Capital One and its customers are the latest victims of a high-profile data breach impacting more than 100 million current and prospective credit card customers. The compromised data included personally identifiable information such as name, address, email, social security number, credit score and bank account information. The breach occurred when a former software engineer discovered unencrypted sensitive data belonging to Capital One Bank that was stored improperly on Amazon Web Services and copied it to GitHub, a popular web-based platform for software version control used by many developers. Capital One's breach is the third largest data breach of a financial services company. In 2017, Equifax had more than 145 million records stolen. Heartland Payment Systems had more than 130 million records stolen in 2009.
Ten years have elapsed since the Heartland incident, and large data breaches continue to occur. A closer look at recent history offers three lessons about cybersecurity maturity.
- Cybersecurity capability is immature at many companies, regardless of size, due to organizational inertia. Capability is the intersection of people, process, and technology. Despite cybersecurity being acknowledged as a top business risk, the level of meaningful change at most small and medium-sized businesses is woefully inadequate. Our workforce is aging, and much of that aging IT workforce supports legacy processes and maintains legacy technology. Adopting new technology is powerful but also challenging if processes don't change. That challenge is compounded by hiring and training constraints that erode capabilities. When the velocity of external change overwhelms internal change, the modern answer is to adopt cloud solutions, but the inherent risk remains.
- Cloud solutions are built on new and legacy technologies and on infrastructure that leverages shared resources, which affords businesses economic and time savings in the near term. They operate at a much larger scale, capable of transporting, processing, and storing vast data volumes. Inevitably, as these systems age, new vulnerabilities are discovered and attackers attempt to exploit them. New technology is not immune to attack, and when an attack succeeds the payoff is large. These solutions are built and staffed by people who face similar workforce constraints, which leads to increasing third-party risk. Companies rely on them to properly configure and patch hardware and software, monitor and investigate incidents, and notify affected customers.
- Third-party risk is accumulating. Businesses rely more and more on third parties. These relationships provide varying degrees of assurance, which allows operational risk to be transferred to the third party, but some residual risk always remains. The reality is that competitive markets make hiring and retaining talent difficult. As a result, service or product quality may suffer for a myriad of reasons. In particular, economic or social conditions may compel insiders at these providers to rationalize abusing their access to, and knowledge of, the sensitive data being handled. This is precisely what happened with Capital One Bank, which relied on Amazon Web Services as part of its chain of cybersecurity.
What should companies learn from this latest breach?
- Focus on holistic cybersecurity capability that balances retention of human resources, updated processes, and right-sized security technologies. Too often the cybersecurity budget is spent only on protection tools for the data, assets, and systems a company identifies as critical. The NIST Cybersecurity Framework guides maturity beyond protection to detecting when protections fail, responding to incidents, and restoring normal operations.
- Ensure cloud solutions are vetted for the security controls important to your company. Ask for an independent assurance report such as a SOC 1® or SOC 2®. Update contracts so that terms and conditions for cyber-related risks, including insurance coverage, are specified and acknowledged. Review and/or purchase cybersecurity insurance coverage that is aligned with your organization's risk.
- Establish a third-party risk management program that annually reviews the cyber risks that could result from a third-party breach. This should include contractual requirements for notification of significant security incidents affecting company data.