It is the one-year anniversary of the Cambridge Analytica scandal, which revealed that 50 million Facebook profiles had been harvested. Terry Ray, SVP and Imperva Fellow, looks back at how the scandal has affected the security landscape and whether a breach of that size could occur again.
How has the global security landscape changed as a result of the scandal?
Facebook isn’t done with the news yet. In fact, just this week we saw their services offline for hours in what was considered their most severe outage to date. Regardless, the past year has been a rough one for the company, starting with the sharing of user data with Cambridge Analytica and proceeding to a breach affecting 30 million accounts at the last tally. Facebook can only be given partial credit for the changes occurring in data security today. Breaches of varying sizes occur every day. Over the years, we have seen many high-profile data loss breaches, like Facebook’s loss of 30 million user records, cause corporate executives and boards to ask their security teams, “What are we doing to avoid this?” A significant data security shift began several years ago, in large part due to these major breaches in the news. The shift is one of responsibility within an organisation.
Why do such breaches occur?
Traditionally, volumes of data reside in a few primary technologies within organisations, the most common of which are e-mail servers, file servers and databases. E-mail server breaches are typically only relevant to corporate property, like what employees say or do. Remember the 2016 elections or the e-mails in a major Hollywood studio breach? Often, somewhat more damaging breaches result from insecurities around files which can hold vast amounts of data in what is called an unstructured method. This means the data could be in just about any format and sometimes makes it harder for the attacker to get to volumes of valuable data quickly. You might recall the Mossack Fonseca or Panama Papers breach.
However, as much as we might remember e-mail and file server breaches, databases are the most common target of attackers since they store vast amounts of data, and by virtue of the need to get data from them quickly and efficiently, that data is stored in a structured, easy-to-find and easy-to-gather way. There are too many to list, but a simple search online for ‘database breaches’ will yield more than you need to get the picture. Facebook is a large, notable, household-name example of this, which brings such breaches home for us all.
Going back to the shift, if you go back five years, very few corporate security teams took responsibility for the security of databases. Databases were the responsibility of database administrators and were often highly sensitive to possible impacts from security controls utilised in other parts of a corporate infrastructure. The security landscape around data has begun to change, such that many companies have assigned data security responsibility to the Chief Information Security Officer, meaning someone, and often a team, is responsible. However, many of them are still trying to figure out what needs to be done to affect security in the data space.
Has the industry bolstered its security strategies?
Most companies have security strategies, as well as regulations per industry, country or type of data stored. Security teams commonly operate using various security frameworks in whole or in part, like NIST and CIS, designed as best-practice guidelines on how to operate a security function before, during and after a breach. These systems and regulations do provide some instruction for data controls, but industry experts are quick to point out that the frameworks and regulations provide the ‘what to do’, but almost none provide the ‘how to do it’. The result is that there is more activity around data security in organisations, but how companies go about defining what data security means to them and, more importantly, how they go about providing this security varies wildly from company to company.
Is it possible for something of this magnitude to occur again?
Data breaches of the Facebook magnitude are certain to happen again. Data security is not only a new responsibility for security teams; it’s also a new discipline in the world of cybersecurity. There are some of us in the industry who have lived data security for almost two decades, but consider how hard it is to hire a data security expert. A search on LinkedIn for “Data security” yields 170,000 people who claim to have the skill. This is in comparison to a search for “Network security”, which yields 1.8 million results. Experts are hard to find for data security, so companies either have to learn as they go, pay for an expert service or, more commonly, look toward AI and machine learning to supplement their human manual expertise.