Archives for April 2017

Exploring the Cybersphere – April 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

There is an adage, old, like all adages, that goes, “April showers bring May flowers.” One might add that a more particular benefit for those suffering from allergies is they wash the pollen from the air, offering sweet respite for at least short periods. In furtherance of this line of thought, the April cybersecurity news might fall under the heading “Into each life some rain must fall.”

New frontiers in cyber security: locomotives without wheels, moats, deep learning at the edge

Industry analyst Bob Sorensen recently told us something most IT managers already know deep in their apprehensive hearts: cyber security is in a sorry state (see “Be More Afraid,” Enterprise Tech, Nov. 18, 2016). Security at many companies is somewhat marginalized, an unfavored area that lies outside core IT operations and procedures, a focal point at many companies of ineffectuality and denial that can be characterized as: Don’t just do something, sit there! Part of the problem: cyber security is purely defensive in nature. We don’t want it until we need(ed) it. It doesn’t add to the bottom line; it’s a cost center seen as hindering optimal operations. Corporate boards tell senior managers that, yes, of course cyber security is important, but don’t let it interfere with daily business. Yet everyone grasps the bottom line and reputation risks of poor security…. Instead of further bemoaning this state of affairs, let’s look at the bright spots, the best-in-class cyber security practices some companies have adopted and the emerging technologies that leverage big data analytics, machine learning and quantum computing.

Cybersecurity remains an elusive business priority

I’ve been remiss in not blogging earlier this year about ESG’s annual IT spending intentions research. The year 2017 continues to follow a pattern: Cybersecurity is a high business and IT priority for most organizations… Allow me to provide a bit of analysis of this data (after all, I am an industry analyst): 1. There is growing demand for cybersecurity technologies, so 2017 should be another banner year for vendor revenue, VC investment, M&A activity and IPOs. 2. Boards are getting more involved in cybersecurity, which is driving more demand for data and metrics. In other words, executives are willing to spend on cybersecurity, but they want to better understand what they get for their money. Executive reporting tools for cybersecurity will grow precipitously….

Why we should let our walls down when it comes to cybersecurity

With digital threats growing more rampant across the country and from around the world, the idea of building “walls” for cyber defense and protection can seem appealing. But even in this age of hackers relentlessly penetrating our networks, in the information technology security industry, we know that walls don’t work. The truth is that surrounding yourself with impenetrable barricades is akin to sticking your head in the sand. Walls by themselves fail to tackle the root cause of threats, meaning any sense of safety created is artificial. Organizations need to have a holistic security posture that spans their internal network and devices. More importantly, they must anticipate malicious external threats. For protection, traditional IT security systems have for a long time relied on perimeter defenses, such as firewalls, intrusion detection systems and intrusion prevention systems. But that paradigm has changed, as cybercriminals have evolved and cyberattacks have increased in volume and sophistication. In 2015, there were 430 million unique pieces of malware, up 36 percent from the prior year. It’s a number only continuing to explode. Singular perimeter defenses are no longer enough.

IT Getting Defensive

Preventing cyber attacks – this time it’s personal

Security professionals are putting pressure on themselves to secure their organization’s systems, according to the findings of a new report. The 2017 Security Pressures Report from managed security specialist Trustwave surveyed over 1,600 security decision makers around the world and finds that while 53 percent of respondents report increased pressure in trying to secure their organization, that pressure is becoming more personal, as 24 percent say they put the most pressure on themselves, up from 13 percent last year. The findings also show that pressure from the boardroom and from C-level executives has decreased significantly as it has shifted to IT professionals themselves. The most feared repercussion of a cyber attack or breach is reputation damage to themselves or their company, ahead of financial damage to the company and termination of employment.

Former White House CIO calls for a cybersecurity reset

The IT community needs a total reset in the way they think about cybersecurity, according to former White House CIO Theresa Payton. “I think back ten years and I realize that we actually haven’t made a single one of your security problems go away, and you need to hold us accountable for that,” Payton said. “Name one. We have reduced risks in the security industry, name a problem we actually made go away for you,” she said. “But I’m really excited because I think we are at a turning point where we’ll have that opportunity.” Payton, who spoke at the Forcepoint Cybersecurity Leadership Forum on Tuesday, described how the government has characterized bringing breach detection times down from over 400 days to a little more than 200 as a win in cybersecurity. “I’ve got to tell you, this does not feel like winning to me,” Payton said.

