TAC Talk Episode 2: Cyber Security Insurance

A conversation with TAC President Peter Schay, and TAC Founder Alan Guibord, a frequent speaker on IT leadership, organizational strategy, future trends in IT, and cybersecurity.

Recorded July 16, 2015

What to Do When Your Biggest Threat to Security is a Well-Intentioned Employee

By: Rick Derouin, TAC Executive Consultant

We all make mistakes. Often, we don’t realize the full ramifications of our actions until we have that “oh no” moment after something has already gone wrong. In a business environment, there may be a large number of employees with enterprise access and multiple platforms, and society’s constant impetus to move to the latest device (which may not be an “official” device) poses a constant threat to security, especially from well-intentioned but security-challenged employees.

Unfortunately, employees tend to forget or disregard policies, especially mobile security policies, so they may engage in risky behavior without thinking about it. They’re generally unaware of the potential risks, and often treat their mobile device like their company PC, assuming it’s secured by IT. In an interview with The Wall Street Journal, the chief information security officer of Blackstone Group LP stated, “The No. 1 most significant risk to every organization is your well-intentioned, non-malicious insider who is trying to do the right thing for the organization and makes a stupid mistake.”

What Makes Well-Intentioned Employees Dangerous

Employee threats are sometimes hard to spot, but there are a few warning signs you can look out for. Does the employee instantly access information on their device? There’s a good chance they’re not using a passcode. Were they hired recently or do they miss meetings regularly? They may not have been counseled on the mobile security policy. Do they use multiple devices or a different device type than you’re managing? You may have an unsecured device problem.

Most employees aren’t malicious. They aren’t a deliberate security threat; they just don’t understand that what they’re doing is wrong. Here are the top six mistakes well-intentioned employees make that are a threat to security:

  • Accessing unsecured Wi-Fi
  • Using login credentials on shared or unsecured devices
  • Failing to use a passcode on devices
  • Saving company information to personal devices or cloud storage
  • Inadvertently forwarding sensitive information
  • Taking company information or login credentials with them when they leave

Mitigating the Risk Well-Intentioned Employees Represent

From a security perspective, people are hard to manage; they do all sorts of things when you aren’t looking and you can’t watch them every minute of every day. Still, there are some things you can do to educate employees and manage devices for a more secure mobile environment. Here are four steps you should take to mitigate the risks of a well-intentioned employee:

  • Create well-defined policies.
  • Set device limits.
  • Implement a mobile device management solution.

The nice thing about malicious threats to security is that dealing with them is black and white. They don’t have good intentions, and you don’t want them anywhere near your data. Dealing with the threat of well-intentioned employees is more difficult, because you want them to have access to information, but there’s always a chance that they might misuse it. It can be hard for IT personnel to understand why employees do the things they do, but remember that not everyone understands the risk. Try to put yourself in their less-educated shoes, and safeguard against their mistakes before they make them.

Rick Derouin, TAC Executive Consultant, has more than 35 years of experience in the IT and telecommunications industries, with the past 12 years focused on increasing clients’ business benefits from investments in communications technology and services and ensuring clients need what they have and are paying the best possible price. He has designed and implemented innovative approaches to performance measurement, benchmarking, and alignment of technology for increased communications (voice and data) effectiveness. Mr. Derouin began his career with 10 years at IBM; in the last 15 years of his vendor career he was Senior Vice President of TeleGlobe, Vice President of AT&T Public Sector Markets, World Wide Vice President of Steltor, and Global Vice President of Oracle’s SWAT Team.

The Anthem Hack: Sophisticated? Maybe, Maybe Not.

by Jim Noble, Director TAC International

The news on Wednesday that Anthem’s systems had been compromised ranks among the largest such breaches ever. Simply on the basis of the number of people affected, it is double the size of the Target incident. But therein lies the complexity of this subject. Many companies suffer a breach, but it is not “material” in a business risk context, and so it attracts little publicity. The formula says Materiality = Threat × Vulnerability × Consequence.

While the Threat is widely acknowledged, there seems to be widespread denial of the Vulnerability. As in the case of Sony, it is tempting to pardon this sort of lapse as “inevitable and inescapable” because of the sharply focused and sophisticated nature of the attack. But that is a pathetic excuse, and deserves a robust challenge in a lawsuit on the basis of neglect of their fiduciary Duty of Care on behalf of their shareholders. Instead of taking the issue seriously and dealing with basic deficiencies, companies are throwing technology (hardware and software products) at the problem and installing more and more sophisticated equipment, which is often poorly configured and managed. If you look at the root causes of healthcare breaches on HHS.gov you will be amazed at how trivial most are. But companies always say they were the subject of a sophisticated attack. I guess this protects against negligence lawsuits. Healthcare breaches have continued to increase after HIPAA was implemented.

That complacency also extends to Consequences. For companies handling credit card data such as Target, Home Depot & TJ Maxx, the consequences were fraudulent transactions on their customers’ accounts, which can be addressed by the card issuers, or credit watch companies like Equifax. For companies with sensitive intellectual property like Sony Pictures Entertainment, knowing what has been stolen helps them to take steps to mitigate the consequences. In the case of Anthem, the consequences could be much more serious, because the personal data could result in identity theft, which is a more complex situation to recover from.

So how is it that avoidable incidents keep happening? How could Home Depot and Neiman Marcus fall into the same trap that Target did months earlier? Could it be that this is not considered material enough to spend money on both the technology (to prevent & detect data losses) and the human behavioral changes needed to minimize incidents? Maybe it is just the cost of doing business, and we should just buy insurance to cover for the results of incompetence.

Cyber Crime – Why “Prevent, Detect, React” Doesn’t Work

by Jim Noble, Director, TAC International

While I am accustomed to presenting to IT audiences and university students, last week I had a most unusual audience. The occasion was the annual conference of the New York Stock Exchange, and the audience consisted of 450 Directors of the Boards of NYSE member companies.

They are accustomed to thinking of business risk in terms of their familiar frame of reference. So cyber crime is just another business risk, comparable with physical crime. My message was rather stark – thinking in that frame of reference is a serious mistake, and contributes to much of the complacency we see in businesses everywhere. With physical crime, you lose something (e.g. an asset). You know that you have lost it, and you do something about it. So fraud, theft, etc. are relatively easy to discover. But businesses are becoming increasingly digital, and with cyber crime nothing goes missing. Your assets (e.g. intellectual property) are still where you left them, and there is no evidence of compromise. Cyber criminals copy the asset, rather than taking it away. This contributes to the phenomenon “It takes them minutes to break in, and it takes a company weeks or months to discover the incursion”.

Actually, it is worse than that. Most companies never discover that they have been compromised, and it is virtually impossible to block a determined, sophisticated attacker.

So the conventional wisdom in digital security of “Prevent, Detect, React” rarely applies – you can’t prevent, you probably won’t detect, and so how could you possibly react?

I don’t want to spread fear, uncertainty and doubt; but I was determined to shake these Board members out of their complacency! So I tried to balance the bad news with some good news – while it is impossible to defend all your petabytes of digital assets equally, it is possible to defend the crown jewels (the 5% or so that really matters, such as your Board meeting minutes, your M&A plans, your product R&D, your Q2 results due to be published tomorrow…). I asked how many companies had a data classification scheme, allocating (say) Unclassified, Restricted, Confidential and Secret categories to their data. You guessed – almost none of the companies did this. The usual rebuttal is that their company is not a bank, or a military contractor, or the White House… and so it is not a target for cyber crime. But of course that is a popular misconception, and even if your company is not the primary target, you might be a supplier to another company that is, and your privileged access is what the bad guy wants.

So I rest my case with the famous quote from the Director of the US National Security Agency – “You don’t know when they were there, when they left, what they took, and what they left behind”. And until you acknowledge that, you will leave gaps in your defenses or your monitoring that the bad guys will easily exploit. The recent case of Edward Snowden was a good example of this. His employers thought that his government clearance of Secret and his exemplary record were sufficient controls for a Systems Administrator with proper access to highly sensitive data, but they could easily have implemented “a separation of duties” to block data access without at least two authorized people. Now that their awareness has been raised, I think security will be better in future.
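The two controls the post recommends, a four-level data classification scheme and a separation of duties that blocks access to the most sensitive data without at least two authorized people, can be expressed as a small access gate. The following is an added illustration, not code from TAC or from the post’s author: it uses the Unclassified, Restricted, Confidential and Secret labels named above, refuses to release a Secret asset unless a second, distinct, cleared person co-approves, ignores administrator status on purpose (an administrator is still one person), and writes every decision to an audit trail so that a lone access attempt leaves evidence. The users, asset names and the `AccessGate` class are constructed for the example.

```python
"""Data classification with a two-person rule for the Secret tier.

Added example, not code from TAC or the post's author. It models the
four-level scheme named in the post and a separation-of-duties rule under
which a Secret asset is released only when a second authorized person
co-approves the read. Every decision, allowed or denied, is appended to an
audit trail. All users and assets below are constructed sample data.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Tuple


class Classification(IntEnum):
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Principal:
    user_id: str
    clearance: Classification
    is_admin: bool = False  # grants no bypass: an admin is still one person


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Classification


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessGate:
    """Enforces clearance checks plus dual authorization for Secret data."""

    def __init__(self, directory: Dict[str, Principal]) -> None:
        self.directory = directory
        # (requester, asset, allowed, reason) for every attempt, so that
        # denied attempts by a single administrator are visible afterwards.
        self.audit_trail: List[Tuple[str, str, bool, str]] = []

    def evaluate(self, requester_id: str, asset: Asset,
                 approver_ids: Tuple[str, ...] = ()) -> Decision:
        decision = self._decide(requester_id, asset, approver_ids)
        self.audit_trail.append(
            (requester_id, asset.name, decision.allowed, decision.reason))
        return decision

    def _decide(self, requester_id: str, asset: Asset,
                approver_ids: Tuple[str, ...]) -> Decision:
        requester = self.directory.get(requester_id)
        if requester is None:
            return Decision(False, "unknown requester")
        # Rule 1: the requester's clearance must meet the asset's label.
        if requester.clearance < asset.classification:
            return Decision(False, f"clearance {requester.clearance.name} "
                                   f"below {asset.classification.name}")
        # Rule 2: below Secret, the clearance check alone is sufficient.
        if asset.classification < Classification.SECRET:
            return Decision(True, "single-person access within clearance")
        # Rule 3: Secret data needs a second, distinct, Secret-cleared
        # approver. Self-approval and unknown or under-cleared approvers
        # do not count; is_admin is deliberately never consulted.
        valid_approvers = sorted(
            uid for uid in approver_ids
            if uid != requester_id
            and uid in self.directory
            and self.directory[uid].clearance >= Classification.SECRET
        )
        if not valid_approvers:
            return Decision(False,
                            "Secret asset requires a second authorized approver")
        return Decision(True, f"dual authorization by {requester_id} "
                              f"and {valid_approvers[0]}")


# Constructed sample directory and assets (not real people or documents).
DIRECTORY = {
    "sysadmin": Principal("sysadmin", Classification.SECRET, is_admin=True),
    "cfo": Principal("cfo", Classification.SECRET),
    "analyst": Principal("analyst", Classification.CONFIDENTIAL),
}
BOARD_MINUTES = Asset("board-minutes-sample", Classification.SECRET)
PRICE_LIST = Asset("public-price-list", Classification.UNCLASSIFIED)


def run_demo() -> Tuple[Decision, Decision, Decision, Decision, Decision]:
    gate = AccessGate(DIRECTORY)
    solo_admin = gate.evaluate("sysadmin", BOARD_MINUTES)                      # denied
    self_approved = gate.evaluate("sysadmin", BOARD_MINUTES, ("sysadmin",))    # denied
    dual = gate.evaluate("sysadmin", BOARD_MINUTES, ("cfo",))                  # allowed
    low_clearance = gate.evaluate("analyst", BOARD_MINUTES, ("cfo",))          # denied
    public = gate.evaluate("analyst", PRICE_LIST)                              # allowed
    return solo_admin, self_approved, dual, low_clearance, public


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The point of the design is that the second person is a control on the requester, not on the asset: clearance decides who may see a label at all, while the approver set decides whether this particular read of a Secret asset happens, and the audit trail records the attempt either way.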

Will it take an incident at your company before you take this seriously?

What is your company doing to deal with cyber crime?

You Think Your Data is Secure? – Think Again.

by Jim Noble, Director, TAC International

It is no secret that over the last few months, there has been a torrent of cyber security stories hitting the press:

  • Syrian Electronic Army takes down New York Times website for 24 hours because the Times ran an article on “US Military Options in Syria”.
  • Booz Allen Hamilton, Edward Snowden’s employer, claimed that he had every right to access the sensitive government data in his role as systems administrator, and they couldn’t possibly have known of his support for WikiLeaks.
  • In a three-year operation, hackers linked to China’s military infiltrated US defense contractor QinetiQ’s computers and compromised most if not all of the company’s research. QinetiQ makes satellites, drones, and software used by U.S. Special Forces in Afghanistan and the Middle East.
  • Hackers routinely access the hard drives of the photocopiers in the airport lounges of Hong Kong airport, using the remote diagnostics port.
  • A hacking gang targets vehicles being returned off-lease by CEOs, and downloads the contents of the on-board hard drive to get synchronized smartphone data.
  • Motorola’s new smartphone Moto X just released this month will have an always-on listening mode. The hacking community responded by saying that they have been doing that routinely with most models of smartphones.
  • Social Network passwords compromised – millions of IDs and passwords offered for sale on the Internet. Experts say that breaking your business password could take days, but that can shorten to seconds if the attacker knows your social network password.

Should the prevalence of cyber security stories worry your company or you personally? You bet it should! The scary thing is that even with all of the media attention, there are thousands of breaches taking place daily that do not show up in the news. In many cases the hacked companies and individuals don’t even know they’ve been compromised! The Director of the US National Security Agency said it best with this quote “You don’t know when they were there, when they left, what they took, and what they left behind.”

Let’s face it – there is no realistic way for you to prevent a determined attacker from stealing your sensitive data, other than stopping using your phones & computers. So get used to it; the cyber genie is out of the bottle and there is no way of putting it back. The sooner that you (and your company) get out of denial and accept that inevitable fact, the sooner you can start to do something constructive about it.

This awakening has already taken place in The White House, NASA, the Jet Propulsion Labs, Sony (PlayStation), RSA, The Wall Street Journal, Lockheed Martin, and the list goes on and on. What do they all have in common? They have all suffered numerous hacking attacks and have come to the realization that it would be both impossible and cost prohibitive to even attempt to completely prevent a recurrence, and so they have instituted mechanisms to detect and react to future events. These mechanisms take many forms and companies hold these secrets as highly confidential (if they were obvious, or made public, the bad guys would find a countermeasure quite quickly).

What are you doing to prevent security breaches? And is it enough?

NSA Foils Data Encryption, Hackers Likely to Follow

I’m sure that you’ve heard today’s news about the NSA’s work to break encryption and gain access to corporate and individual data. Not that you have anything to hide, but if the NSA can get to your data, odds are that soon there will be hackers out there that will be able to, and in some cases, depending on your current security protocols, may already have. With companies storing more and more business data and personal information in the cloud and on internal servers, both of which could be compromised in any number of ways, now more than ever, the issue of cyber security impacts all types of enterprises regardless of size or industry.

TAC has introduced a new concierge service around cyber security, designed to cater to businesses that do not have the in-house expertise to deal with cyber threats and/or would not normally be able to afford cyber security teams internally.

TAC Expertise-as-a-Service (EaaS) is designed to work with companies and organizations of any size to provide world-class expertise, advice and information in strategic, tactical, operational and functional IT, previously available only to large corporations with deep pockets.

If you’re paranoid (or not paranoid enough) about your cyber security, or your career hinges on you and your team’s ability to keep data out of the hands of the “bad guys”, then you owe it to yourself to find out more about TAC’s Cyber Security Concierge Service.