Cyber Investigator Chronicles – a guide to the villains



If you’ve been following the news recently, you’ll know that cybersecurity is becoming increasingly important. It’s crucial that company executives take the threat of a cyber-attack seriously, as a data breach has the potential to inflict long-lasting, perhaps irreversible, damage on an organization. Fortunately, as you’ll see in our brand new comic story, Gemalto’s Cyber Investigator Chronicles, enterprises can protect themselves if they take the threat seriously. To defeat your enemy, you must understand their motives and techniques.

Here’s a guide to the villains of our Cyber Investigators comic. While they may be fictional, there are many, many people exactly like them across the world, ready to attack your organization. That’s why you must be prepared.

And don’t worry, before you ask, there aren’t any spoilers.

The hacktivists

As you’ll find out in our comic, not all hackers are driven by money. Some seek to destabilize governments and organizations in pursuit of political ambitions. A recent example was the cyber-attack on the Democratic National Committee, which was probably politically motivated. Often these hackers seek to acquire emails or documents that could cause embarrassment for an organization or state institution. Alternatively, they might try to shut down a company’s networks, preventing the enterprise from functioning and inflicting long-term damage.

The mercenaries


A lot of hackers are just in it for the money. As our comic villain says, “we’re going to make a fortune”. Cyber-attackers who fall into this description use lots of devious techniques. Some use malware to exploit a vulnerability in security systems, accessing customer data, which they then sell on the dark web (if you’re unsure what we mean by ‘dark web’, check out our JustAskGemalto website). Others might block access to data on individual machines or servers, using malicious software called ransomware, and demand large sums of money to restore access. This type of attack has become increasingly common, affecting several hospitals in the United States.

The malicious insider


Sometimes hackers act in conjunction with a malicious insider at an organization or government body. These people can have different motivations – as we promised no spoilers, we won’t reveal anything here about our comic book villain’s intentions. These insiders might provide their username and password to a devious cyber-attacker, or deliberately leak confidential information to embarrass their employers, or give privileged access to an attacker through some other means.

There are other players in the cyber attacker landscape; anarchists after chaos and disorder, opportunists, egotists trying to demonstrate their cleverness and nation states or corporations engaging in (corporate) espionage.

As you can see, hackers can have a variety of motives, and can be extremely devious in achieving them. You may not think yourself a target, but if your customer is one, or you’re a supplier to another, you may fall into the crosshairs. By securing the breach, taking steps to deploy effective authentication, encryption and key management systems, it’s possible to reduce the impact of any cyber-attack.

To find out more about the different types of hackers – and, crucially, how to stop them – make sure you read our comic and follow the Cyber Investigators as they fight some dangerous enemies. Plus, you can join our CrowdChat, where I will be taking part in a discussion on issues raised in our story.

Network World: 2017 breach predictions

In 2017, we’ll see more intricate, complex and undetected data integrity attacks and for two main reasons: financial gain and/or political manipulation



We’ve reached that time of year where everyone in the security industry is pulling together predictions for what we expect to see over the next year, and/or slowly backing away from any imperfect predictions we might have put forth the year before.

Last year, I offered up a number of predictions, but the one continuing to make huge waves in 2017 is around data integrity attacks. Quite simply, I expect that we’ll see more intricate, complex and undetected data integrity attacks and for two main reasons: financial gain and/or political manipulation.

Data integrity attacks are, of course, not entirely new. Data integrity is a promise or assurance that information can be accessed or modified only by authorised users. Data integrity attacks compromise that promise with the aim of gaining unauthorised access to modify data for a number of ulterior motives. It is the ultimate weaponisation of data.

A few classic examples include the 2008 case of Brazilian logging companies that accessed government systems to inflate logging quotas and the famous 2010 story on how the Stuxnet worm used very minor changes to attempt to destroy Iran’s nuclear program. In 2013, a Syrian group hacked into the Associated Press’ Twitter account and tweeted that President Obama had been injured in explosions at the White House. (That single tweet caused a 147-point drop in the Dow.)

