This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.
“Spring is when you feel like whistling even with a shoe full of slush.”
– Doug Larson
In the northern hemisphere, April marks the first month of spring. It’s a time of rejuvenation, as the great awakening changes the landscape. It is a month that touches the poet’s fancy. From my perspective, any month that starts with a day known as April Fools’ Day is worth recognition. I’ll share the April Fools joke that is number one on many lists. In 1957, the BBC news show Panorama announced that thanks to a very mild winter and the elimination of the devastating spaghetti weevil, Swiss farmers were harvesting a bumper spaghetti crop. It accompanied the announcement with footage of people pulling strands of spaghetti down from trees. Huge numbers of viewers who watched the story called the BBC wanting to know how they could grow their own spaghetti tree, apparently thinking the English climate wasn’t all that different from the Swiss climate.
As we’ve seen in following the ever-evolving cybersecurity threat, it’s possible to fool people on other days in April, and cyber threats respect few boundaries. Here are our takeaways from articles this month that further our understanding of cybersecurity concerns and issues.
Well, encryption worked for the Greeks
Encryption we can trust: Are we there yet?
Encryption is arguably the most important single security tool that we have, but it still has some serious growing up to do. The current debate about the pros and cons of ubiquitous encryption and the FBI’s request for Apple to unlock iPhones reinforces the public notion that encryption is unbreakable, even by the nation state, unless artificially weakened by backdoors. Everyone in the industry knows this isn’t true – there is a difference between strong and weak encryption. Perhaps surprisingly those differences have almost nothing to do with encryption itself – or at least the math behind encryption. Encryption relies on secrets, digital keys to lock and unlock the data. Whether those secrets can be guessed or stolen is what makes all the difference.
It’s 2016 and you aren’t using encryption. Why?
Encryption sounds synonymous with complexity. It’s not. It’s very, very simple. There should be no reason why an organization shouldn’t be encrypting its data in 2016. The technology is there. And the rationale for using it is simple: Breach prevention is dead.
Week ahead: Encryption fight resumes before Congress
The dispute between Apple and the FBI will be back in the spotlight, with both sides sending representatives to testify before the House Energy and Commerce Committee. But lawmakers will keep the two sides apart at the Tuesday hearing, titled “Deciphering the Encryption Debate.” There will be two separate panels: one made up of law enforcement voices and a second dominated by tech industry members. Amy Hess, executive assistant director for science and technology at the FBI, will speak on the first panel, which also includes the intelligence bureau chief of the New York Police Department and a member of the National Sheriff’s Association. Apple general counsel Bruce Sewell will speak on the second panel, which also features several computer science academics and cybersecurity professionals.
The silver lining of a ransomware infection
Getting infected with ransomware may actually be a good thing for your enterprise. Ponder that statement for a moment. Yes, someone has written that ransomware, which has cost U.S. businesses and consumers approximately $18 million in the past year, may be a good thing for your environment. In case you have been blissfully unaware of the aggressive ransomware campaigns launched by attackers in the past year, ransomware is malware designed to seek out specific file extensions, encrypt them and then request the end user to pay a fee to have the files decrypted. This fee is typically paid in bitcoin or another digital currency. Ransomware has caused many headaches throughout the industry. According to a recent IBM CISO assessment, 8 out of 10 security leaders surveyed reported they were concerned about ransomware. …If you need a silver lining, think of a ransomware event as a low-cost security assessment pointing out weaknesses in your environment.
How to avoid becoming the next victim of ransomware
Recently, I traveled to South Carolina to deliver a presentation on advanced threats and mitigation strategies and it wasn’t long before the question-and-answer session turned to a discussion on ransomware. One attendee wanted to know: Should businesses ever pay to recover encrypted files? I stressed that victims should never pay ransoms because it only exacerbates an already out-of-control problem and there are never guarantees that files will be recovered after paying money to criminals. After the session ended, an IT administrator for a local healthcare outfit approached me and pointedly told me his company was in the midst of paying the ransom after a pretty nasty infection and he wanted me to know that my “never pay” advice was impractical.
Cyber attacks continue to grow and evolve
Cyber criminals continue to prey on websites with unpatched vulnerabilities and ill-protected point of sale (POS) systems to steal credentials such as personal data, credit card numbers and bank account details. Fraudsters are known to use methods most commonly associated with their victim’s normal business practices – wire transfers in most cases, cheques in others. Intrusions are facilitated through a phishing scam in which a victim receives an email from a seemingly legitimate source that contains a malicious link. When the victim clicks on the link, it downloads malware, allowing the criminals unrestricted access to data, including passwords or financial account information. Fraudsters also contact companies by email or phone pretending to be lawyers or representatives of law firms claiming to handle confidential or time-sensitive matters. Organizations and Internet users should be vigilant in strengthening their guard against the anticipated surge in cyber attacks targeting web servers, POS systems and mobile devices. It is predicted that extortion via DDoS (distributed denial-of-service) and Ransomware will also flourish as cyber criminals are increasingly offering paid ransomware services (complete with kits for attacks on different operating systems) and managing ransom payments.
Spring checkup. Out of energy?
