As we round out 2016, looking back on the year, there was a record-breaking number of cyber-attacks. From attacks on huge companies to global banks and U.S. government breaches, no institution is immune whether public or privately run.
With new hacks happening on an almost daily basis, it is clear we are in a security revolution – one where hacking has evolved from being carried out by novices to organized and professional criminals. The sheer number of different tools to carry out an attack, their complex nature and evolving character have made them difficult for institutions to stay protected. There are some regulations in place like HIPAA, PCI DSS and ISO that offer standards for how to conduct security, and there are also industry best practices that have become accepted as proper procedures; however, these serve more as a guideline and there are still many ways for institutions to respond to their security approach. For example, many have adopted firewalls, encryption, multi-factor authentication, data access controls, and security patches as tools to protect against security attacks, but are these standards enough?
Let’s use some of 2016’s top breaches to take a deeper look.
In the wake of two major breaches, Yahoo has maintained that they have invested in security. “Over the course of our more than 20-year history, Yahoo has focused on and invested in security programs and talent to protect our users,” Yahoo said in a statement to Reuters. “We have invested more than $250 million in security initiatives across the company since 2012.” However, despite the fact they invested in security to protect their users, passwords and user information was still stolen.
Banking systems were hit hard this year. Hackers in 2016 stole equivalent to $31 million from accounts that banks keep at Russia’s central bank and hackers stole $101 million from Bangladesh’s central bank. They gained access to SWIFT and the bank robbers made five transfers out of Bangladesh Bank’s account at the Federal Reserve Bank of New York. Though they tried to steal $951 million, the Feds cut them off before completing their hack.
The banking industry has proposed rules regarding cyber risk management standards that go beyond existing requirements and best practices. They have protocols like firewalls and encryption standards in place as regulations required, yet it is clear hackers are still finding ways to penetrate their networks.
Also take the U.S. presidential election. Governments house a lot of sensitive information and we have all heard recently about the email systems, what can and can’t be sent from different servers and industry standard tools that keep them protected. Nevertheless, the U.S. elections and the DNC systems were hacked this year (and we are still figuing out the details around it months later).
All these breaches have one thing in common – they were all using security best practices that are industry accepted.
Cybersecurity protection efforts have largely fallen on private sector institutions, but many government officials and security experts believe not enough is being done and more standard regulations are needed. The current federal regulations in place don’t specify what cybersecurity measures must be implemented and require only a “reasonable” level of security, which leaves room for interpretation. However, as the number of security breaches and threats continue to rise, it is time we start to take a closer look at the standards we are using and re-evaluate what tools are needed to keep information protected from. Cyber hacks have become more complex and it is time we figure out how to flip the switch on them as well.
