It’s estimated that by 2020, the global spend on IT security is predicted to total a staggering $128 billion. However, while companies are spending more and more of their IT budgets on security to safeguard their endpoints, data breaches originating on the endpoint are growing in frequency and severity.
A study by Ponemon found that two-thirds of companies were compromised by attacks that originated on their endpoints in 2018. These attacks can be devastating to an organization in terms of fines, reputational damage, lawsuits, and irreparable damage to customer trust. Separately, the 2019 Cost of a Data Breach study, also from Ponemon, found:
When IT security spending is increasing, why are endpoint attacks still so common? A new primary research study by Absolute discovered that a lot of security spending is done in vain since the efficacy of endpoint security tools diminishes significantly over time — unless those tools are deliberately controlled to improve endpoint resilience.
Endpoint security is endpoint resilience. The spend levels indicate that there is no scarcity of tools and controls to help make these things safe. The problem is that those things are not naturally resilient. On the contrary they are fragile. The door is ajar and the compromise happens not because there are no guards, but because the guards got into a turf battle with one another, got wounded or killed, and then the main goal of keep-the-real-enemy-away was lost. They fight, they conflict, they collide, and where there is friction there is decay. This zero-sum competition reveals how lacking in resilience they are—they can’t stay there.
Results from Forrester’s latest security survey found that 15 percent of breaches are still caused by lost or missing devices. With one laptop stolen every 53 seconds, it is wise to ensure you have measures in place to prevent putting your data at risk. Let’s look at four recent breaches that originated on the endpoint to examine what you could do now to avoid a similar fate.
In August 2018, the data of 37,000 customers of Ireland’s largest telecom provider, Eir, was compromised when an unencrypted device was stolen from outside an office building. The laptop contained personally identifiable information (PII) including names, email addresses, phone numbers, and Eir account numbers. The laptop had been decrypted by a faulty security update the previous working day.
Because of the nature of the breach, the company was forced to report the incident to the police as well as the Data Protection Commissioner. Under new European GDPR rules, companies face higher fines and punitive action for losing or misusing customer information.
In September 2018, Raley’s experienced a data breach affecting 10,000 pharmacy customers. The data on the laptop included patients’ first and last names, gender, date of birth, medical conditions, healthcare plans, and identification numbers, prescription drug records, and Raley’s Pharmacy visit dates and locations. Raley’s could not confirm whether the data had been accessed or misused, nor could they confirm if encryption was in place.
The company responded quickly to notify authorities, the press, and the people affected and has since put encryption in place added encryption to all laptops.
In February 2018, a laptop stolen from an employee's car may have contained PHI records of the city’s staff, including names, addresses, dates of birth, social security numbers, and medical information. The organization couldn't tell if data was accessed or if encryption was in place, so they had no choice but to treat the incident as a data breach.
It took 21 days for the City to notify police. Generally speaking, any delay in notifying authorities about a breach is not looked on favorably by the regulators who reward quick, decisive action.
In May 2018, a laptop was stolen from a locked vehicle in Ottawa, Ontario containing protected health information (PHI) of 33,661 residents of Canada’s Northwest Territories. The data included names of patients’ names, their birth dates, home communities, healthcare numbers, and, in some cases, medical conditions. The stolen laptop was a new device so the encryption process either failed or was missed.
Officials waited over a month before disclosing the breach publicly, and the department now faces stricter rules around remote workers and removing devices from the confines of the physical office location.
These examples show how easy an unnecessary breach can occur. There is a common thread across all of these cases — a lack of endpoint visibility and an inability to prove that:
If you don’t have visibility into your devices, you must presume that the data on that device was breached and follow the relevant breach notification processes in your industry or region.
According to the 2019 Endpoint Security Trends report, when it comes to endpoint security, less may, in fact, be more. This is reflected in wider industry trends as IT and security and risk professionals focus on streamlining and simplifying when it comes to securing their organizations’ data.
We need to get back to the basics of cybersecurity and hone in on the three ingredients for ensuring data protection at scale — people, process, and technology.
To learn more about the inevitable decay of endpoint security tools and what to do about it, read the full 2019 Endpoint Security Trends Report.