2014 provided a huge shift in the way businesses of all sizes look at cyber-security, with several incredibly dangerous vulnerabilities exploited and the devastating Sony Pictures hack. We spoke to Patrick Peterson, CEO of Agari, about the impact of 2014's attacks, how businesses can protect themselves, and why cyber criminals are no longer focusing on banks.
With the number of serious IT vulnerabilities found (such as Shellshock, Heartbleed, and Regin) hitting computer systems and generating a lot of media hype, just how damaging can a breach be, and how can businesses ensure that they minimise the impacts?
A cyber breach can be very damaging to both companies and consumers. The vulnerabilities witnessed this year have shown that there needs to be a smarter and offensive program for cyber security.
In the case of email, which is a criminal's best friend, companies that send email to consumers need to get serious about deploying DMARC (Domain-based message authentication). Industry leaders in verticals that are particularly vulnerable, like JPMorgan Chase in Financial Services and Facebook and Twitter in Social Media, have already deployed this technology.
In order to ensure that businesses are protecting themselves and their consumers from malicious cyber attacks, they need to:
First, take inventory of your customer data, whether it be order history, post code, email address, and realise the value of that to criminals, which is higher than you think, and realise what that would mean to your business if there was a perception that you had been the vector for that sensitive customer information to be stolen. If there is information you don't need, you should rethink whether you need to be storing it.
Second, make sure that information is as secure as it can be. It should, of course, be out of the reach of hackers. But since no one's data is ever 100 per cent secure, the information should also be properly encrypted, so that it will be of no use to anyone who manages to gain access.
Third, ensure that criminals can't use your brand for their own nefarious purposes. If you are like most companies and use email to reach out to your customers, make sure you are using the industry-standard technologies that guarantee that criminals can't hijack your email addresses, and that your customers will know that when they get an email from your domain, that you have in fact sent it.
With the Internet of Things generating so much data, what will be a Cyber Criminal's focus in 2015?
In 2015, third party risks will continue to accelerate. The CISO does not have control over third parties the way that they do over their own environment. Once information leaves their hands to another company, they cannot ensure that it will be protected.
An example of this can be found with healthcare records. Healthcare is up to ten times more profitable for criminals since they have more valuable information. Medical records are not protected like bank vaults. Due to this, criminals are starting to move away from banks and toward healthcare. A hospital may protect their records adequately, but when they are sent to insurance companies those hospitals cannot be certain that their patients’ information will not fall into the wrong hands.
What was the most effective IT security industry evolution in 2014?
In 2014 we saw the rise of information sharing initiatives. These are fundamentally changing what can be done for companies. Criminals share information in real time and are not regulated, so why shouldn’t security firms also share information? Agari and Palo Alto Networks are an example of these sharing initiatives. Our two companies are banding together in hopes of enhancing threat prevention of malware and advanced persistent threats globally.
Huge thanks to Patrick for chatting to us; you can find him on Twitter @Peterson_Agari. If you enjoyed this interview or found it helpful, you can vote for Agari in the Tech Trailblazers 2014 security awards.