An August T-Mobile data breach affecting more than 53 million people, including current, former and prospective customers, is one of many recent cyber attacks to flood headlines. The breach led to two class action lawsuits filed by customers, which accuse the company of violating both the California Consumer Privacy Act and the Washington State Consumer Protection Act. Sadly enough, industry experts believe that despite the severity of the situation, this breach will soon be forgotten about (if it hasn’t been already) due to the proliferation of extremely large breaches in the past decade.
This begs the question, has the public become numb to large breaches? Our answer is yes. This is bad for many reasons, but one in particular we would like to discuss is breach fatigue. If consumers believe that data breaches are the norm, they are less motivated to do anything to protect themselves. Take passwords for example. If a consumer’s account is breached and they don’t take steps to improve their security, including changing their password, a hacker can potentially breach other accounts or leave the consumer prone to identity theft, financial loss or damaged credit. Pro tip: This is another reason why we recommend using different passwords for every account, coupled with strong multi-factor authentication.
To play devil’s advocate here, it’s true that some consumers can feel helpless in this situation, especially when the breached vendor provides a service or product that can’t easily be replaced. T-Mobile is a perfect example of this type of service. While some customers will take immediate actions, like switching service providers, others may be less inclined to go through the trouble of switching providers.
To prevent breach fatigue from becoming more widespread and to better secure personal data, it’s important that citizens and companies, both big and small, beef up their cybersecurity. Here are a few actions enterprise organizations can take to secure their network from a large-scale cyberattack.
- Know what types of personal information you have and scale accordingly. Depending on what type of company you are and the types of services you provide, you may collect and store more personal data than another company. For this reason, it’s important that the organization be aware of the types of data being collected and how and where it’s being stored and transmitted. Regardless of the size or nature of your business, you should take inventory of all endpoints, mobile devices, applications, media storage, on-prem and cloud storage (including SaaS applications) that can access or store sensitive information. In the event that sensitive data falls into the wrong hands, this will help you identify where the vulnerability exists.
In terms of scaling and retention, keep only what you need. If you don’t have a legitimate need for data being collected, wave goodbye and keep trucking. Storing this information, or keeping it longer than necessary, increases the chance that it could be stolen or used for fraudulent activity. If your organization doesn’t already have a data retention policy, consider putting one in place. In an ideal world, all data would be classified and tagged appropriately with full lifecycles managed by policy.
- Keep track of who has access to sensitive information. For starters, which of your employees have access? Do they need or require access given their role? This is becoming increasingly important, as the industry moves towards zero trust architectures to meet best practices and various federal government contracting requirements (like DFARS and CMMC). Strong identity and authentication practices should be standard at every organization. This applies not only to humans: non-person entities (NPEs) like service accounts should also be tightly managed and monitored.
Data encryption also helps protect data from theft. Organizations deal with large volumes of data each day, most of which is seen as a business-critical asset. The challenge with encryption (as always) is key management, but there are many great tools out there for this problem, most of which integrate directly with on-board hardware-based TPM chips as well as integrated (and free) full disk encryption (FDE) tools such as Microsoft’s BitLocker.
- Protect it everywhere! In our current electronic-obsessed world, traditional perimeter-based security is old-fashioned. Say goodbye to the “castle and moat” model and hello to a distributed workforce and distributed cloud-based resources, a combination that demands a new access model. Whether you’re looking for a full zero trust strategy or starting out with point solutions like privileged access management (PAM), secure remote access, or secure access service edge (SASE), look for tools and applications that support the work from anywhere (WFA) model.
And for those uber-sensitive endpoints floating around the world, there are even micro-gateway products that can help protect endpoints from network reconnaissance and attacks.