Obama’s 30-Day Breach Warning Is Just the Beginning
2014 was a tough year for global computer security. Targeted attacks, spear-phishing chief among them, grabbed the headlines. Barely a week went by without news of a breach, and few companies are starting the year without a nagging sense of vulnerability.
It’s no surprise, therefore, that this week President Obama unveiled plans for three new laws aimed at better protecting citizens’ data. The proposed ‘Personal Data Notification & Protection Act’ would require companies to notify affected individuals within 30 days of discovering a breach.
But much like similar proposals that have been hotly debated in Europe over recent years, this law is not enough on its own to combat the growing threat. The legislation may ‘bring peace of mind’ to consumers, but it amounts to bolting the stable door after the horse has galloped away with your data. Yes, consumers should be warned promptly so they can change their passwords and check their bank statements, but the more important outcome is that affected companies and law enforcement get the opportunity to work together to identify the attackers and shut them down for good. In short, this legislation does little to achieve that, and nothing to prevent breaches in the first place.
The danger from advanced threats and data breaches just got less digital and more physical. In December, Germany’s Federal Office for Information Security (BSI) revealed details of a sophisticated social engineering and spear-phishing attack on a steelworks: the attackers used phishing emails to get a foothold in the office network, moved from there into the plant’s production systems, and prevented a blast furnace from being shut down properly, which the report says caused “massive damage”. According to Wired magazine, this is the first confirmed case of physical damage from a cyber-attack since Stuxnet, the worm revealed in 2010 that wrecked centrifuges at Iran’s nuclear enrichment facility.
So, if Target, Home Depot and ICANN taught us anything, it’s that security needs to be a top priority, and IT teams in particular should be more cautious than anyone. Because IT staff hold elevated administrative privileges, they are often the primary target: compromising a single administrator’s account or workstation gives an attacker an easy pivot point to the rest of the network.
These phishing attacks could have been prevented by planning for human nature rather than hoping to change it. The bottom line is this: without the right protection in place, it is inevitable that one of your employees (or someone in your supply chain) will, sooner or later, receive a seemingly innocent email and click on a dangerous link. For companies without appropriate security controls and employee education in place, this year will likely be a repeat of the last.
Expert Webcast and Live Q&A - Forrester Research analyst Rick Holland and Mimecast’s Steve Malone share essential advice to protect your business against spear-phishing and targeted attacks. Wednesday, January 21 at 11am Eastern (1600 UK, 1800 RSA).