I’m From the Government and I’m Here to Help

FTC takes over as top cybersecurity enforcer

The Federal Communications Commission’s role as a driver of national cybersecurity policy, promoted by former Chairman Thomas Wheeler, was effectively scrapped last week when Congress passed a measure killing the commission’s 2016 cybersecurity and privacy rules. The move was strongly welcomed by the telecom industry and leaves another alphabet-soup agency — the Federal Trade Commission — as “the cop on the beat” when it comes to cyber. That’s a role the trade commission has long embraced, but it will take a different and perhaps more reactive approach to cybersecurity in comparison with Wheeler’s communications commission. Many telecom industry groups prefer the FTC’s enforcement approach, which is based on guiding principles for cyber best practices, to what they saw as prescriptive rules on cyber spelled out by the recently departed Wheeler team at the FCC.

Congress returns, but the real cybersecurity action is taking place off the Hill

Lawmakers return to Capitol Hill this week with a few cybersecurity items on the agenda for the upcoming legislative work period, while the most significant efforts in the coming months may be taking place at the White House and at the National Institute of Standards and Technology’s campus in suburban Maryland.

By Tom Davis, SDI Cyber Risk Practice

April 25, 2017

And the Answer Is…

The solution to the unending challenge of marshalling sufficient cybersecurity defense measures in any organization lies in (pick one)

  1. Artificial intelligence
  2. Cyber intelligence
  3. Employee education
  4. Endpoint security

The astute reader will disregard the “pick one” instruction and argue that each of these measures is helpful, assuming this reader is familiar with what each category entails. The first three categories are at least somewhat self-explanatory; the last, perhaps a bit less so. Endpoint security is rapidly gaining favor as a method of protecting networks from access through remote devices such as laptops, smartphones and other mobile devices. Each of those devices is considered an endpoint, and each is a potential entry point for a cyber threat. As work habits have changed and organizations have permitted employees to use personal devices to connect to enterprise networks, the threat has grown.

CNBC just reported on a UK-based firm using artificial intelligence to swiftly respond to cyber attacks. In the story, they note “Australian cybersecurity company Nuix put out a report where they surveyed about 70 professional hackers and penetration testers at last year’s Defcon — the global hacking and security conference — to understand their perspective on cybersecurity. In the report, about 88 percent of the respondents said they could break through cybersecurity defenses and into the systems they target within 12 hours, while another 81 percent said they could identify and take valuable data within the same time frame even when the breach may not be detected for nearly 100 days on average.

The respondents said traditional countermeasures such as firewalls and antivirus very rarely slowed them down, but endpoint security technologies were more effective in stopping the attacks.”

Employee education, creating a culture of security sensitivity and best practices, arguably offers the best bang for the buck. Cyber intelligence, the committed act of learning about the actual threat universe surrounding an organization, can offer an excellent return on investment. But if you accept the word of professional hackers and pen testers, endpoint security is well worth a look.

By Tom Davis, SDI Cyber Risk Practice

April 18, 2017

My House Is My Castle, and It’s About to Get Stormed

Does cybersecurity begin at home? It appears the answer is yes, at least for high-net-worth individuals, judging by the latest move from insurance giant AIG. AIG just announced that it is offering cyber insurance to its high-net-worth personal lines insurance clients. The insurance product will be offered to policyholders of AIG’s Private Client Group who are victims of threats including cyber extortion and cyber bullying.

What will AIG’s clients get under this insurance? Well, according to an article in Insurance Journal, the insurance will cover expenses related to data restoration, and crisis and reputation management, among other claims. In addition, “AIG’s Private Client Group clients receive supplemental risk mitigation services, including a holistic assessment of devices, home networks, wireless access points and secure online accounts; training services for family members; online monitoring that assesses and tracks the availability of personal information; and a set of cyber assistance tools and resources including assistance from experienced fraud experts, provided by the identity and data defense specialist, CyberScout.”

