Lessons Learned From the New Court Ruling on the Capital One Breach

Brian Thomas | June 19, 2020

Last year’s Capital One data breach ranks as one of the largest confirmed breaches ever, exposing the personal data of more than 100 million Capital One customer accounts stored in the cloud.

Almost a year later, the story hasn’t gone away. Last month, a U.S. magistrate judge ruled that Capital One must provide forensic details about the hack to attorneys representing a group of customers suing the bank.

As fallout from the breach continues, here are key lessons security and business leaders can learn to protect their organizations from a similar fate.

Implement a robust third-party risk management program

The court decision in the Capital One case sets a new precedent that could require organizations to disclose incident response reports detailing the circumstances around a breach. This requirement could expose companies to greater public scrutiny of their security programs, and open them up to financial and reputational damage.

A key takeaway from the ruling is that the onus is very much on security teams to demonstrate an unparalleled standard of care as they conduct business with vendors. To do this, they must provide evidence that they have a robust third-party risk management program in place — one that continuously monitors for cyber risk within their supply chain.

With such a program, security teams can identify potential vulnerabilities within their third-party networks, and accelerate vendor onboarding processes without sacrificing their security postures. They can also work alongside their vendors to help them understand where risk exists in easily understood terms so that informed decisions can be made about where to prioritize remediation efforts — before those vulnerabilities are exploited.

Reduce liability by understanding the shared responsibility model 

The Capital One breach allegedly occurred when a former Amazon Web Services (AWS) employee exploited a misconfigured web application firewall to gain unauthorized access to a cloud-based server.

This had significant liability ramifications for Capital One. Under the AWS shared responsibility model, Capital One was responsible for implementing security on that server and was therefore held accountable for the breach.

To be fair, much confusion still exists surrounding the shared responsibility model. When surveyed, only 10% of CISOs reported that they fully understood the model, while 82% claimed to have experienced security events due to confusion in the model. 

In order to mitigate cyber risk effectively, organizations must understand the shared responsibility model for every cloud vendor they work with — and ensure each cloud instance is configured securely. 

Visualize and assess risk across the attack surface

As an organization’s digital ecosystem expands, so does its attack surface. This makes it increasingly difficult for security teams to understand where all their digital assets live — and any inherent risk present there.

BitSight Attack Surface Analytics addresses this challenge by providing organizations with continuous, broad visibility into their expanding digital ecosystems — on-premise, in the cloud, and across remote office environments. 

This context empowers teams to shine a light on unknown vulnerabilities, infections, and misconfigurations that could lead to a breach or other security incident. With this insight, they can quickly assess the inherent risk of cloud-hosted assets — and bring them into line with corporate security policies. 

Get one step ahead of accountability

As pressure mounts for organizations to be more transparent about their security practices (and potential failings), it’s critical that security teams find ways to continuously monitor their third parties so that they can gain visibility into key areas of cyber risk within their networks. Furthermore, as the digital ecosystem expands into the cloud, organizations need a strategy to discover risk across this increasingly complex attack surface. After all, they can’t secure what they can’t see.

Only then can companies demonstrate to customers that they take proactive measures to achieve a standard of care in their security performance management and third-party risk management programs.