerprint or a smart card should be used. Furthermore, you need to take into consideration the user’s circumstances such as geographic location, job role, patterns of past behavior, and time of day to give context about why the person needs access and what they’ll do with it. This is known as adaptive authentication.

2. Limit Lateral Movement of Data

This means preventing people from having more access than they need. Unfortunately, it’s easier to give broad access privileges to people who don’t need that much access. That’s why you want to automate the provisioning or de-provisioning of privileges immediately. You can also restrict access to be on an as-needed basis and for a limited time period.

3. Narrow the Focus and Timing of Access

This means moving beyond broad network and system access to only giving access to a specific systems and specific commands or functions within the system. For example, if an admin needs to restart a web server, then that’s the only command they can give at that time. This way, if someone’s credentials get compromised, there’s a strong limit as to what can be done with them. This is also known as a least-privileged model.

4. Control the Whole Access Process from Start to Finish

This means monitoring everything that’s happening in real time, recording it, and being able to possibly terminate activities, if necessary. There should never be clandestine or unmonitored access to data — regardless of the admin’s clearance level.

“Comprehensive privileged identity management not only provides context-aware authentication, but further limits lateral movement, moves toward a least privilege model and captures all activity done with privilege,” said Williams.

Your company may not have data that is sensitive to the security of the US, as the data that Snowden accessed at the NSA was, however, as we’ve seen in recent years, these hacks can be catastrophic to your organization. It’s best to take the proper measures to secure and narrow access to your business systems.

No one needs access to everything all the time.

Passwords alone just don’t cut it anymore. It may be time to up-level your security before the next breach headline includes your organization’s name.