This week I attended an excellent conference on Cyber Security. TakeDownCon run by EC-Council and hosted by the UConn School of Business in Stamford, CT provided great speakers with separate tracks for CISOs and technologists. I highly recommend an EC-Council event if you’re looking to learn more about Cyber Security or obtain certifications.
In 2015 over 169 million personal records were exposed as a result of cyber intrusions; the result of more than 780 publicized breaches across education, healthcare, government and financial sectors. The average cost per stolen record exceeded $150. In the healthcare sector the cost per stolen record was $360. Despite the rising threat posed by foreign governments, hacktivists, and cyber criminals only 38% of global organizations report they are prepared to handle a sophisticated cyber attack.
Here are some key takeaways from the conference:
· Companies are not framing the issues of cyber risk in business terms. This creates a disconnect with senior executives and the Board of Directors. Cyber programs produce volumes of data and dashboards, but do little to describe Cyber Security issues in business terms. As a result many programs remain underfunded and understaffed despite the growing threat landscape.
· An effective cyber program cannot be implemented until a company knows where all of its data is, who would want to access it and why. As computing becomes more distributed (through Cloud and mobile) it becomes harder to identify where all the data is. The growing number of endpoints increases the cyber threat. