IBM recently released the 2021 Cost of a Data Breach Report, its annual deep dive into data breach costs, as reported by 500+ companies worldwide.
The report delivers a goldmine of data, but the numbers are so big that you could be tempted to ignore them. At $4 million-and-change, the global average data breach cost doesn’t translate well if your entire annual revenue is a fraction of that number. But the report offers a lot more than worldwide averages skewed by enterprise-level breaches. To help you find real-world ways to reduce data breach costs, we combed the data for underlying causes that point to top takeaways for organizations of any size.
Read on for our top insights from the 17th version of Big Blue’s much-anticipated yearly benchmark.
If you’re ready to explore how the solutions identified here can protect your data—and your bottom line—contact Pratum today for a free consultation.
In the right circumstances, a biohacker may only need to wave their hand to break into your building or attack your network. The technology at work isn’t all that new, but its location is. It’s now shockingly easy to implant a microchip in your own body and use it to access (and potentially hack) a wide variety of devices.
During a session at the recent Secure Iowa conference, Pratum Senior Penetration Tester Jason Moulder demonstrated what’s possible in this version of biohacking. With four chips embedded in his own hands, Jason had a lot of data resting on the podium as he spoke.
When Jason asked what comes to mind when you imagine implanted chips, several people shouted, “Terminator!” And they’re not wrong. Technically speaking, putting anything inorganic into your body makes you a cyborg. In simple terms, Jason said, biohacking “is just a desire to go beyond what you can normally do.”
But as edgy as they sound, implanted microchips are actually a simple matter of putting technology you already use under your skin instead of in your pocket. The chips use the same RFID (radio frequency ID) technology you’re familiar with in proximity cards such as your office ID or hotel room keys. RFID also pops up throughout your life in credit cards, toll booth tags, key fobs, luggage tracking in airports and more. Millions of pets carry implanted chips in case they get lost. And the medical community already leverages implantable chips with devices such as glucose-monitoring systems for people with diabetes.
The chips, which are typically not powered, communicate over short distances with the reader, and an implanted chip can carry anything a card can. That means you could use a chip to open locked doors at the office, give your boarding pass to an airport agent, buy items from a vending machine, log into a cash machine, tell your smartphone to call up a favorite website and much more.
Your own personal tastes will determine whether handling transactions with your hand sounds wildly convenient or mostly creepy. In some other countries (most famously Sweden), thousands of people have had chips implanted. A couple of years ago, Sweden’s largest chipping company couldn’t keep up with the demand.
The first person known to receive a microchip implant was a British scientist named Kevin “Captain Cyborg” Warwick in 1998. Today, you can join Captain Cyborg’s super friends simply by ordering your own implant kit online. Jason buys his at Dangerous Things, which offers bundles including the Ultimate Implant Bundle with three chips for $260.
If you get even remotely squeamish around needles, chip implants won’t be your jam. Kits come with plungers and large needles so you can inject the chip, which typically comes in a glass tube about the size of a grain of rice. (It’s worth noting that Dangerous Things’ web store includes several pain-management products.) Most users place the chips on the back of their hand beside the thumb for easy access to chip readers.
You can watch the implant process here, along with watching a journalist starting to realize that he may want to keep his new chip even after his experiment is over.
Jason says the chips he’s carrying around are guaranteed to last 50 years. What if you change your mind about the chip or technology makes your implant obsolete? Well, take a deep breath. Dangerous Things offers a scalpel set.
Back in 2015, a security expert was already hacking into smartphones using an implanted chip originally designed for cattle. So without a doubt, a hacker could leverage a chip to breach a building or computer system. Again, they leverage familiar RFID technology. And Jason notes that most RFID access systems are vulnerable because most companies buy the cheapest unit that meets their compliance requirements. “Most businesses have a mentality that they’re just checking the box,” rather than truly looking for a secure solution, Jason says.
To make his point during his presentation, Jason quickly broke into a virtual hotel room by transferring the code from a proximity card onto the chip in his hand. In under five minutes, his chip produced a green light on the card reader he brought along. Then he demonstrated how he can transfer malware from his implanted chip to a phone, creating a foothold to start pivoting through the larger system connected to the phone.