Fast forward to 2015 when Anonymous began releasing financial reports exposing firms in the U.S. and China trying to cheat the stock market, in one case, damaging the brand reputation of REXLot Holdings, a games developer that had inflated its revenues. The same year, there was the JP Morgan Chase breach and subsequent attempt at market manipulation. Which leads us, of course, to 2016, with the World Anti-Doping Agency and Democratic National Committee breaches, both examples of how hackers are using data integrity attacks to embarrass organisations.

How will cyber attacks get worse?

What’s different now from last year’s prediction? Why will these attacks get worse? The first generation of cyber attacks were about cutting access to data, and then we moved on to data theft. Now, we’re starting to see evidence of that stolen data being altered before transition from one machine to another, effecting all elements of operations.

The proliferation of the Internet of Things (IoT) means hackers have a seemingly infinite number of different attack surfaces and personas that they can manipulate. Use your Fitbit as an example, and look at the number of people who touch it—the user, the manufacturer, the cloud provider hosting the IT infrastructure, the third parties accessing it via an API, etc. This creates a cross-pollination of risk that the security industry has not seen before, and that’s just one person’s “thing.”

Today’s connected world constantly generates mounds of data that businesses, industry pros and analysts use to drive decisions, make projections, issue forecasts and more.

Data integrity attacks have the power to bring down an entire company and beyond. Entire stock markets could be poisoned and collapsed by faulty data. The power grid and other IoT systems from traffic lights to the water supply could be severely disrupted if the data they run on were to be altered. And perhaps the greatest danger is that many of these could go undetected for years before the true damage reveals itself. What’s at stake is trust. Decision-making by senior government officials, corporate executives, investors and average consumers will be impacted if they cannot trust the information they receive.

What you can do to protect data

At this point, you’re probably terrified—or morbidly depressed. Is there anything we can do? And the answer to that is yes. When I talk to the businesses we work with, one of the first questions I ask is, “What are you trying to protect?” If you don’t know what data you’re trying to protect, there is no point in spending money to protect it. It’s a straightforward enough question perhaps, but it isn’t very easy to answer. Despite this, working out an answer is one of the most fundamental things an organisation can do towards making itself secure. Last month’s blog, Securing the breach trumps breach prevention, detailed some additional tangible steps you can take.

Breaches will continue to happen—to expect otherwise would be unrealistic. But as their scale and complexity grows, focusing on them first would take up all of an organisation’s IT security bandwidth. A better starting point is to know what you are trying to protect.

This blog post also appears here in my regular blog for Network World.

Network World – Securing the Breach Trumps Breach Prevention

Data breaches aren’t going away, and the costs of a breach are becoming more tangible. By implementing a three-step approach, organizations can prepare for a data breach.

In my prior posts, I discussed both the changing face of data breaches and the reality distortion field surrounding today’s IT security professionals when they talk about effective ways to combat data breaches. Three things we know for certain, though, is that data breaches are not going away, our adversaries are continuing to innovate and attack, and the costs of a breach are becoming more tangible.

Just this month, Verizon claimed the massive hack on Yahoo caused irreparable harm to the tech company in terms of customer trust, possibly allowing the wireless provider to withdraw from or renegotiate the terms of its $4.83 billion acquisition agreement. Also, in October, the U.K. Information Commissioner’s Office hit TalkTalk with more than $400,000 in fines for its 2015 cyber attack.

Breaches are going to happen. Not only is there a need to move from a breach prevention to a breach acceptance mindset, but we need to invest security dollars into the technologies that help us prepare for these occurrences and protect our most sensitive information. To do this, each organization needs to address a number of key questions and issues, including the following:

  1.  How do you define sensitive data?

More focus needs to be placed on understanding what constitutes sensitive data and setting parameters for defining it. For example, a company’s customer service and IT departments may have very different ideas on sensitive data. Every organization should have an enterprise-wide security policy that clearly lays out information classification guidelines (public, confidential, regulatory, etc.), what happens at each classification (public information can be shared by anyone, confidential information must be encrypted), as well as measures to ensure compliance with external regulations such as PCI-DSS and HIPAA, among others.