Cybercom sounds alarm on infrastructure attacks
The commander of the U.S. Cyber Command warned Congress this week that Russia and China now can launch crippling cyberattacks on the electric grid and other critical infrastructures. “We remain vigilant in preparing for future threats, as cyberattacks could cause catastrophic damage to portions of our power grid, communications networks and vital services,” Adm. Mike Rogers, the Cyber Command chief, told a Senate hearing. “Damaging attacks have already occurred in Europe,” he stated, noting suspected Russian cyberattacks that temporarily turned out the lights in portions of Ukraine. Adm. Rogers said that unlike other areas of military competition, Russia is equal to the United States in terms of its cyberwarfare capabilities, with China a close second.
Homeland Security Dept. struggles to hire staff to combat cyberattacks
At a time of increasing threats of cyberattacks on critical infrastructure, the Department of Homeland Security is having trouble recruiting much-needed computer experts because it cannot match the pay of the private sector and does not have the same allure as intelligence agencies. Recent disclosures that Iranian hackers with ties to the government in Tehran had launched a cyberattack against a dam in New York highlighted the need for the department, which is charged with protecting government and private systems from cyber intrusions, to have a staff capable of responding to sophisticated enemies. “We are competing in a tough marketplace against a private sector that is in a position to offer a lot more money,” Jeh Johnson, the Homeland Security secretary, told senators at a hearing last month. “We need more cyber talent without a doubt in D.H.S., in the federal government, and we are not where we should be right now, that is without a doubt.”
Governments must regulate against cyberattacks, says Kaspersky
No nation has enough engineers to protect its infrastructure against cyberattacks, Eugene Kaspersky, founder and CEO of Kaspersky Labs, told a meeting in London yesterday. “We’re living at a time of growing numbers of attacks on infrastructure,” said Kaspersky, “we have seen a case where petrol deliveries were heated above the temperature at which it should be delivered, we’ve seen attacks on coal transportation systems which say that a consignment weighs less than it does so that some can be stolen, ships are hijacked and the containers scanned and opened up to remove the contents, the Ukrainian power grid was hacked and its systems wiped, South Korean financial infrastructure was attacked last year and this year hospitals in Australia, California and Germany were attacked and had all their data wiped.”
Did Big Energy just make us safer from terrorism or cyber attacks on the US electrical grid?
Homeland Security Secretary Janet Napolitano had some words of caution for her successor in her final days in office: A cyber attack on America’s power grid is coming and it’s not a matter of if, but when. Now, thanks to a new private sector cooperative called Grid Assurance, help is on the way. This is an existential issue for America and the free world. The congressional Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack says an EMP attack would wipe out about 90% of the U.S. population within two years of such an event as a result of disease, food scarcity and the complete breakdown of society. The Department of Energy echoes this sentiment, noting the dependence of navigation, telecoms, the Internet and our financial, health care and emergency response systems on the power grid. Lloyds of London says costs of a grid geomagnetic disturbance event could top $2 trillion.
What, me worry? I don’t have to, I’m in charge.
Cybersecurity responsibility: Are execs passing the buck?
Who’s ultimately responsible for cybersecurity? It’s a critical question; according to Bloomberg BNA, 84 percent of businesses polled have adopted some kind of cybersecurity framework, and information security is quickly becoming a high-priority boardroom topic. But there’s a problem: A new survey found that more than 90 percent of executives can’t read a security report, CNBC reported. More worrisome? Forty percent say they “don’t feel responsible” for the repercussions of a hack. Are execs passing the buck on cybersecurity responsibility?
Survey finds accountability gap among execs dealing with cybersecurity
The cybersecurity “accountability gap” is growing as 40 percent of executives admitted they didn’t feel responsible for the impact of a cyberattack and a lack of understanding concerning cybersecurity could be a contributing factor, according to a study commissioned by endpoint security firm Tanium and the NASDAQ. The Accountability Gap: Cybersecurity and Building a Culture of Responsibility asked 1,530 non-executive directors, C-level executives, Chief Information Officers, and Chief Information Security Officers from around the world. “Executives generally don’t feel they have an important role in information security, believing it to be a problem for their IT and security teams,” Tanium Chief Security Officer David Damato said in comments emailed to SCMagazine.com.
Are IT executives blind to cybersecurity events?
Is your company’s cybersecurity keeping you up at night? If you’re an IT professional, the answer to that question is probably yes. If you’re an IT executive, the answer to that question might be no – even if you work at the same company. What we’re seeing, says Jack Danahy, co-founder of Barkly, a Boston-based endpoint security startup company, “is a breakdown in communication.” That’s what Barkly found in its “Cybersecurity Confidence Report.” In it, Barkly surveyed 350 IT professionals and found that 50 percent are not confident in their current security products or solutions. However, the story is different at the executive level: Nearly 70 percent of IT executives said they have confidence in their current security/solution. There’s a disconnect in measuring return on investment, too: About 70 percent of IT executives said they’re confident that can be determined while less than 50 percent of IT pros said the same thing.
Cybersecurity threats are real: You and your organization could be in danger
Last week I moderated an NACD Boardroom Excellence webinar in partnership with Broadridge Financial Solutions that focused on the issue of cybersecurity. Approximately 200 directors representing various corporations participated. The data shared was unnerving and troubling in its scope and implications. The cybersecurity statistics are jarring. CNBC’s most recent survey in April 2016, indicated that null and are not prepared to handle a major attack. The worst part of the survey results is that 40% said they feel no responsibility for the consequences of being hacked. Leaders of an organization, including CEOs, CIOs, board members and executives are still struggling to define responsibility for customer data. They have transferred this burden to the CISO (Chief Information Security Officer) and the IT department. This trend is problematic.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
April 26, 2016