Treat Your Data Like Cash

How annoyed are you when you find out you lost some cash?  Whether it is a few bucks in your jeans pocket or that “emergency stash” under the mattress, losing that “cold hard cash” is a feeling that always twists your stomach.  Sometimes you blame yourself.  Sometimes you blame others.  Depending on the amount lost, your emotions could range from the standard “how could I be so stupid?” to a profanity-laced tirade that is not suitable for print here.

Question: do you feel the same way when you experience credit card fraud?  My instinct is that while you would feel some sort of violation and negative feelings, it’s just not “the same” as losing cash.

I say this because sometimes you have ways of getting back your money with credit card fraud.  There’s hope.  It’s painful and takes up a lot of your time.

But there’s a chance.  Also, you haven’t lost anything really “tangible” if you have just lost some purchasing power on your credit card until the fraudulent charges get reversed (yes, I accept that for some this is a bigger problem than others).

But you really begin to feel the hurt if you can’t get these charges reversed and you do have to pony up the cash to cover it.  So, it comes back to cold hard cash again.  And usually the only way we get our cash back is because of a Good Samaritan or divine intervention.

With that thought in mind, here’s my first 2018 cyber comment to you: treat your data like cash.  My feeling is that most of us are treating our data like credit card fraud, hoping that we can get it back somehow.

I’m going to tell you that once your data is out in the wild, you should treat it as gone for good.  Sure, you may come across some cyber Good Samaritan or get some much needed divine intervention, but really, your data is gone.

I find myself both chuckling and smacking my forehead when I hear “if you just pay the ransom, we’ll give you back your data and destroy all copies we have.”  Okay, if you really want to believe the person who just ripped you off and extorted you (and whom, by the way, you’ll probably never see in the flesh), fine, but that’s a personal problem I can’t really help you with.

That’s why I’m keeping this post short and simple, hoping that 2018 brings about a sea change on how we treat our data.  Information is just another form of currency (arguably, the most valuable), which is why if you believe in the old saying “cash is king” then we should really start thinking “data is king” also.

Just start believing that once your data is compromised, it’s gone for good.  This is the case of course unless you can verify that you have gotten all of it back and also verify no copies have been made and also verify that your data has not been tampered with.  I believe we have enough evidence to show this is no easy task, so let me make this easy for you: just assume you lost some “cold hard data” in the process.

Let me wrap up with these last few words.  There has been a shift in the last 18 months away from the belief that cybersecurity is mainly a technology issue.  This is a good step, even if it’s late to the game by a few years in my opinion.  I also like that there have been more frequent calls for a “cybersecurity culture change” in order to stop the data loss.  Regrettably though, there has been little in terms of easy-to-explain-and-execute culture change.

That’s why I’m calling for data to be treated like cold hard cash.  If we can burn that mentality into our minds, I think we’ll take a giant leap forward in protecting our data.  Have a Happy 2018 full of good health, happiness, prosperity, and meaningful cybersecurity!


By George Platsis, SDI Cyber Risk Practice

January 9, 2018

Staying aLIVE: The Versatility of Live Video Streaming

One press of a button and you’re live. Live for everyone to see. With worldwide reach and minimal to no cost of production, social media live videos are suddenly everywhere. Easy to see why it’s caught on with individuals. But why are companies interested in this social phenomenon?

The road to social media live streaming began in 2013 when Snapchat first launched video sharing through its 24-hour Stories feature. Users could record and post content up to ten seconds long for their Snapchat friends to view.

Three years later, Instagram developed its own version of 24-hour video sharing, along with a new feature, “Go Live.” With this feature, Instagram sends a notification to the screen of a user’s followers that a video is playing live. The video is accessible during its broadcast and for 24 hours afterwards. Then it’s gone. Controls allow the user to configure who can see the video and interact with the user while it’s playing. That’s the objective, to engage with immediacy.

Since the launch of 24-hour video sharing and “Go Live,” more businesses have found ways to harness this dynamic medium to showcase thought leaders, brainstorm business concepts, communicate with remote personnel, and promote a sense of unity among disparate business units, among other purposes. Video posts and live video streaming have grown into the new “in” thing. The reasoning boils down pretty simply. Here’s why.

  1. Cost-Efficiency

Video stories and live video streaming have low to no cost of production. For example, there is no need to have a production, editing or set crew to capture company events for individuals unable to attend in person, or for audiences who may have a stake in a company event.

  2. Increased Connectivity

Live streaming video amplifies a company’s ability to connect and engage with followers. Yes, followers can leave likes and comments on articles, pictures and posted video content, but with live video the connection is immediate. And viewers can leave comments and feedback for prompt attention. It’s a more intimate experience that can help build stronger relationships with stakeholders, and engender credibility if managed well.

  3. Transparency

The most important aspect of live video sharing is its transparency.  Since the video content is in real time, there is no editing, manipulating, fast forwarding or rewinding. It’s completely transparent and organic in contrast to conventional videos which can be manipulated through editing. It demonstrates the company is willing to engage directly and authentically with its audiences, which may engender greater trust.

When live streaming first came out, I was hesitant to use it. The pressure of producing live video that allows followers to see deeper into my life made me a little cautious.  After using it a couple of times, I now better understand the usefulness of the feature both personally and for the businesses I interact with. For example, live video has allowed me to see how some of my favorite clothing brands design and produce the clothes I am wearing, allowing me to become more knowledgeable about the clothing industry and the products I choose to purchase. Other friends of mine who host YouTube pages find live video further connects them with their fan base, and makes them appear more “human,” versus making and editing videos online.

In my current position as an intern with Susan Davis International, I have learned how live videos are shaping events in the public relations and social media fields. At SDI, we use live video streaming to help promote events and increase our audiences. We also use it to connect out-of-state reporters with local client events by providing a live-stream link, which gives them a birds-eye view without leaving their desks.

SDI has also used live streaming to build audiences for clients such as the World War I Centennial Commission, Army Historical Foundation, and Museum of the Bible. For example, the centennial commemoration ceremony of the U.S. entry into World War I welcomed thousands of attendees to Kansas City. In addition to those thousands who watched in-person, the live stream video added an additional thousand guests who would not have otherwise been witness to the historic occasion.

While still new, the usage of live streaming is gaining ground quickly. There are over two billion Facebook users and over 700 million Instagram users worldwide. Sharing content through live video on these platforms is an amazing technology that businesses and individuals are finding more creative uses for. Whether you’re a social connector, blogger, small business owner or worldwide corporation, live video streaming may help you stay current and aLive with your hungry audiences.

By Arielle Berger, SDI intern

December 21, 2017

Warm Holiday Wishes

As the holiday season gathers steam, we traditionally pause to take stock of our many blessings. This year we can find one in the just released U.S. National Security Strategy.  It appears we’ve won the war on climate change, and climate change is no longer a national security threat, so a long winter’s nap should be marginally easier to come by.  However, the strategy does recognize the growing threat from cyber weapons, and the evidence of that threat is abundant.

CSO online just issued its security predictions for 2018, and predictably, it forecasts ever increasing state sponsored cyber attacks.  As the article notes, “The usual suspects for state-sponsored attacks — North Korea, Iran, and Russia — don’t have much to lose by continuing their attempts to extort, steal, spy and disrupt by infiltrating information systems. All are already heavily sanctioned, and the consequences — at least those we know about — in response to state-sponsored attacks have been minimal.” Their forecast is consistent with the outlook of Experian, which pointed to critical infrastructure as a sector where breach activity by nation states is likely to rise.

How timely, then, that FireEye just announced that Schneider Electric SE had received a lump of coal in its business stocking. Schneider provides safety technology, and one of its products, Triconex, is widely used in the energy industry, including at nuclear facilities and oil and gas plants. The breach victim is said to be in the Middle East, and some cyber experts suggest Iran had sponsored an attack on Saudi Arabia, which, if true, would hardly be shocking news. More importantly, this seems to be the first public report of a safety instrumented system being compromised at an industrial plant. That opens a new front in cyber warfare, because by compromising the safety system, attackers can undermine a plant’s ability to detect a dangerous condition or limit the damage when one occurs.

This comes as security experts are closely watching developments in Ukraine, where the holiday season in recent years has been marked by significant attacks on the power grid. Officials from other nations have been studying the attacks on Ukraine to determine what additional safety measures need to be employed to lessen the vulnerability of power grids around the world. It’s fair to say that if Ukraine is again victimized the repercussions will ripple widely. When we say we hope your holiday season is warm and bright this year, we really mean it.

By Tom Davis, SDI Cyber Risk Practice

December 19, 2017


An Eye on GDPR

There is a lot of talk about the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679).  And rightly so, because it will impact a great many organizations, many of which reside in the U.S.  Set to come fully into effect May 25, 2018, the GDPR has understandably caused a lot of headaches because it is a wide-sweeping and costly regulation, especially if you are in violation.

Clearly, the first question to ask is if the GDPR applies to you. If it doesn’t, you are in the clear (but that is not an excuse to relax your data protection measures).  If it does, well, you have work to do if you haven’t been on top of your GDPR compliance. This is especially true if you are a big organization, are not based in the EU, and have a lot of EU customers and clients.

I would like to take a step back here for a moment and perhaps calm some of the GDPR hysteria out there. Yes, some commenters and compliance professionals are rightly having heartburn over the GDPR. Others have said not to freak out, like Elizabeth Denham, the UK Information Commissioner, who has stated that the GDPR should be looked at as an “evolution” in data protection and not a revolution.

My humble opinion is that if the GDPR applies to you and you are in a non-EU country, your worry should be greater than zero.  Here is why: the EU needs money. And who do you think they will fine first?  EU-based organizations or non-EU-based organizations?  Option 1 seems like it could be detrimental to the EU economy (something about hurting your own) but Option 2 seems like a nice windfall being extracted from a competitor.  If I’m the EU, I know who I am fining first.

But the fines can’t be that bad, can they?  Yes, they can be that bad. Violators of the GDPR can be fined up to 4 percent of annual global turnover or €20 Million, whichever is greater. That sounds like some industrial strength motivation to take the GDPR seriously, especially if you could end up near the top of the pecking order.

Apart from all your usual data protection and cybersecurity grief, the real shift of power of the GDPR comes in the form of individual rights, specifically in terms of privacy. This nuance is important culturally, because Europeans have generally had more constitutional protections that relate to privacy than say freedom of speech.  And from a business perspective, what that means is that individual consumers will have incredible leverage over organizations.

The GDPR will give individual consumers the following powers:

– The right to be informed

– The right of access

– The right of rectification

– The right of erasure

– The right to restrict processing

– The right to data portability

– The right to object

– Rights related to automated decision making and profiling

All of this sounds pretty straightforward, but think of all the resources required to implement and comply.  To begin, anything that could be considered “personal data” is swallowed up by the GDPR. This could be a name, a credit card number, an IP address, or a set of preferences.  As you can imagine, the list can go on and on. This raises the question: have you identified all possible pieces of “personal data” within your organization?  By the way, charities are not exempt from the GDPR, so if your thought is that your well-meaning good-cause not-for-profit will be given a pass, I wouldn’t bet the farm on that sort of wishful thinking.

Of course, each of the rights presents its own set of headaches for the organization, but I will pick the first, “the right to be informed,” as an example. Think Equifax. Think Uber. Now think about the GDPR’s breach rules: the supervisory authority must be notified within 72 hours of your becoming aware of a breach, and where the breach is likely to put people at high risk, the affected individuals themselves must be told without undue delay. Now think about how to identify and notify those tens or hundreds of millions of people. That is the sort of headache you are going to have to deal with.

A single blog post is not going to give you all the answers you need regarding GDPR, but I will close with this: the Data Protection Officer (DPO), could end up making or breaking you. The comparison to the Chief Compliance Officer is not right, because the DPO has some incredible powers that other C-Suite officers may not have.  For example, the DPO must:

– Act “independently”

– Not take instructions from their employer regarding the exercise of their tasks

– Have expert knowledge of data protection law

– Be provided with sufficient resources

– Not be dismissed merely for performing their tasks

– Report directly to the “highest management level”

And guess what?  You could be fined for not allowing your DPO to do their job!  If this GDPR thing is starting to give you some unexpected heartburn, it would be completely expected.

While I would like to believe the intent of the GDPR is to instill some good data protection and cybersecurity habits into all of us, remember what is driving it: a focus on privacy and a very big stick (with no apparent carrot in sight).  The coffers in Brussels need to be refilled, so don’t be surprised if the bureaucrats are looking across the pond for a way to do just that.

In closing, a very Merry Christmas and Season’s Greetings!  May the Holiday Season and the New Year be full of health, happiness, and success for you and yours!  See you in 2018!

By George Platsis, SDI Cyber Risk Practice

December 5, 2017


Susan Davis International Wins Prestigious Stevie Awards!

SDI Executive Vice President Judy Whittlesey accepts Gold Stevie Award. Photo credit: Stevie Awards.

During the annual Stevie Awards for Women in Business ceremony in New York City, SDI received the Gold Stevie Award for Communications or PR Campaign of the Year for the Elizabeth Dole Foundation Hidden Heroes Campaign and a Silver Stevie Award for Women-Run Workplace of the Year – More Than 10 Employees – Advertising, Marketing, Public Relations and Business Services.

The Gold Stevie Award, celebrating businesses, organizations, and individual achievements in more than 60 nations, recognizes SDI’s role in the 2016 launch of the Hidden Heroes campaign for the Elizabeth Dole Foundation (EDF). EDF, founded by Senator Elizabeth Dole in 2012, is a non-profit organization strengthening and empowering America’s military caregivers and their families by raising public awareness, driving research, championing policy, and leading collaborations that make a significant impact on their lives.

SDI’s Judy Whittlesey and Dan Gregory joined the Army Historical Foundation, National Museum of the United States Army and Clark Construction to sign the Museum’s final steel beam. Photo credit: Frank Ruggles.

The Silver Stevie Award for a Women-Run Workplace of the Year – More Than 10 Employees – Advertising, Marketing, Public Relations and Business Services was awarded to SDI for the firm’s work with diverse clients ranging from nonprofits to corporations and government agencies. Competition for both Stevie awards was global.

The Stevie® Awards are the world’s premier business awards.  They were created in 2002 to honor and generate public recognition of the achievements and positive contributions of organizations and working professionals worldwide.

Susan Davis; Donald Cardinal Wuerl, Archbishop of Washington; Roma Downey and Mark Burnett celebrating the dedication of the Museum of the Bible.

Winning the Stevie Awards capped a banner month for SDI. During November SDI spearheaded the grand opening of Museum of the Bible; the topping out ceremony for the National Museum of the United States Army, and the Elizabeth Dole Foundation and U.S. Department of Veterans Affairs’ 2nd National Convening: The Military Caregiver Journey.  SDI also supported the 20th anniversary of the Women’s Memorial and the groundbreaking of the WWI Memorial.

SDI salutes the team members whose outstanding work contributed to such an extraordinary month.

Senator Elizabeth Dole, Former First Lady Laura Bush, and U.S. Secretary of Veterans Affairs David Shulkin meet with caregivers at the Elizabeth Dole Foundation and VA’s 2nd Annual National Convening, managed by SDI. Photo credit: Lisa Nipp.

Prepare to Defend Your Reputation

“Lose money and I will forgive you. Lose even a shred of reputation and I will be ruthless. …Wealth can always be recreated, but reputation takes a lifetime to build and often only a moment to destroy.”

Warren Buffett

There is widespread acknowledgement that corporate reputation has significant value.  Calculating that value with any precision is a bit more dicey. Many have attempted to quantify reputational value, and estimates vary from 20 percent on the low end to 70 to 80 percent on the high end. One can accept that there is value, and that the value represents an asset that must be protected and, ideally, enhanced. An article in the Harvard Business Review sought to assess reputational risk.  It posited three determinants of reputational risk, saying “Three things determine the extent to which a company is exposed to reputational risk. The first is whether its reputation exceeds its true character. The second is how much external beliefs and expectations change, which can widen or (less likely) narrow this gap. The third is the quality of internal coordination, which also can affect the gap.”

Today I want to focus on the second of those determinants. A recent article by Dan Kiely in Entrepreneur looked at how reputation of smaller firms can be adversely affected by cyber breaches.  “…don’t be fooled into thinking that you have to be a Fortune 500 corporation to be a target. Cybercrime is an equal opportunity menace. Larger mature companies are hit most often, but smaller scale-ups are hit the hardest, and it takes longer for them to recover. Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective. In today’s digital economy, winning and maintaining the trust of your customers is central to business growth, and nothing erodes trust quite like a cyber breach.”

The many people who have a trust relationship with a business, customers, clients, shareholders, investors, employees alike, expect that certain standards will be met with regard to cybersecurity. They do not expect perfection, and may even have some tolerance for breaches, if the business can show that it has engaged in a rigorous process to defend itself against being breached, and communicates effectively before, during and after a breach. However, if analysis of the breach exposes unexpected shortcomings in preparation and/or response, beliefs and expectations about the company will change for the worse, and reputation will suffer.

Heed Warren Buffett’s words: protect your reputation.

By Tom Davis, SDI Cyber Risk Practice

November 21, 2017


Controlling Your Cyber Supply Chain

Back in September, I wrote a piece that questioned whether or not you trust your network. As an extension to that piece, this piece focuses on your cyber supply chain.

Let’s begin with this simple premise: you may never fully know who is a part of your cyber supply chain. Why do I say that?  Because it is practically impossible for you to keep a watchful eye on all parts of the supply chain. It would be a full-time job for you. In my view, the only entity that could have full control of its cyber supply chain is a government (emphasis on could, because even for a government, full control of the cyber supply chain would be an incredibly difficult and expensive proposition).

If you accept that simple premise, then by extension, you will have no problem accepting this one as well: the probability of you being breached is greater than zero.

If you are with me so far, this is excellent. It means you have not bought a bag of magical beans from vendors or consultants who are already preaching to you that you are on the way to the cyber secure promised land.

My point is this: you don’t know what you don’t know, so when that is the case, ensure that you are taking some extra cautionary steps. And this is why I will reference a very handy tool from NIST that outlines some basic principles regarding the cyber supply chain. I won’t go through the entire tool but just focus on two areas: principles and key risks.

Principles

I’m not going to reinvent the wheel, so will therefore say the majority of what you need to know about cybersecurity is captured within these three principles:

1) Develop your defenses based on the principle that your systems will be breached.

2) Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem.

3) Security is Security.

I recommend viewing the tool, but here is my brief commentary on each point:

1) If you believe – even for a nanosecond – you have an impenetrable system (or let somebody convince you that one is possible) you may also believe that all is well in the world right now.  Caveat: even if we achieve some incredible technology, like Quantum Key Distribution (QKD) for communications, there will still be other threats, which is a perfect lead in to the next comment.

2) If you are not placing considerable emphasis on the human element, your cybersecurity strategy will always fail.  What has started as a hypothesis of mine has turned into a truism for me over the years: I am so certain of the human element issue that I am willing to personally guarantee your cybersecurity strategy will fail, 100% of the time, if you are not showing significant bias to solve the human element of the problem. Plenty more on this issue can be found in previous SDI posts and on LinkedIn.

3) If your cybersecurity strategy is independent of your security posture, you’re looking for trouble. This is why we say cybersecurity should be viewed through an organization risk management lens. This means if your IT department is not working with your security department and both are not working with all other departments in the organization, the question is not “when will I get breached” but rather “how badly will I be breached when it happens?”  Leadership at the top is crucial and absolutely necessary. The C-suite needs to adopt a risk management mentality and instill a culture of “security smart” within the organization.

You are probably wondering what I mean by “security smart” right now.  It’s simple: make sure everybody has a generally good idea of what the cyber risks are.  Don’t be paranoid.  Just get your staff to understand these threats are real and they can impact your organization and their jobs.  You do not see people freaking out that a fire may spontaneously erupt in the middle of your organization’s lobby, but people are trained enough to know that if they smell something burning or see some smoke, it’s best to warn others, quickly investigate, and if needed, pull a fire alarm or call 911.

We don’t have “hall monitors” walking around our offices checking for fires.  It’s something everyone in the organization watches out for (in large part, because of personal safety).  Well, if your company goes bankrupt because all its IP has been stolen, I think that impacts your personal safety too.  So, start a program of being “security smart” within your organization (hint: SDI Cyber can help there).

Key Risks

The next section is all straightforward, again from the NIST tool.  All you need to know is that these risks exist and you should be thinking of ways to deal with them. These risks include:

  • Third party service providers or vendors – from janitorial services to software engineering with physical or virtual access to information systems, software code, or IP.
  • Poor information security practices by lower–tier suppliers.
  • Compromised software or hardware purchased from suppliers.
  • Software security vulnerabilities in supply chain management or supplier systems.
  • Counterfeit hardware or hardware with embedded malware.
  • Third party data storage or data aggregators.

It’s a bit of a raw deal, but yes, you have to worry about everybody else that’s part of your supply chain. And here’s the real kicker: you may have little control over these risks beyond changing your supply chain, which could be an expensive proposition. This is where risk management comes into play: do you accept that risk (and the associated and potential costs) or do you do something about it?  That’s your decision, but it’s something you need to think about.  Otherwise, you’re just setting yourself up for a world of hurt that you may not be able to recover from.
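As an added illustration of one of the risks in that list, compromised software purchased from suppliers, here is a small control most organizations can actually run: pin the SHA-256 digest of every supplier artifact at the time it is reviewed and accepted, and refuse any later delivery that does not match, is missing a pinned item, or includes something that was never reviewed. This is example code written for this page, not part of the NIST tool or SDI’s own material; the artifact names, bytes and manifest are constructed so it runs offline.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(manifest: dict, artifacts: dict) -> dict:
    """Compare delivered supplier artifacts against a pinned digest manifest.

    manifest  maps artifact name -> expected SHA-256 hex digest, recorded
              when the artifact was first reviewed and accepted.
    artifacts maps artifact name -> bytes actually delivered this time.

    Returns a name -> status map with one of:
      "ok"        digest matches the pin
      "mismatch"  delivered bytes differ from what was reviewed
      "unpinned"  supplier delivered something that was never reviewed
      "missing"   a pinned artifact was not delivered at all
    Every artifact is reported; nothing is trusted by default.
    """
    results = {}
    for name, expected in manifest.items():
        data = artifacts.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual = sha256_hex(data)
        # compare_digest is the idiomatic constant-time comparison.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for name in artifacts:
        if name not in manifest:
            results[name] = "unpinned"
    return results


def accept_delivery(results: dict) -> bool:
    """Accept only if every pinned artifact is present, intact, and nothing extra arrived."""
    return all(status == "ok" for status in results.values())


# --- Constructed sample data (hypothetical artifacts, not from any real supplier) ---
REVIEWED_FIRMWARE = b"vendor firmware v1.2 (constructed sample bytes)"
REVIEWED_AGENT = b"monitoring agent build 40 (constructed sample bytes)"

# Digests recorded at review time; in practice this manifest lives in version
# control, separate from the delivery channel.
PINNED_MANIFEST = {
    "firmware.bin": sha256_hex(REVIEWED_FIRMWARE),
    "agent.exe": sha256_hex(REVIEWED_AGENT),
}

# A later delivery: firmware is intact, the agent differs by one byte, and an
# extra component nobody reviewed has appeared.
DELIVERED = {
    "firmware.bin": REVIEWED_FIRMWARE,
    "agent.exe": REVIEWED_AGENT[:-1] + b"!",
    "helper.dll": b"unexpected extra component",
}


def check_sample_delivery() -> dict:
    """Run the verification over the constructed delivery above."""
    return verify_artifacts(PINNED_MANIFEST, DELIVERED)


if __name__ == "__main__":
    results = check_sample_delivery()
    for name, status in sorted(results.items()):
        print(f"{name:14s} {status}")
    print("accept delivery:", accept_delivery(results))
```

The point of reporting “unpinned” and “missing” separately from “mismatch” is that a supplier quietly adding or dropping a component is just as much a supply chain event as tampering with one; a check that only hashes the files it already knows about would wave the extra file through.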

By George Platsis, SDI Cyber Risk Practice

November 7, 2017

Beary Scary

We are slowly easing through the languorous days of fall, reluctantly trading daylight for darkness, feeling the crunch of leaves, inhaling the smoke-tinged air that marks the fullness of the season. Soon it will be All Hallows Eve, a night when witches ride high across cloud-strewn skies and spirits restlessly roam the earth below. They will be joined by millions of children less concerned about the spirits than the potential bounty that awaits behind closed doors. Tiny princesses will race alongside pirates and ballerinas, each eager to ring a doorbell and shout in unison “trick or treat!” Older adolescents and young adults will gorge on horror shows, feasting on the fright inspired by vampires, werewolves, goblins, and countless maladjusted individuals who act out in truly horrific fashion. Those who’ve been around for a while may think of frightening figures such as Nosferatu, Frankenstein’s monster, the Mummy, and more recently Candyman, Pennywise, Leatherface, and Berserk Bear.

Astute readers may have tripped over Berserk Bear, but Berserk Bear may be very scary indeed. The world was introduced to Berserk Bear in CrowdStrike’s 2014 Global Threat Intel Report. “Proactive analysis during 2014 revealed another Russian actor that has not encountered public exposure, yet appears to have been tasked by Russian state interests. BERSERK BEAR has conducted operations from 2004 through to the present day, primarily aimed at collecting intelligence but has also provided capability in support of offensive operations in parallel to the Russia/Georgia conflict in August 2008.”

Since then, the legend of Berserk Bear has grown. In 2016 it was reported to be attacking energy interests in the Middle East. In September of 2017, Symantec said Berserk Bear had penetrated firms in the U.S., Turkey, and Switzerland, and had the ability to cause mass power outages, shut down electrical grids, and disrupt utilities. That report was confirmed last Friday, when the Department of Homeland Security (DHS) and the FBI issued an alert warning critical infrastructure companies of “advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

What we know at this point is that the attacks have been successful, and critical parts of the infrastructure have been breached. DHS has reported the attack is ongoing. There are no reports of damage to this point. We are left to speculate as to motivation, and what might happen next.  Like many scary stories, this one may have a sequel. Stay tuned.

By Tom Davis, SDI Cyber Risk Practice

October 24, 2017


Have We Normalized Theft?

When did cyberattacks truly begin to concern us?  Was it the Morris worm of 1988?  One would have wished it was, but clearly this is not the case.  How about the 2008 cyberattack on USCENTCOM?  That worm, likely introduced into the DoD network through a single USB key, took about 14 months to clean up by some estimates.  Fast forward nine years to Equifax.  145 million records stolen.  Have we learned yet?  I wish I could say “okay, this time we will do something about it!” but I am not too optimistic.

Why?

Because I feel we have slipped into a dangerous area: we have allowed the normalization of data theft.  And today, data theft means anything from personally identifiable information to R&D/intellectual property to good old fashioned money.  My feeling is that because we don’t “feel” data the same way we would, oh a stack of $20s, we don’t really appreciate what is being lost.

Let’s try to put this into perspective.  If in fact 145 million records were stolen from Equifax, what would that look like in a “smash-and-grab” operation?  For simplicity, let’s assume one record is one page.  The average thickness of paper is 0.1 mm (0.0039 inches).  How high would the paper stack in this case?  Well, 145 million pages at 0.0039 inches each come to about 565,500 inches, which is roughly 9 miles, well above the height of Mount Everest.

To think that somebody could perform a break-and-enter like this (and get away with it) sounds so preposterous that the idea wouldn’t even make it into a B-movie script.  But when all these “pieces of information” are digitized into a bunch of zeros and ones, well, you can fit all that information into the palm of your hand.

And that’s what gives me heartburn because we are doing such a poor job understanding what is being stolen.  We spend billions of dollars innovating, labor for years, and all these valuable resources could be gone, poof, like that because somebody missed patching a system or left a terminal unprotected or clicked a link they shouldn’t have.  This is asymmetry of galactic proportions.

So back to my point about normalizing theft: I think because we can’t “feel” the pain, we don’t give this issue the attention it deserves.  If I was a nefarious actor and I was able to siphon $5 a month from your bank account, would you care?  Before you answer … would you notice?  What if I was able to make this siphoning as some sort of “fee” or common every day purchase?  You may not give it that much thought and let it slide.  Now let me do that to a million people.  And let me do that to a different million people every week.  How does $260 million a year sound to you?

Does this sound like a tenable business model for an economy to survive?  Nope.  But that’s what we are dealing with when we normalize theft.

Sure, some may say “but we have services to protect us.”  Okay, but those services cost money, $10 a month, let’s say.  That’s $120 a year per individual.  To protect the 52 million people that would have gotten ripped off in the earlier scenario, that’s a hit of $6.24 billion annually.  That’s $6.24 billion that could have gone into paying rent, buying a meal, helping a local foundation, or covering tuition or medication.

Lost in so much of the cybersecurity conversation is that protection rarely offers a return on investment.  Protection is a tax on business and a tax on individuals.  So unless we start “feeling” this theft on a more personal level and take the steps to properly educate ourselves about the human dimension, we are going to run out of money to invest in protection real fast.  People are generally not good at understanding risk, and we have often farmed that risk out to somebody else (insurers, public officials, you name it).  But even this model is becoming too expensive.  So it’s time we take a closer look at ourselves and see if we are part of the problem by having allowed data theft to be normalized.  We shouldn’t be so passive about it.  We should be outraged, because this is a slow strategic bleed of national strength and stability.

By George Platsis, SDI Cyber Risk Practice

October 3, 2017

* Correction: “I’m tempted to say what’s a few extra zeros among friends, but am forced to heed my own counsel…when you make a mistake, own it: it’s actually 565,500 inches, which is closer to 9 miles, more like New York to Hoboken and back…but that’s still a lot!”

A New Shakespearean Tragedy?

Once more unto the breach, dear friends, once more;
Or close the wall up with our English dead.

KING HENRY V

In Shakespeare’s retelling of the life of King Henry V, he has the king urging his brave soldiers forward once more, hurling themselves against the French army in the early stages of what became the decisive battle of Agincourt.  The line has survived to become a common exhortation for giving something another try. One notes that King Henry did offer the alternative of dying in the gap of the wall, but the essential idea is to flow through the breach to victory.

Today we are dealing with a breach in which the flow is outbound, and there is no victory in sight.  The massive data breach suffered by Equifax has exposed the personal identifying information of over 143 million people. The attackers took people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people.  The breach is rightly seen as a monumental failing on the part of Equifax, and the repercussions are mounting rapidly.

Writing on the Gartner Blog Network, John Wheeler calls the breach a game changer for cybersecurity.   Among his predictions, Equifax will cease to exist. “In the last 4 business days since the company disclosed the data breach Equifax has suffered a $5.3 billion loss in market capitalization which represents almost a third of the company’s total value. When considering an estimate of the potential costs associated with the data breach (based on the 2017 IBM/Ponemon Institute Cost of Data Breach Study), Equifax faces a potential loss of $20.2 billion which currently exceeds their total market value by $8.3 billion. Also, the company currently faces more than 23 class action lawsuits with at least one seeking more than $70 billion in damages. The death spiral will soon take on greater momentum when executives are required to testify before Congress and criminally investigated for potential insider trading related to the delayed disclosure of the data breach. Equifax will ultimately be acquired out of bankruptcy by one of the remaining two credit reporting companies – TransUnion or Experian.”

The “delayed disclosure” noted by Wheeler is extremely problematic. Equifax said it first detected suspicious behavior on July 29. It appears the breach dates back to May of this year, and some reports suggest it may have happened even earlier. Even if one accepts the July 29 date as the first instance in which Equifax became aware of the breach, several weeks went by before customers were made aware. The delay triggered outrage, and credit reporting companies have few friends, so the fury goes on unabated.

The fallout continues. Equifax’s Chief Information Officer and Chief Security Officer “retired,” and its CEO stepped down. More heads will likely roll. Forty states are investigating how Equifax handled the breach. Other regulatory agencies are launching investigations, and there is a real possibility that this breach will lead to significant change in law and regulation.

Once more, out through the breach.

By Tom Davis, SDI Cyber Risk Practice

September 26, 2017
