Avoid Breach Fatigue: Lessons from the JPMorgan Attack

On Oct. 2, JPMorgan Chase disclosed in a securities filing that a recent data breach at the bank impacts 76 million U.S. households. The scope of the attack on the nation’s largest bank had many shaking heads and wondering how something like this could happen to a corporation with such vast resources and (presumably) strong security controls. Unfortunately, it appears that the current climate of frequent high-profile data breaches has become the “new normal.”

JPMorgan Chase Breach

Few details on the JPMorgan Chase breach are available. The SEC filing simply states that 76 million households and 7 million small businesses were impacted, and that the attackers stole name, address, phone number and email address information. The disclosure went on to say that the bank has not seen “any unusual customer fraud related to this incident”.

News outlets are reporting that the bank is working with the FBI and Secret Service to investigate the incident. A recent New York Times article reports that the attackers responsible for the breach may have also targeted nine other organizations. The article goes on to say that unnamed sources have suggested the attacks may have originated in Russia.

The Bigger Picture

The past 12 months are unprecedented in terms of high-profile data breach announcements. Target kicked things off in late 2013 with their announcement of a massive breach which had a major financial impact and ultimately resulted in the ouster of Target’s CEO. In 2014, data breaches have been reported at eBay, P.F. Chang’s, and Home Depot, just to name a few. The constant stream of breach announcements has resulted in “breach fatigue” for many in the technology industry.

October is National Cyber Security Awareness Month, and at a recent conference to kick off that campaign, the Department of Homeland Security’s Dr. Phyllis Schneck, one of the nation’s leading cyber security officials, gave some insight on what we can expect in terms of data breaches going forward. “We will get attacked,” said Schneck. “You will turn on the news every morning and see probably another big name that says they’ve had a breach. The point is, can we continue to run while under attack, [and] can we minimize the harm that it does to us?”

What Actions Should I Take to Protect my Organization?

If your organization is to succeed in this “new normal”, where the threat of a cyber attack looms constantly, you’ll need to take a few steps to ensure you are adequately prepared.

1. Data Inventory. First, companies need to understand WHAT types of sensitive data they maintain and WHERE they are located. You can accomplish this by creating and working with a cross-functional team to identify the types of data your company creates, stores and processes. Once you understand what data you have, the next step is to work with your technology and business process experts to determine where the data lives.  

2. Risk Assessment. Once you have completed the data inventory, you’ll need to determine the risks to your data. A risk assessment will help you understand the controls currently in place to provide protection. It also evaluates the likelihood and potential impact of various scenarios (e.g. a major data breach). Completing the risk assessment will help you understand how and where to direct your resources.

3. Technical Assessments. Technical assessments, such as network vulnerability assessments and penetration testing, provide validation that your technical controls are working as designed to prevent cyber attacks. These assessments should be performed periodically and after major changes in technology or business processes.

4. Security Monitoring. Monitoring network traffic and system log files for known attacks and anomalous activity can help to detect attacks that may have made it through your defenses. With the sophistication of cyber attacks constantly increasing, it’s important to have a monitoring capability in place rather than relying completely on your preventive controls.

5. Response Plan. Finally, you need to make sure you have a solid plan of action for responding to cyber security incidents. In our new climate of frequent data breaches, we need to be prepared to respond properly and in an organized manner when bad things do eventually happen. A thoughtful, well-coordinated response can have a huge impact on how the general public (and the marketplace) perceives a data breach.

The JPMorgan Chase case points out that even the nation’s largest, best-funded companies struggle to defend themselves from data breaches. In order to be effective in this new environment, companies need to view data breaches as something that is largely inevitable, and work to ensure they have proper controls in place to prevent, detect, and respond to events when they happen. Developing this type of security process maturity will help set companies apart from their peers when the inevitable occurs.

Jason Riddle is practice leader for LBMC Managed Security Services, where he helps clients defend their networks.
