Anthem Breach: 9 Lessons for India
Businesses Must Wake Up to New Threats, Experts Warn
U.S. health insurance giant Anthem warned in February that it had suffered a massive data breach, which led to the compromise of more than 80 million customer records. Reports that the breach may have started nine months prior to the company detecting it illustrate the dangers that such breaches pose not just to U.S. businesses, but also to Indian enterprises, security experts say.
The Anthem breach demonstrates how cybercriminals are increasingly targeting organizations that house large quantities of sensitive data, rather than trying to steal this data piecemeal from end users, says Patrick Nielsen, security researcher with Moscow-based anti-virus vendor Kaspersky Labs.
But while many U.S. businesses are legally compelled to report such breaches, the healthcare sector in India faces no such requirements. Nevertheless, security experts warn that Indian enterprises - and not just in the healthcare sector - must learn from Anthem's breach, if they want to avoid a similar fate.
Here are 9 related recommendations from security experts:
1. Businesses: Wake Up
When it comes to the Anthem breach, the first takeaway is simple: Watch out. "Indian companies - especially in the healthcare, health insurance and clinical research space - should use this as a wake-up call," Dhananjay Rokde, former CISO at Mumbai-based travel company Cox & Kings and a BFSI/NBFC domain expert in information security and risk management, tells Information Security Media Group.
"Being a hub for back-office processing and contact centers, India is definitely a big, blinking target on the attackers' map," Rokde says. Furthermore, were such attacks to occur - and succeed - they might cause foreign firms to rethink their investments in, and outsourcing arrangements with, Indian businesses. Too often, security is seen as a hindrance to the growth of Indian businesses, warns Sonit Jain, CEO of Mumbai-based security appliance manufacturer Gajshield. But by compromising on security, Indian enterprises may find themselves easy targets for large-scale fraud campaigns.
2. Regulations May Get Tougher: Expect Increased Scrutiny
Parag Deodhar, CISO and chief risk officer at Bengaluru-based Bharti AXA General Insurance Co., likewise says all Indian information security practitioners must learn from the Anthem hack, even if they don't face such regulations as the U.S. Health Insurance Portability and Accountability Act, which regulates how health information is protected. "While there are no specific acts like HIPAA, India does have data privacy regulations, and companies need to be aware and comply," he says. Furthermore, with the rise in the number of identity theft attacks and related fraud, he expects Indian regulators to pay increasing attention to these issues, despite India not having a social security system, and despite widespread public apathy when it comes to privacy.
Currently, however, few Indian laws govern the protection of any type of sensitive information. If an Anthem-style breach did take place here, experts say the results could be catastrophic. "The Indian ecosystem is not there yet; there is a long way to go," Rokde says, arguing that the country needs clearer guidelines that define what constitutes personally identifiable information, as well as how it must be protected, whether it's being stored, processed or transmitted. He also says the country needs restrictions on how long information can be retained, and guidelines for destroying PII in a secure, irreversible manner.
3. Monitor Constantly, Get Second Opinions
It's time for Indian businesses to ensure that they're actively monitoring for attacks and breaches, and responding rapidly when any suspicious activity gets identified, says Bharti AXA's Deodhar. "New risks and vulnerabilities, brought about by changes in systems and processes and [the] introduction of new technologies - like cloud and mobility - need monitoring and mitigation."
Unbiased security reviews are also essential for ensuring that a business's security posture and controls are as good as possible, Rokde says. But he notes that when breaches do occur, it's equally important to learn from them.
For example, he says, despite many commentators criticizing Anthem for its lack of database encryption, no single mistake led to the Anthem breach, and database encryption alone wouldn't have prevented the breach from happening. "I'm absolutely convinced that encryption would not have saved Anthem," he says.
4. Guard Data Everywhere
Rokde says that organizations tend to encrypt production databases, but ignore their backups. As a result, after production systems, backups are often attackers' second-biggest target. Accordingly, a business's data-protection strategy must encompass data wherever it gets stored, and at every stage - from creation and processing, through to storage, archiving and transmission, he says. Also don't forget to review how data gets shared with partners and outsourced service providers, and to protect it accordingly, he says, for example with Information Rights Management/Digital Rights Management technologies.
5. Compliance: Not Enough
While India lacks the healthcare laws that require data breach notifications, such regulations are no information-security panacea, Kaspersky's Nielsen says. "While the [U.S.] healthcare industry is heavily regulated, an organization anywhere cannot merely depend on compliance as a defense against security threats." Indeed, he warns that too many companies in heavily regulated environments take a compliance-first approach and mistake this for putting a robust, effective information security program in place.
6. Train Employees, Review Third Parties
Investigators in the Anthem case believe that the compromise may have begun with phishing emails sent to a handful of employees. When it comes to repelling such phishing attacks, many security experts recommend constant user education as a defense. Trained employees are more effective and understand their responsibilities during a crisis, Rokde says. "Do not forget to include contractors in your training and awareness programs, and penalize information security policy violators - be it employees or contractors."
Another Anthem lesson, Rokde says, is that all data should be classified - as being sensitive, or not - and whenever possible, masked inside databases, in case it's breached by hackers or malicious insiders. Rokde warns that such controls must also be used for all outsourced IT operations, included as a requirement in related contracts, as well as regularly assessed - using third-party reviews - to ensure they are in place.
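The classification-and-masking control Rokde describes here, together with the point in lesson 4 that backups must get the same protection as the production database, can be shown in code. The following is an added illustration, not code from the article or from any of the companies quoted: it tags fields by sensitivity, replaces PII with keyed one-way tokens (HMAC-SHA256, one common way of implementing "masking" that still allows lookups), keeps a display-safe partial mask, and runs the backup export through the same step so that a stolen backup contains no more raw PII than the live store. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample: toy customer records mixing sensitive and
# non-sensitive fields. Names and values are invented for this example.
SAMPLE_RECORDS = [
    {"member_id": "M-1001", "name": "Asha Verma", "dob": "1984-07-19",
     "national_id": "123-45-6789", "email": "asha@example.com",
     "plan": "Gold", "city": "Mumbai"},
    {"member_id": "M-1002", "name": "Rahul Sen", "dob": "1990-02-03",
     "national_id": "987-65-4321", "email": "rahul@example.com",
     "plan": "Silver", "city": "Pune"},
]

# Classification policy: field -> sensitivity class. Any field not listed
# is treated as non-sensitive and stored in the clear.
CLASSIFICATION = {
    "name": "pii", "dob": "pii", "national_id": "pii", "email": "pii",
}

# Key for tokenization. In a real deployment this lives in a key vault and
# is never stored beside the data or its backups. Constructed value only.
TOKEN_KEY = b"example-only-do-not-use"


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Replace a PII value with a keyed one-way token (HMAC-SHA256).
    Equal inputs map to equal tokens, so joins and lookups still work, but
    the original cannot be recovered from a leaked database or backup
    without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:24]


def mask_partial(value: str, keep_last: int = 4) -> str:
    """Keep only the last few characters for display (e.g. support screens)."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def protect_record(record: dict, policy: dict = CLASSIFICATION) -> dict:
    """Apply the policy: PII fields are tokenized, a display-safe partial
    mask is kept for the national ID, everything else passes through."""
    out = {}
    for field, value in record.items():
        if policy.get(field, "public") == "pii":
            out[field] = tokenize(value)
            if field == "national_id":
                out["national_id_display"] = mask_partial(value)
        else:
            out[field] = value
    return out


def export_backup(records: list, policy: dict = CLASSIFICATION) -> str:
    """Serialize a backup that passes through the same protection step as
    the live store, so a stolen backup is no more useful than the database."""
    return json.dumps([protect_record(r, policy) for r in records], sort_keys=True)


def leaks_raw_pii(blob: str, records: list, policy: dict = CLASSIFICATION) -> bool:
    """Control check: does serialized output still contain any raw PII value?"""
    for r in records:
        for field, cls in policy.items():
            if cls == "pii" and r[field] in blob:
                return True
    return False


if __name__ == "__main__":
    backup = export_backup(SAMPLE_RECORDS)
    print(backup)
    print("raw PII present in backup:", leaks_raw_pii(backup, SAMPLE_RECORDS))
```

The `leaks_raw_pii` check is the kind of assertion a third-party review could run against both the production store and a backup export: if either one still contains a raw value from the PII class, the control is not in place. Keyed tokens are irreversible without the key, so the key itself becomes the asset that must be stored and backed up separately from the data.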
7. Prepare to Respond
Anthem rapidly disclosed its breach, and that was the right thing to do, Gajshield's Jain says. "In the Indian landscape, most of these breaches go unreported. Security breaches are seen as an embarrassment and always kept under the carpet," he says. But that doesn't mean fraudsters aren't already inside numerous Indian businesses.
Ideally, every Indian business would have a well-documented and well-rehearsed incident response plan in place now, which also specifies how it will notify and work with regulators, law enforcement agencies and government bodies, Deodhar at Bharti AXA says. But few such approaches exist today, he warns.
Many security experts recommend issuing breach-related warnings to computer emergency response teams and law enforcement agencies as quickly as possible. "It is best to own up immediately and educate your customers, to prevent further damage and decrease your liability," Rokde says. In addition, it doesn't hurt to prepare a well-documented and well-rehearsed public relations strategy, he says. For example, when Anthem notified its subscribers about the breach, it created a dedicated www.anthemfacts.com website, which it has continued to update.
8. Hackers Targeting PII
Anthem's attackers did not target credit card information, as one might expect, Rokde says, noting that they instead focused on other personal information. This shows that for some attackers, PII is just as prized as payment card information, and thus deserves to be well-defended. "A simple credit card record is worthless after the credit card has been cancelled. However, a Social Security number, home address, health information or date of birth can lead to identities being hijacked," he says. Accordingly, attackers could potentially exploit the PII stolen from Anthem for years.
9. Invest in Cyber-Insurance
While the uptake of cyber-insurance policies in India has reportedly been very low, Rokde says that Indian organizations and CFOs must explore and adopt cyber-insurance sooner rather than later, because even with the best information security defenses, some attacks will still succeed. "Yes, cyber-insurance is costly," he says. "But so is your data."