Breach fatigue
I heard a term yesterday that frightened me – Breach Fatigue (being in the Security business can make one paranoid).
As a leader in Security technology solutions for ERP, we’ve talked to thousands of organizations about their Security protocols. Many get it and are fully committed to implementing technology and best practices to protect from internal and external breach.
I said ‘many’… unfortunately, I can’t say ‘most.’
A consistent position we observe at organizations purportedly interested in adopting new technology can be characterized as – complacent. Earlier this year we met with a large higher education institution’s Associate CIO who told us – I’m paraphrasing – “we’re going to get hacked no matter what so why should we spend lots of money when it won’t stop the inevitable.”
Wow! Textbook on how to snatch defeat from the jaws of victory.
While there’s lots of press and gnashing of teeth over well-publicized breaches, we still don’t see widespread adoption of Two-Factor Authentication and/or Logging for ERP, two amazingly simple and cost-effective technologies to implement and manage.
Breach fatigue will serve to distract people. The movie ‘The Interview’ was pulled from release. At what cost? Does anybody really care? 500+ million digital identities have been compromised. FBI Director Comey warned there are 2 types of companies in the US – those that have been breached and those that don’t know they’ve been breached.
Breach fatigue. Complacency. Frightening.
Put the Appsian Security Platform to the Test
Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives
OHUG Interview With GreyHeller CEO Hendrix H. Bodden
The year has been full of cyber attacks that have left sensitive information ranging from bank accounts to social security numbers exposed and vulnerable.
From data breaches at eBay and Michaels to the recent and devastating attack on Sony, no business is safe from cybercrime, though many fail to realize the seriousness of the situation.
And it’s a problem that will only grow in severity. The value of cybercrime is expected to exceed $1 trillion by 2020, and the current market for security technology is more than $40 billion, according to Hendrix H. Bodden, chief executive officer of GreyHeller.

There Are a Wide Variety of Cyber Criminals


Mobile Device Management Increasingly Being Used for Protection


January Webinar to Focus on PeopleSoft HR Systems
The Jan. 14 webinar centers on PeopleSoft human resources systems, which also typically contain sensitive information vulnerable and valuable to hackers.
“Before the human resources systems were mobilized, they could pretty well contain them behind the corporate firewall,” Bodden said. “But now that a lot of these systems have been mobilized so you can access your paycheck, you can change your benefits, you can do a lot of employee self-service and manager self-service from your mobile device, that exposes those systems to the internet and the bad guys know that so they’re going after them.”
The third and final webinar on Jan. 21 will be presented alongside Duo and discuss two-factor authentication.


Scary UK cybercrime data
Companies, higher education institutions and healthcare organizations are fighting not only organized cybercrime rings (which make the Mafia look like a cottage industry by comparison) but also nation states with virtually unlimited funding.
Data from the UK government’s recently published cybercrime report shows the bad guys are 24×7 omnipresent:
- HMRC (Revenue & Customs) has responded to more than 75,000 phishing reports and taken down more than 4,000 illegal websites
- Worst breaches cost between £65,000 and £115,000 on average and for large organisations between £600,000 and £1.15m
But this is perhaps the scariest: Both of the two top areas for UK cybersecurity spending are a response to an “ongoing hacking epidemic, much of it with either the explicit backing or tacit approval of a nation state”.
Read the article in ZDNet: Cybersecurity Spending: Where the Money Goes
Sony Knew About Security Vulnerability Before Breach
Really? This has us scratching our heads… no editorializing necessary.
An audit by PricewaterhouseCoopers over the summer warned Sony – “Security incidents impacting these network or infrastructure devices may not be detected or resolved timely.”
The audit, performed by PricewaterhouseCoopers, found one firewall and more than 100 other devices that were not being monitored by the corporate security team charged with oversight of infrastructure, but rather by the studio’s in-house group, which was tracking activity on logs.
Auditors found that since transitioning from a third-party vendor in September 2013, Sony Pictures had failed to notify the corporate security team to monitor newly added devices, such as web servers and routers. Studio management told the auditors its corporate security team is focused on bolstering devices on the perimeter of Sony’s networks and that it hasn’t applied “the same level of rigor” for other, non-security devices such as routers and web servers.
THIS IS PRICELESS… the irony is that the confidential report was among Sony’s General Counsel Leah Weil’s email correspondence, which hackers released to public file-sharing networks earlier this week. It included recommendations for bolstering security.
How Data Masking Helps Prevent Cyber Attacks
Data Masking could have helped prevent recent, high-profile destructive cyber attacks.
How?
By scrambling or removing sensitive data from production and non-production systems, Data Masking can prevent compromised privileged user account information from being used to gain access to sensitive data such as Social Security Numbers.
Greg Wendt, GreyHeller’s Executive Director of Security Solutions and Services, said “I’m consistently amazed that more organizations haven’t implemented Data Masking or Two-Factor Authentication.”
Cyber criminals using compromised privileged user account information to access databases would not be able to actually see the data had it been masked. Further, combining Two-Factor Authentication with Data Masking would impose even tighter security on that sensitive data, ensuring that access only occurs once the Two-Factor Authentication challenge was successfully passed, often with an SMS message or secure ID token.
According to Mr. Wendt, “privileged user access is a huge threat vector that can be properly managed with masking and Two-Factor Authentication.” Privileged users are often defined as systems and database administrators in the information technology department who maintain systems and databases that contain sensitive information.
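The combination described above, masking by default and unmasking only after a passed second-factor challenge, sketched as an added example; this is not GreyHeller's or ERP Firewall's code. `Session`, `read_row`, `MASKS` and the five-minute `UNMASK_TTL` are hypothetical names and policy, and a TOTP code stands in for the SMS message or secure ID token.

```python
import hashlib
import hmac
import struct

UNMASK_TTL = 300  # assumed policy: a passed challenge unmasks for 5 minutes

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), as shown by a token or authenticator app."""
    counter = struct.pack(">Q", max(int(at), 0) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def mask_ssn(ssn: str) -> str:
    """Hide everything except the last four digits."""
    return "***-**-" + ssn[-4:]

MASKS = {"ssn": mask_ssn}  # sensitive field name -> masking function

class Session:
    """Hypothetical application session for a privileged user."""
    def __init__(self, user: str, secret: bytes):
        self.user, self.secret = user, secret
        self.verified_at = None  # time of the last passed challenge

    def challenge(self, code: str, now: float) -> bool:
        # Accept the current and previous time step to tolerate clock drift.
        ok = any(hmac.compare_digest(code, totp(self.secret, now - d))
                 for d in (0, 30))
        if ok:
            self.verified_at = now
        return ok

def read_row(session: Session, row: dict, now: float) -> dict:
    """Return the row with sensitive fields masked unless 2FA passed recently."""
    fresh = (session.verified_at is not None
             and 0 <= now - session.verified_at <= UNMASK_TTL)
    return {k: v if fresh or k not in MASKS else MASKS[k](v)
            for k, v in row.items()}

# Constructed sample record and the RFC 6238 test secret, not real data.
ROW = {"emplid": "0001", "name": "Pat Example", "ssn": "123-45-6789"}
SECRET = b"12345678901234567890"
```

A stolen administrator password alone yields only `***-**-6789` from `read_row`; the clear value appears only while a passed challenge is still fresh.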
GreyHeller’s software product – ERP Firewall – contains powerful Data Masking and Two-Factor Authentication capabilities and is used by major commercial and higher education institutions to protect their sensitive data from cyber attack.
Additional Resources:
About GreyHeller
San Ramon, California-based GreyHeller serves Oracle® PeopleSoft customers globally across all industries, helping them secure and mobilize their PeopleSoft investment. GreyHeller’s software solutions – PeopleMobile®, ERP Firewall and Single Signon – are in production at nearly 100 PeopleSoft customers. PeopleMobile® renders PeopleSoft responsive across any mobile device and desktop. ERP Firewall and Single Signon protect PeopleSoft customers from criminal and inadvertent breach. For more information about GreyHeller, please visit www.greyheller.com.
Allocation of risk in a data breach
We’re getting closer to a tipping point where organizations are going to have to prove conclusively to their customers, lenders, investors, shareholders that they are doing everything they can to secure their sensitive systems/data.
A federal judge recently rejected Target’s bid to dismiss lawsuits by financial institutions that claim Target had played a “key role” in allowing its computer systems to be compromised.
Apparently, Target had installed a $1.6 million advanced breach detection system from FireEye but failed to heed the alarms until after debit/credit card info of 40 million customers and personal info of 110 million customers was stolen.
What this means is that banks can go after merchants if they can prove the merchant was negligent in securing its systems. In the past, liability for breaches was governed by a complex series of agreements between merchants, payment processors and credit card companies.
Separately, consumers are pursuing class-action suits against Target.
If these bank and consumer class-action lawsuits are adjudicated for the plaintiffs, any organization that has its customers’, employees’ or vendors’ sensitive data compromised could be subject to costly legal action.
And certainly the cost of that legal action will be far greater than the implementation and proper monitoring of security technology.
Fluid UI – How to Deploy Safely & Securely – Webinar Recording
GreyHeller’s Executive Director of Security Solutions, Greg Wendt, leads a demo-intensive session showing how organizations can deploy fluid transactions safely using the following techniques:
- Location-based security
- Two Factor Authentication
- Field level masking
- Logging and Analysis
- Utilization of Mobile Device Management solutions
GreyHeller Presents A Two-Part Webinar