  1. Who accesses your data?

Enterprise data lives in more places than ever before. Companies need to protect themselves not only from external threats, but the misuse of data and malicious attacks by insiders as well. After sensitive data has been defined, organizations need to regulate who has access to it and on which devices. Multi-factor authentication (MFA), also known as two-factor or strong authentication, can help by ensuring that users, no matter where they are, are whom they claim to be and are authorized to gain access. MFA also can enable role-based access, ensuring users have the appropriate level of entry for their position and function, and that the organization has a way to provision, manage and report on each group.

  1.  Where is your data?

Whether it’s within physical networks, virtualized environments, the cloud or in motion, data is in more places than ever and enemies are not always obvious. In fact, a recent global study conducted by Gemalto and the Ponemon Institute found that half of all cloud services and data stored in the cloud are not controlled by the IT department.

  • Companies need to first locate where sensitive data resides within their  organizations. Is it stored in databases, file servers, endpoint devices, storage networks? Is it located on premise, virtually or in the cloud? This is important to determine because encryption can be employed in multiple locations and cover both structured and unstructured data.
  • Companies must understand what happens to data while it is being transmitted to another location. From the moment data is in transit, the company is no longer in control of it, and it can be easily and cheaply “tapped” by cyber-criminals for a variety of unauthorized reasons. In addition, human error and technical equipment failings are real risks that can manifest more often than you would think. However, these risks can be eliminated by automatically encrypting the data while it’s in motion.
  1. How do you manage encryption and where are your keys?

Identifying and encrypting all of the sensitive data within an organization is just the first step to securing the breach. This requires encryption keys, and many times the management of these is imprudently overlooked. Without an enterprise-wide key manager, maintaining these disparate encryption systems becomes time consuming and unmanageable.

Since keys are being stored in a variety of places, often on the very systems containing sensitive data, they are vulnerable to theft and misuse. Backed up keys are also not being secured while in transit, leaving another area of exposure. Restricting access to these cryptographic keys is also a best practice. It’s also critical to ensure no single user has rights to everything.

3-step approach to data breach protection

By implementing a three-step approach—1) encrypting all sensitive data at rest and in motion, 2) securely managing and storing all keys, and 3) controlling access and authentication of users—organizations can effectively prepare for a data breach. This allows us to see through cybersecurity’s reality distortion field and transition from an approach optimized for “reality as it was”—breach prevention—to a strategy optimized for “reality as it is”—the secure breach strategy.

This post first appeared in Network World:


Manipulation of the data

“Since the internet was created, data has been at the heart of it. However, as our use of the internet and the value of this data has grown, so too has the risk of it being stolen or lost. In the last four years in the UK, over 74 million data records have been breached, with that number increasing every year. While businesses have focused on protecting their perimeters against data breaches, this has left data open and exposed. In the future, businesses won’t just have to protect against theft, but also manipulation of the data that is so valuable to them. As we celebrate Internet Day, we need to remember that GDPR is fast approaching and businesses operating with or within the EU, don’t have a lot of time to get their house in order before they have to announce any breaches that occur. The internet has created so many opportunities, but with it has also brought the potential for criminals to prosper. In order to stop this, we need to ensure that our focus is always on protecting the most valuable thing, data.”

Data breaches: This time it’s more personal

Data breaches have shifted from stolen credit card data and financial information to the theft of something much more intimate—identities

Summer 2016 was not a good time for data breaches.

First, news broke that the Democratic National Committee was hacked, leading to the resignation of DNC Chair Debbie Wasserman Schultz and driving a wedge between Democratic Party members.

