June 29, 2017
Ed Snodgrass, CISO, Secure Digital Solutions
On Friday, June 23, Anthem Healthcare agreed to settle a series of lawsuits related to the company’s 2015 data breach, which impacted 78.8 million individuals. The settlement includes a payment of $115 million and three years of additional security protections. This represents the largest amount thus far in a steadily growing list of big-dollar security incidents.
On the surface, this trend has the appearance of growing regulatory intolerance backed up by similarly increasing penalties. But there’s more to this story than meets the eye.
Every major data breach has resulted in settling the case without a single admission of liability. Settlements are negotiated between the respective legal teams, and various payments between parties are agreed to.
The results of these cases, without admission of liability, leave us wondering where the accountability lies and why such breaches, and the settlements that follow, continue to happen, even though security is now viewed as a critical component of doing business. The accountability aspect is complex and likely a topic for another day. This post will focus on some reasons breaches continue to occur.
Secure Digital Solutions has been privileged to be involved in some of the largest data breach cases over the last decade. This challenging and sensitive work gives us a unique perspective on the process, the causes and the results. While I’m not able to talk specifics, I can offer the following insights into the high-level, recurring patterns that we see in almost every one of these breach cases:
- Lack of visibility – The identified critical, core systems are known and generally well-protected. Other systems that are known, but have not been assessed and designated as critical, are not well-protected.
- Lack of ownership – Taking direct responsibility for company-owned and managed systems isn’t enough. Identification and ownership of the connectivity to those systems (vendors and suppliers, for example) is mandatory as well. Reliance on third-party attestation doesn’t cut it.
- Having it but not doing it – It’s one thing to have policies and standards written and communicated. They’re nothing but ‘shelf-ware’ unless they’re monitored and enforced.
- Lack of basic blocking and tackling – The technical requirements of a solid, secure enterprise are known, as are the processes to support those requirements. Implementing them is hard, but it must be done.
The key takeaway is that nothing on the above list is new or unforeseen. No undiscovered symptom exists that leads to compromise, nor is there a silver bullet that prevents it. Knowing your enterprise and getting back to security basics – objectives, requirements, process and appropriate supporting technology – is the most effective means of preventing a significant incident. And when an incident does occur, having the above components addressed allows for rapid and effective detection, containment and response, which should shorten the long and complex process that follows a breach.