Sage has reported a data breach, and the company has been notching up column inches since the disclosure, along with the unwanted title of biggest faller on the FTSE 100 in early trading on Monday. None of this is unexpected: when a company discloses a data breach, the media will report it, the share price will fall, and the company's brand and reputation will take a public blow.

We do not yet know the particulars of the breach; the ICO, the police and Sage are still investigating what data was taken, if any. What can be gleaned from the company's statement on its website is that the access came through a legitimate account, with Sage pointing to 'unauthorised access using an internal login.' That wording covers both a rogue employee and an outsider using a member of staff's credentials, which is why much of the commentary below turns on the misuse of legitimate logins rather than on a break-in from outside.

The cyber security landscape, we keep being told, is constantly evolving and shifting, and executives are urged to adopt a 'when, not if' attitude to cyber security. With that in mind, are we really surprised that another big company has been breached? Is it a shock that the attack may have been the work of an insider, or at least carried out with an insider's login?

CBR talks to the experts about why this breach should not come as a surprise at all.


No business is immune

Justin Harvey, chief security officer at Fidelis Cybersecurity, said:

“The crux of the issue is that no organisation is immune from cyber attacks and the worst time to figure out how to respond to an incident is while it’s happening. I applaud Sage for reporting the incident to the authorities and communicating the breach publicly, but it looks like the company may need to reinforce security precautions and policies. What’s more, it should adopt a continuous response model to help it detect, investigate and stop attacks by ensuring that it’s prepared from a people, process and technology perspective."


Employees are one of the biggest threats to security

James Romer, EMEA Chief Security Architect at SecureAuth, said:

“News of yet another data breach involving the use of legitimate credentials, this time software giant Sage, doesn’t really come as a surprise. In fact, SecureAuth’s research last year found that 54% of IT decision makers in the UK believe that employees pose the biggest threat to security, whether intentional or not.

“The problem many businesses face is that once a bad actor has access to legitimate credentials (and therefore access to the corporate network), the attacker will elevate their level of access, and begin using credentials to move from one system to another as a method of recon, as they move towards completing their mission.”

Matt Walmsley, EMEA Director at Vectra Networks, said:

“Insider threats continue to pose a serious risk to organisations of all sizes and in all industries. In most cases, cyber attackers want what trusted users already have – network access credentials. In either case, detecting a threat requires security teams to proactively identify when a host behaves abnormally or in a way that could expose data or assets. Anyone with legitimate access to systems, physical or remote, can potentially present an insider threat.

"The simplest way to access unauthorised systems is often through the acquisition and misuse of legitimate credentials. Other “insiders” may seek to escalate their privileges or broaden the hosts and services they wish to access for their nefarious reasons."
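The pattern Romer and Walmsley describe, a legitimate login that starts reaching systems it never touched before, is something a security team can test for directly in its authentication logs. The script below is an added illustration written for this article; it is not code from Sage or from any of the vendors quoted, and the log format, account names and hostnames are all constructed for the example. It learns which hosts each account normally authenticates to, then raises an alert when an account succeeds against more than a handful of previously unseen hosts inside a short window.

```python
"""Flag an internal login that starts fanning out across unfamiliar hosts.

Added example for this article, not Sage's data or any vendor's product.
The log line format, user names and host names below are constructed
for illustration; real logs (Windows 4624, sshd, VPN) need their own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape: "<ISO-8601 UTC> user=<id> src=<ip> dst=<host> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one auth-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def build_baseline(lines):
    """Map each user to the set of hosts they successfully logged in to
    during the learning period. Failed attempts are deliberately ignored."""
    baseline = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] == "success":
            baseline[rec["user"]].add(rec["dst"])
    return baseline


def detect_fan_out(baseline, lines, max_new_hosts=2, window=timedelta(minutes=30)):
    """Return one alert per user who succeeds against more than max_new_hosts
    hosts absent from their baseline within any `window`-long span.
    Each alert is (user, timestamp of first new-host login in the span, sorted hosts)."""
    new_host_logins = defaultdict(list)  # user -> [(ts, dst)] for unseen hosts only
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] != "success":
            continue
        if rec["dst"] in baseline.get(rec["user"], set()):
            continue
        new_host_logins[rec["user"]].append((rec["ts"], rec["dst"]))

    alerts = []
    for user, events in new_host_logins.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) > max_new_hosts:
                alerts.append((user, events[start][0], sorted(hosts)))
                break  # first qualifying span is enough; avoid duplicate alerts
    return alerts


# Constructed learning-period log: jsmith normally uses two hosts, bwayne one.
BASELINE_LOG = [
    "2016-08-01T08:55:10Z user=jsmith src=10.0.1.23 dst=fileserver01 result=success",
    "2016-08-01T09:02:41Z user=jsmith src=10.0.1.23 dst=mail01 result=success",
    "2016-08-02T08:57:03Z user=jsmith src=10.0.1.23 dst=fileserver01 result=success",
    "2016-08-02T09:15:55Z user=bwayne src=10.0.2.8 dst=hr-db01 result=success",
]

# Constructed recent log: jsmith's login reaches four new hosts in 16 minutes,
# late at night; bwayne touches one new share, which is ordinary drift.
RECENT_LOG = [
    "2016-08-15T22:03:12Z user=jsmith src=10.0.1.23 dst=fileserver01 result=success",
    "2016-08-15T22:05:40Z user=jsmith src=10.0.1.23 dst=payroll-db01 result=success",
    "2016-08-15T22:09:02Z user=jsmith src=10.0.1.23 dst=hr-db01 result=failure",
    "2016-08-15T22:09:31Z user=jsmith src=10.0.1.23 dst=hr-db01 result=success",
    "2016-08-15T22:14:18Z user=jsmith src=10.0.1.23 dst=ad-dc01 result=success",
    "2016-08-15T22:21:50Z user=jsmith src=10.0.1.23 dst=backup01 result=success",
    "2016-08-16T09:01:00Z user=bwayne src=10.0.2.8 dst=hr-db01 result=success",
    "2016-08-16T09:30:00Z user=bwayne src=10.0.2.8 dst=finance-share01 result=success",
]


def run_demo():
    """Build the baseline from the learning log and scan the recent log."""
    return detect_fan_out(build_baseline(BASELINE_LOG), RECENT_LOG)


if __name__ == "__main__":
    for user, first_seen, hosts in run_demo():
        print(f"ALERT {user} reached new hosts {hosts} starting {first_seen:%Y-%m-%d %H:%M}")
```

The threshold and window are deliberately crude; in practice they would be tuned per role, and a new-host login would be weighted by how sensitive the target is (a domain controller or payroll database counts for more than a print server). The point the example makes is that the Sage-style failure mode, a valid login doing something its owner never does, is visible in data most organisations already collect, provided someone baselines it.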


Too much trust

Paul German, VP EMEA at Certes Networks, said:

“It must be asked how this breach was able to happen in the first place. Why could an internal user’s login permit access to confidential customer data and why wasn’t it stored in an encrypted format? This attack shows the need for organisations to adopt a zero trust strategy, which assumes that there is no such thing as a trusted network or IT environment. Instead, every user, device, network and application must be treated as untrusted, and all enterprise systems should be considered already compromised.”

Jonathan Sander, VP of Product Strategy at Lieberman Software, said:

"The Sage breach is a reminder that, despite all the headlines about bad guys trying to break in, there is an ever present danger from within, too. Often firms spend tons of money protecting against outsiders getting in, but fall into the "we trust our people" trap when it comes to insider threat. The trouble with trusting staff is that they're likely worthy of that trust until the moment they become disgruntled – and there's no way to see that moment happen.

"Every organization must shift to a least trust model for inside security, and even make the goal zero trust. Every scrap of sensitive information should be under a least permission model in files, folders, email systems, and inside applications. Very rigorous process must be applied to IT administrators and the privileged access they have because it can bypass all your strong security if you're not careful."


Privileged users pose a serious threat

Matthew Ravden, CMO at Balabit, said:

“Sage has been hit by a data breach using an employee's login details. The company hasn't disclosed whether it was an external or an internal attack – but practically it doesn't matter. The key learning point is clear: privileged users pose a serious threat to every company. If they successfully logged in to the system, they can do anything they want. How can you mitigate this threat?

"While the "least privilege" and "need to know, need to do" approaches aim to reduce the possible harm that can be done if a given user's access rights are abused, you cannot always limit access rights beyond a certain point – they need to perform their jobs. Using such accounts inherently carries more responsibility, and therefore, risk."


Traditional authentication does not work

Brian Spector, CEO of MIRACL, said: 

“The breach highlights that traditional authentication methods, in the form of the over 40-year-old username and password convention, are no longer fit for purpose and should be long abandoned. It’s easy enough for hackers to extort log-in information from unsuspecting employees, and in fact, most organisations are well aware that their own employees are the weakest link in their cyber-defence strategies. As such, adding a relatively simple but effective layer of security in the form of multi-step authentication can prove a useful barrier in preventing these types of breaches from happening.”


Crown Jewels left unguarded

Leo Taddeo, Chief Security Officer of Cryptzone, said:

"Any centralised storage of identity data is an extremely attractive target for cybercriminals. Most companies fail to deploy adequate safeguards on these "crown jewels" because security measures are costly and can sometimes reduce employee productivity. The breach reported by Sage is just one more example of why companies need to take the cyber threat more seriously.

"While it may be impossible to stop all attacks, it is possible to limit the damage from dedicated hackers, including trusted insiders. Proven countermeasures include fine-grained segmentation, robust user authentication, strict remote access controls, encryption, logging, and active monitoring."

Stephen Love, Security Practice Lead – EMEA at Insight, said:

"In today’s age of big data, it is crucial that businesses assess exactly what proportion of their data is most valuable and needs closer security attention. For instance, not all data is deemed ‘sensitive.’ Businesses therefore, need to carry out a thorough assessment as to what data is uniquely distinct to the organisation before determining what should and shouldn’t be shared. It is then much easier to put in place relevant DLP measures accordingly."


Increasing targeted attacks

Andy Herrington, Head of Cyber Professional Services at Fujitsu UK and Ireland, said:

“This latest data breach at Sage demonstrates the continuing hostile cyber-security landscape businesses are facing today. Large, high-profile attacks are a constant reminder that cyber threats are ever present and evolve, with an increasing trend towards targeted attacks.

"One of the biggest challenges that organisations face is the ever-changing nature of attacks. As we have seen with this breach from Sage, an internal login was used to gain access to its customers which suggests either a compromised internal account or an insider threat. Successful attacks often target vulnerable systems but in many cases human interaction will also be a participatory component."