 Later, the World Anti-Doping Agency (WADA) announced that Russian hackers had illegally accessed its Anti-Doping Administration and Management System (ADAMS) database, leaking confidential medical information for U.S. athletes, including Simone Biles and Serena Williams.

Then earlier this month, passwords, usernames, email addresses and other personal information was published for more than 2.2 million people who created accounts with ClixSense, a site that pays users for completing online surveys and viewing advertisements.

These were not the only breaches of the summer, nor were they the largest. However, each is a clear example of the changing face of data breaches and the rise of identity theft.

The rise of identity theft

What we have been seeing over the past two years is that data breaches have shifted from stolen credit card data and financial information to the theft of something much more intimate—identities. As a result, data breaches are becoming much more personal and the universe of risk exposure for people is widening.

In the case of the DNC and WADA breaches, sensitive data was leaked to publicly smear people. Contrast that with the IRS data breach involving more than 700,000 stolen Social Security numbers that resulted in thousands of false tax returns being filed. As companies, governments and other organizations collect ever-increasing amounts of customer information and as our online digital activities become more diverse and prolific, more data about what we do, who we are and what we like is at risk to be stolen from the companies that store our data.

Apathy abounds

So, why isn’t anyone paying attention? The truth is that despite today’s daily headlines about data breaches, the problem with cybersecurity is that there’s a lot of apathy regarding the issues. Consumers know their credit cards will be replaced and they will not be responsible for financial losses. Breached companies know their stock prices will rebound eventually, and government regulations are simply not a good prescription for security.

At this point the daily noise around data breaches is making it more difficult for consumers, government regulatory agencies and companies to distinguish between nuisance data breaches and truly impactful mega breaches. News reports fail to make these distinctions, but they are important to understand because each has different consequences. A breach involving 100 million user names is not as severe as a breach of 1 million accounts with Social Security numbers and other personally identifiable information that are used for financial gain.

In this post I stressed the need for organizations to create a “Secure Breach” environment to safeguard data. In this increasingly digital world where greater and greater amounts of data are being stored, managed and shared via the cloud and multiple (and unsecured) devices, it is clear that data breaches are going to happen. That is why companies need to shift from a total reliance on breach prevention to strategies that help them secure the breach once intruders get past network defenses.

That is why more focus needs to be on understanding what really constitutes sensitive data and where it is stored, and using the best means to defend it. At the end of the day, the best way to protect data is to kill it. That means ensuring sensitive data is protected with encryption so it is useless to the thieves.

Even though encryption is widely known, less than 4 percent of all data breaches this year involved data that was encrypted in part or in full, according to the Breach Level Index. This number has stayed more or less the same for the past several years, and that’s unacceptable.

While credit cards can be easily replaced and fraudulent charges covered, the damage from stolen identities and sensitive personal information is much longer lasting. So, what will that be the tipping point that moves companies to adopt a secure breach strategy? In my next blog, I’ll present some strategies for how companies can better defend data and secure the breach. In the meantime, let me know your thoughts in the comments.

( This post was also published on Network World.)

IT Security Award

IT Security Award

Jason Hart of Gemalto has become a finalist for the “Personal Contribution to IT Security Award.”


IT security’s reality distortion field

 Despite increasing data breaches (a whopping 4.7 billion data records worldwide being lost or stolen since 2013) and mounting regulatory and customer pressures around data protection, IT decision makers worldwide continue to ignore reality and rely on the same breach prevention strategies when it comes to protecting customer data and information. Today’s IT security professional clearly has a “reality distortion field” when it comes to the effectiveness of perimeter security.

According to a recent survey of IT decision makers worldwide, one-third of organizations experienced a data breach in the past 12 months. Yet, while 86 percent of organizations have increased perimeter security spending, 69 percent are not confident their data would be secure if perimeter defenses were breached. This is up from 66 percent in 2015 and 59 percent in 2014. Furthermore, 66 percent believe unauthorized users can access their network, and nearly two in five (16 percent) said unauthorized users could access their entire network.