You can also load scripts onto a chip, “which is where it starts becoming dangerous from my perspective,” Jason says. You can use a chip to log into a computer, open the browser and navigate to a certain site.
It’s fairly obvious that implanted chips are a bit of a novelty act at this point. You could accomplish the same things with a card or even a chip tucked into the seam of your shirt cuff, etc. But in an extremely security-conscious facility, you could envision scenarios involving extensive searches of visitors, metal detectors, etc. It’s not often that an implanted chip would represent the only way to circumvent security, but it’s not hard to imagine such a situation.
Realistically, you’re already giving away far more information than you need to worry about with chips. “If anybody really wants to find you,” Jason says, “they can just track you on social media. We use that all the time in our jobs as penetration testers because people are always tagging people, checking in at places, etc. We can build a profile of you with all that.” And, of course, nearly everyone already voluntarily carries a powerful tracking device in the shape of their smartphone.
Implanted microchips may grab attention by scratching a sci-fi itch. But whether someone is attempting to breach your system with a chip or a card, the core principles of good security still apply.
If you need help reviewing the implications of chip implants and other threats for your security, contact Pratum for a free consultation.
Jason Moulder, Senior Penetration Tester, Pratum
Jason is an Offensive Security Certified Professional (OSCP) with over 10 years of technology and security experience. He has extensive experience with network and web application penetration testing, social engineering, secure security architecture, forensics, incident response, governance and compliance. Jason has worked as a consultant for many types of industries, including government (federal/state/local), financial, oil and gas, education and private sectors. Jason currently works as a penetration tester with the Managed Security Services division at Pratum, which includes managed SIEM, vulnerability scanning, and penetration testing services. Jason also holds the following certifications: CASP (CompTIA Advanced Security Practitioner), OSCP (Offensive Security Certified Professional), GREM (GIAC Reverse Engineering Malware), CPTE (Certified Penetration Testing Engineer), CDFE (Certified Digital Forensics Examiner), CDRE (Certified Disaster Recovery Engineer), ITILv3 Certified (Information Technology Infrastructure Library), P2P Marshall, and MAC Marshall.
Whether you’re answering a steady stream of cybersecurity questions or asking your own suppliers to answer them, these documents have probably become a significant part of your job in the last year. The recent flood of cyber attacks has motivated most organizations to elevate third-party risk management to a top priority in 2021.
But even if the concept just appeared on many radar screens, it’s not a new issue. Every business of the past had to decide whether critical partners (from those supplying raw materials to those delivering finished goods) could reliably fulfill their contracts and protect what was entrusted to them. But the challenge has grown massively more complex with increasing integration and sharing of critical data. Government regulations raise the bar even more with breach notification laws and other rules that can make a vendor’s security problem a legal liability for everyone in the chain.
So proactive companies are quickly spinning up ways to get proof that every partner handles data securely. At this year’s Secure Iowa Conference, Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association reviewed the latest best practices in this quickly developing area. This post highlights top takeaways from her talk.
Julie Gaiaschi, CEO & Co-Founder, Third Party Risk Association
Julie Gaiaschi, CISA, CISM, is the CEO & Co-Founder of the Third Party Risk Association (TPRA). She has over 14 years of technology and information security risk experience, with the last 10 years specializing in third party risk. In her role as CEO, she provides strategic direction for the non-profit, whose mission is to further the third party risk profession through knowledge sharing and networking. She also has a passion for helping others enhance their own third party risk management programs.
Julie highlighted several areas demanding fresh thinking about managing risk:
To effectively keep up with these changes, Julie recommends a third-party risk management program built on these five elements:
As she walked through each of these core areas, Julie provided the following tips:
You can download a copy of Julie’s full presentation here. You’ll get details such as 13 essential inherent risk questions to ask your vendors.
If you need help reviewing your third-party risk or handling questions from your customers, contact Pratum for a free consultation.