It would seem that effectively evaluating the risk posed to high-net-worth individuals would be a bit daunting, but other insurance providers, including Chubb and HSB, are already in the home market, and we can expect that market to grow as smart, connected homes become ever more prevalent. We introduce risk, and become both a more attractive target and potentially more vulnerable, with each new device we add.

So, should you be looking at cyber insurance for your home? Here are some suggestions courtesy of the Wall Street Journal.

Does a service offer protection beyond what I’m already getting? Individuals who keep most of their money in bank checking or savings accounts and use credit cards generally are at less risk…because banks and credit-card issuers typically offer protection against liability for fraud. People with investment accounts should ask advisers and brokerages whether they offer written guarantees that clients will be made whole after a breach. Just 15% of broker-dealers and 9% of advisers have such written policies, a Securities and Exchange Commission survey found.

How much do I have to lose? For people with several million dollars’ worth of liquid and investible assets, the cost of extra security would be negligible…. But even for those with less money, any loss might feel painful, so people should make sure their funds are protected either by the Federal Deposit Insurance Corp., which protects deposits in checking, savings and money-market accounts, or a written policy from the investment firm.

Do I handle valuable financial data or intellectual property? A company executive or the founder of a startup who accesses financial or other sensitive information on a personal device or home computer may be a target. The concern is that hackers may target these types of individuals for their intellectual property or company details, and then make away with personal information while worming through their networks.

Not unlike insurance offerings aimed at the business market, in the end the best value of the home market offerings might lie in the way they offer the ability to strengthen home security defenses and educate people about cybersecurity realities and best practices. Risk reduction is the name of the game.

By Tom Davis, SDI Cyber Risk Practice

April 11, 2017

Dangerous Things?

While a student at Yale, Cole Porter wrote over 300 songs, including the famous Yale fight song Bulldog! Bulldog!, which Yalies young and old bark out whenever the Yale football team scores. Legend has it Cole Porter wrote the song to commemorate Handsome Dan, the first Yale bulldog mascot. It is the world’s good fortune that Porter’s musical contributions did not peak with Bulldog! Bulldog! During his illustrious career he authored such hit songs as Night and Day, Anything Goes, I Get a Kick Out of You, In the Still of the Night, and, of course, I’ve Got You Under My Skin.

I’m reminded of this last song by an article I just read (Cyborgs at work: Employees getting implanted with microchips) that looks at a Swedish company that offers to implant its workers with microchips the size of grains of rice that “function as swipe cards to open doors, operate printers, or buy smoothies with a wave of the hand.” How does it work? The microchips use Near Field Communication (NFC) technology, the same technology used in contactless credit cards or mobile payments. The implanted chip has no battery of its own; when a reader a few inches away energizes it through its electromagnetic field, the chip powers up and a small amount of data flows between the two devices, opening the door (literally as well as figuratively) to a number of possibilities.

It turns out these microchip implants have been around for a couple of decades, and for the moment, serve modest purposes. The way most people have come into contact with the concept is through the microchips that have been implanted in pets. But the spillover to humans is gathering steam. A company called Dangerous Things sells the microchips and an injection kit. As if to help support the company’s brand concept, the chips are not injected in doctors’ offices, but rather in tattoo parlors and piercing shops.

Early adopters of the insertable microchip see the risks as minimal, particularly because of the limited transmission range, and many think the future of the technology is rife with possibility. The short range is a property of the physics rather than a security control, though: any reader brought within a few inches, on a crowded train for instance, can talk to the chip, and how much that matters depends on whether the chip merely presents a fixed identifier that can be read and copied, or does something a copy cannot, such as answer a cryptographic challenge. Of course, the possibilities could also include privacy loss and identity theft, and perhaps far more nefarious cyber crimes. This generation of microchips will yield to the next gen, and where the process stops, well, as Porter lyricized, “I’ve got you deep in the heart of me. So deep in my heart that you’re really a part of me.”

By Tom Davis, SDI Cyber Risk Practice

April 4, 2017