Reality distortion field is a term used to describe the belief that wanting and willing something—even the near-impossible—can make it happen. The term found its inspiration in a two-part episode of Star Trek that aired in 1966, where inhabitants of the planet Talos are able to create new worlds and thoughts in the minds of other people.

According to pop culture legend, Bud Tribble, a software developer on the original Macintosh computer, used the term to describe Steve Jobs, noting, “In [Jobs’s] presence, reality is malleable. He can convince anyone of practically anything. It wears off when he’s not around, but it makes it hard to have realistic schedules.” Charismatic SpaceX and Tesla CEO Elon Musk has also been described as having a reality distortion field.

Jobs and Musk’s contributions to technology advancement are legend because of their ability to push people past their own perceptions of reality. However, a reality distortion field has overtaken today’s data security mindset when it comes to the effectiveness of perimeter security. IT budgets summarize today’s reality in security: perimeter security is consuming an ever-larger share of total IT security spending, but security effectiveness against the data-breach epidemic is not improving at all. Organizations are not investing in security based on reality as it is; they’re investing based on reality as they want it to be. The problem and the solution to the problem just don’t match up.

To be clear, organizations should not stop investing in key breach prevention tools. However, we need to be able to see through cybersecurity’s reality distortion field and place our bets on strategies that align to the problems we face today.

Look at it this way: If it’s impossible to keep intruders out of the network, the logical approach is to build security around the assumption that they are already on the inside. When you do this, you focus on what matters: securing your data.

It then becomes clear that you need to move your security controls as close as possible to the data so attackers can’t use it, even if they have breached the perimeter. In effect, you need to create a “Secure Breach” environment.

Technical specifications will vary depending on IT infrastructure, but with this blog, I hope to highlight the questions organizations need to ask to adjust their security strategies appropriately and how they can realign their investments and tactics to better emphasize data security. Watch this space!

( This post was also published on Network World).

What does the future of cybersecurity look like?

Earlier in the year, we asked young people from all over the world what they thought the future connected society might look like – and in particular, how they envision the future of cybersecurity. As expected, fingerprints and iris scanning were popular, as were voice biometrics and facial recognition. But it was the 30% who thought our DNA could be used to unlock our phones that got us really thinking about what the future of digital security could hold.

DNA cryptography is a fascinating and fledgling field where ideas are only just being put into practice. The hope is that you can store vast amounts of data within DNA. A gram of DNA is the equivalent to 108 terabytes of data. So if you could hide data within the DNA, and then encrypt it, you could open up the possibility of a near impregnable security process.

But moving closer to reality, if there is one thing that consumers hate right now it’s trying to come up with, and remember, a secure password. We’ve covered this on the blog a number of times, and even have developed a guide for you to use. But frankly, we’re getting to the point that with so many websites and services needing a password, you’re likely better off with a password manager. But what if that was hacked?!

For some, the death of the password can’t come soon enough, but there are other ways to authenticate your identity which are vying to gain traction and acceptance.

These include:
The Future of Cybersecurity- Biometrics

  • Fingerprints – the classic identifier that you probably use to unlock your phone. Likely to become more widespread.
  • Behavioral analytics – this would create trusted profiles based on a number of known patterns of each user or customer, including their location, devices, online habits (such as click speed, etc.)
  • Heartbeat – like fingerprints, no two beats are the same, and startup Nymialready has a product that’s shipped.
  • VoiceMasterCard has successfully trialed customers’ voice prints to access services. As speaking to devices becomes more natural, expect to hear a lot more about this
  • Selfiesread more here, but know they are coming
  • Your walk, your nose, and even your ear slightly more intimate!

