Lessons Learned From the New Court Ruling on the Capital One Breach

Brian Thomas | June 19, 2020

Last year’s Capital One data breach ranks as one of the largest confirmed breaches ever, exposing the personal data of more than 100 million Capital One customer accounts stored in the cloud.

Almost a year later, the story hasn’t gone away. Last month, a U.S. magistrate judge ruled that Capital One must provide forensic details about the hack to attorneys representing a group of customers suing the bank.

As fallout from the breach continues, here are key lessons security and business leaders can learn to protect their organizations from a similar fate.

Implement a robust third-party risk management program

The court decision in the Capital One case sets a new precedent that could require organizations to disclose incident response reports detailing the circumstances around a breach. This requirement could expose companies to greater public scrutiny of their security programs, and open them up to financial and reputational damage.

A key takeaway from the ruling is that the onus is very much on security teams to demonstrate an unparalleled standard of care as they conduct business with vendors. To do this, they must provide evidence that they have a robust third-party risk management program in place — one that continuously monitors for cyber risk within their supply chain.

With such a program, security teams can identify potential vulnerabilities within their third-party networks, and accelerate vendor onboarding processes without sacrificing their security postures. They can also work alongside their vendors to help them understand where risk exists in easily understood terms so that informed decisions can be made about where to prioritize remediation efforts — before those vulnerabilities are exploited.

Reduce liability by understanding the shared responsibility model

The Capital One breach allegedly occurred when a former Amazon Web Services (AWS) employee exploited a misconfigured web application firewall to gain unauthorized access to a cloud-based server.

This had significant liability ramifications for Capital One. Under the AWS shared responsibility model, the cloud provider secures the underlying infrastructure while the customer is responsible for securing what it deploys on it; Capital One was therefore responsible for the configuration of that server and its firewall, and was held accountable for the breach.

To be fair, much confusion still exists surrounding the shared responsibility model. When surveyed, only 10% of CISOs reported that they fully understood the model, while 82% claimed to have experienced security events due to confusion about the model.

To mitigate cyber risk effectively, organizations must understand the shared responsibility model for every cloud vendor they work with — and ensure each cloud instance is configured securely.

Visualize and assess risk across the attack surface

As an organization’s digital ecosystem expands, so does its attack surface. This makes it increasingly difficult for security teams to understand where all their digital assets live — and any inherent risk present there.

BitSight Attack Surface Analytics addresses this challenge by providing organizations with continuous, broad visibility into their expanding digital ecosystems — on-premises, in the cloud, and across remote office environments.

This context empowers teams to shine a light on unknown vulnerabilities, infections, and misconfigurations that could lead to a breach or other security incident. With this insight, they can quickly assess the inherent risk of cloud-hosted assets — and bring them into line with corporate security policies.

Get one step ahead of accountability

As pressure mounts for organizations to be more transparent about their security practices (and potential failings), it’s critical that security teams find ways to continuously monitor their third parties so that they can gain visibility into key areas of cyber risk within their networks. Furthermore, as the digital ecosystem expands into the cloud, organizations need a strategy to discover risk across this increasingly complex attack surface. After all, they can’t secure what they can’t see.

Only then can companies demonstrate to customers that they take proactive measures to achieve a standard of care in their security performance management and third-party risk management programs.
