All the big breaches thus far have had one thing in common: The initial malware infections or network intrusions that gave attackers a point of entry into the network “all hark back to 2013,” Rothrock says. “A lot of bad stuff got unleashed into the world then, which found its way into corporate and government networks.”
Ghosts in the machine
Organizations just started hearing about APTs (advanced persistent threats) and understanding the prevalence of zero-day attacks three or at most four years ago. This gave attackers a window of time in which they could infect systems with sophisticated malware or embed themselves deep in the network without setting off alarms. It would be naïve to assume that all the major data exfiltrations have been found already.
“There is an executive awareness that the fox is in the henhouse and we have to do something about it, to solve the problem they know they have,” Rothrock says.
In other words, the breaches occurred years ago, but the IT teams haven’t gotten around to detecting them. They may eventually be discovered thanks to mistakes the bad guys made, improved detection systems, and so on. But we may never know the extent of the damage, because the vast majority of incidents are never reported.
Organizations are required to report stolen or exposed data only when it includes personally identifiable information or personal health information, and the majority of organizations hold neither. Because there is no regulatory requirement to report stolen intellectual property or other sensitive corporate data, industrial organizations, manufacturing companies, consulting firms, and law firms typically keep quiet.
Sensitive data isn’t just financial. “A lot of intellectual property matters. For a company that builds or designs nuclear plants, it’s one thing for attackers to attack their plants, and another if the attackers have the actual drawings telling them how to attack,” Rothrock says.
No one would have ever known about the Panama Papers stolen from law firm Mossack Fonseca last year if the files had not been leaked to journalists. The 2015 ABA Legal Technology Survey Report found that 23 percent of respondents at firms with more than 100 attorneys reported a security breach, but the names of the affected firms are not public. If plans for new airplanes from aerospace companies or research on new drugs are stolen, details of the breaches are known only to the affected organization, the consultants hired to assess and remediate, and possibly law enforcement—if they were called.
“We [RedSeal] have seen a lot of business as a result of exfiltration that [companies] don’t have to report. We get the call and we go in to address the problem. And I am sure we are not alone,” Rothrock says.
The Online Trust Alliance (OTA), a security and privacy non-profit, looked at preliminary year-end data and estimated there were approximately 82,000 cybersecurity incidents impacting more than 225 organizations worldwide. “As the majority of incidents are never reported to executives, law enforcement or regulators, the actual number of incidents causing harm combining all vectors including DDoS attacks could exceed 250,000,” OTA said.
Tallying the costs
Data breaches are expensive—and there’s more to the bill than the immediate costs of notifying the victims and hiring consultants and forensics investigators to find and fix the problem.
Other costs include downtime, lost productivity, customer churn, and lost revenue. When organizations discover breaches years after the fact, as Yahoo recently did, they must also pay for what Rothrock calls “engineering services” as part of recovery and remediation costs.
If a breach took a long time to be found, then something about the existing infrastructure made it hard to discover the weakness sooner. That calls for re-architecting the infrastructure, typically an expensive and time-consuming project. But that imperative is not always heeded. “Most people don’t try to figure out what they have and keep adding more stuff,” Rothrock says.
Restructuring our defenses
The growing complexity of networks—