Of course, the future of cybersecurity will continue to include multi-factor authentication, so companies are looking at ways to fundamentally alter how you log into their services. Google has just announced its Trust API. This platform is in early testing, but it hopes to put various indicators together to confidently predict whether the person logging into a service is the legitimate user.

These indicators could include your location, biometric information such as your face or voice, and even behavioral traits such as how you move, type and swipe the screen. The results would then be tallied up to give you a trust score which, if high enough, would let you automatically log into the service you want to use.

For companies, they are always thinking about the future of enterprise cybersecurity too. We recently covered how Google has done away with perimeter security and BYOD, accepting that perimeter breaches are inevitable. Their focus instead is protecting applications and the data they access. The erosion in the faith of the perimeter to safely protect corporations will shift thinking to how you can secure data at a deeper level. This approach could certainly figure in the future plans of corporations that can’t afford another hack.

It appears that the future of cybersecurity for consumers lies in a combination of biometric data and behavioral analytics (but be cognizant of the risks!), and a concentrated focus on encryption by enterprises to secure sensitive data. What’s certain is that in the future, we’re going to have to very careful with how we store, move, and access data.

The benefits of ethical hacking for IT security

Hacking is getting easier and cheaper, so every enterprise should do it.

Wait… what? Of course, I’m talking about reaping the benefits of ethical hacking as a way of preparing for an actual cyber attack – the odds of which are increasing as hacking services become simpler to obtain.

Just about anything can be bought in the Internet these days, legal or otherwise. Rocket launchers, hard drugs and indeed hacking services have become as easy to purchase as books and music.

While some such services are available on the regular Web, more serious customers turn to the TOR, The Onion Network. Also known as the Dark Web, TOR enables buyers and sellers to transact with full anonymity using cryptocurrencies such as BitCoin.

Through TOR, hacking services have proliferated in recent years. They’ve been used by individuals with an axe to grind, such as Edwin Vargas, an NYPD detective. Driven by jealousy he paid $4000 dollars for over 40 email passwords, half of which belonged to police officers.

Another reason for growth in these services is that they are simpler to deliver. Technology is more straightforward than it used to be — witness how people can create web sites or drive smart phones, for example. By the same token, the barrier to entry for hackers is lower.

As confirms a report from Rand Corporation, “Greater availability of as-a-service models, point-and-click tools, and easy-to-find online tutorials makes it easier for technical novices to use what these markets have to offer.”

Why Hacking Is Becoming Easier

As a result the threat is growing. But isn’t it always? Am I just going to say “be vigilant” and then we all get on with our lives?

Well, no, because there’s an additional factor which means this proliferation can no longer be ignored. It’s about the nature of the attack surface.

In traditional computing models, we could consider this in three parts: first the physical environment; then the computer hardware; then the software. Policies, procedures and protections would be considered for each.

In the virtual world, the physical and hardware layers have been architected to create a reasonably robust underlying platform. Yes, sure, this still needs protecting but to a large extent it already is — the controls are well known and straightforward to check.

On top of this platform we — the global we, of corporations and providers — have created a massively scalable, massively interconnected but massively complex virtual compute environment.

Here’s the point: even as it gets more complex and harder to protect, it is becoming simpler to hack and exploit. We can’t just stand by and hope it isn’t going to happen, because automation will ensure it will.

Continues the Rand report, “Hyperconnectivity will create more points of presence for attack and exploitation, so that crime will increasingly have a networked or cyber component, creating a wider range of opportunities for black markets.”

But Ethical Hacking is Easy, Too

What to do? There’s only one answer really, and that’s to get there first. Penetration testing (ethical hacking) has been around for years; indeed it used to be my job. And just as computers can be programmed, so can exploits — there are libraries of them freely available.

We should not be daunted by kicking off such activities, of running a program of checks for back doors into our own systems. It’s not that hard to do — that’s the point. If it was, the bad guys would be looking for easier ways to make money. The many benefits ethical hacking offer organizations will certainly outweigh the bit of time and effort required to implement it.

