Breach in the Hull: What We Can Learn from Anthem

On February 5, 2015, news broke that hackers had struck Anthem, Inc., the second largest health insurance provider in the United States. The breach was catastrophic, exposing the names, addresses, phone numbers, and social security numbers of nearly 80 million Anthem customers. According to the company’s official statement, the hack was the result of “a very sophisticated external cyber attack.”

The company is now in triage mode, working with the FBI and turning to a cybersecurity firm to reassess its IT systems. What is perhaps most troubling, though, is new evidence indicating that the breach may have begun as early as April 2014 — meaning Anthem’s systems were compromised for nearly nine months before anyone at the company realized what was happening.

Breaches on the Rise

Anthem’s breach is just the latest and most high-profile in a long and ongoing list of security slip-ups. A recent study on data breach preparedness showed that 43% of companies have experienced a data breach within the last year, a 10% increase from a year before. And while many breaches are the result of concentrated efforts by a select group of hackers or cyber terrorists, the same study demonstrated that 80% of recorded breaches have their root cause in company or employee negligence. In other words: Companies aren’t doing enough to protect their customers’ data.

The potential destructive impact of a security breach on the customer is staggering. According to the Better Business Bureau, every victim of identity theft loses an average of $6,300 in addition to 40 hours on the phone dealing with creditors and credit bureaus in an effort to set things right. The impact is also huge for businesses; it is estimated that businesses lose around $50 million a year collectively as a direct result of data breaches. That’s not even including the massive hit to brand value, reputation, and productivity.

The 2014 IBM Security Services Cyber Security Intelligence Index recorded 1.5 million cyber attacks in the United States in 2013. Companies failing to prepare for these attacks are putting themselves and their customers at risk.

Proactive Security

Protecting a business from data breaches requires a proactive, informed approach. Businesses should conduct regular risk analyses to determine the threats they face and deploy security solutions that are up to the task, but they must also test those solutions. The first sign of security failure shouldn’t be a real-life data breach. Instead, businesses should rely on a reputable team of security experts to put their systems to the test.

Security audits are systematic, measurable assessments of how a business deploys its security policy and how that security policy holds up under pressure. Audits are designed to find the flaws in a security system before a malicious party can, giving the business time to reassess its threat levels and develop better solutions. Note that a full security audit is different from a penetration test in that penetration tests are usually focused on one specific area of security policy — audits are more comprehensive in their scope and design.

Security audits answer key questions about an organization’s security protocols and offer recommendations on how to do things better. They also spot weaknesses before they become problems. Think of it this way: If Anthem had been conducting regular security audits, would it have taken nine months to discover the breach? Is there a possibility that the breach could have been stopped earlier or even prevented with better security testing protocols?

These are questions Anthem is surely asking itself as it goes about fixing the damage its faulty security practices caused 80 million paying customers.