If you don’t want to do it yourself, you can engage an (ethical) service to do it for you. As we already know, there are plenty of them around. You don’t have to check all your IT systems and services, just the ones that give access onto the data you have that is worth protecting.

Which raises a final point: If you don’t already know what data you have that is worth exploiting, for heaven’s sake work it out. Then check whether it is accessible.

There will be a cost, but after all, it will be worth your while paying a relatively small sum up front, rather than shelling out to repair the damage later.

10 years of cyber security; what the past decade has taught us

Cyber security

The difference ten years can make can be profound. 1966 looked nothing like 1976, and in each decade since, almost everything has changed. The Internet and globalization has meant that cultural shifts are less stark these days, but in terms of cyber security, 2006 feels like a long time ago.

This was a one year before the iPhone was launched, where 3G was just rolling out, and there was no such thing as apps. Streaming music, photo sharing, social networks were all in their infancy. In 2006, cyber security threats were very different to those today, as what was accessible to attackers was pretty limited.

Now, every aspect of our lives is stored in the cloud – from our banking and health records to our more personal identities – and we are generating significantly more data than ever before.

Evolution of threats

The type of threat has evolved to keep pace with this explosion in valuable data. Back in the early 2000s, most threats and malware were a nuisance, designed to simply disrupt or frustrate users.

Then in 2008, the Zeus Trojan was unleashed, that grabbed banking details via key-logging and form grabbing. Years later, 100 people were arrested for having stolen over $70 million thanks to the software.

This was the start of a much more professional approach to cyber-crime. Viruses, Trojans and worms started to be created to steal money or sensitive corporate information. Variants of the Zeus Trojan still plague computers to this day, and played a part in one of the biggest consumer hacks to date, that of Target in 2013.

It is key to remember, that as soon as something connects to the Internet, it becomes vulnerable. As we add connectivity to new things, everyone involved should be aware of the risks. Take connected cars for example. In car Wi-Fi and streaming video entertainment systems are becoming big selling points, but as demonstrated last year, weak security can let intruders in.

Shifting consumer perception

With such high profile breaches regularly hitting the news over the news, it has been interesting to witness how consumer attitudes have changed. Since 2013, there have been almost four billion records lost, and people are no longer shocked. At this scale, everyone from companies, to employees and everyday consumers now accepts that it’s a case of ‘when, not if’ they’ll be hacked.

Yet all is not doom and gloom. We surveyed millennials’ opinions to data security recently, in our Connected Living 2025 report. Two thirds said they would feel vigilant in the face of threats, well ahead of complacent and paranoid. This suggests people now understand the importance of protecting their data.

Breach prevention is dead (and so is the perimeter)

If the past ten years have taught anything, it is that perimeter defenses will be breached. No matter how tall or big the wall is, the enemy will find a way around it or under it.

Despite the increasing number of data breaches, companies continue to rely on firewalls, threat monitoring and other breach prevention tools as the foundation of their security strategies. Yet most IT professionals readily admit that their corporate and customer data would not be safe if theirperimeter security defenses were compromised.

This is not to say that perimeter security is not important. It just means that it should not be the only thing companies do to keep the bad guys out. Instead, IT professional should accept the fact that breaches are inevitable and work to secure the breach by placing security measures closer to the data and the users with encryption and multi-factor authentication.

Encryption and Multi-Factor Authentication Are King

Two additional developments have also made the dents in the capabilities of cyber criminals. Multi-factor authentication has shown its power in keeping records safe, and encryption is also becoming the norm so if data is lost or stolen, it’s useless.

Cyber security threats will continue to pose a significant problem. But as those born after the Internet hit the mainstream in 1995 approach adulthood, we’re well placed to face these threats head on. It’s a far cry from 2006, when 26.5 million U.S. military records were stolen, and the agency responsible waited three weeks to say anything to those affected.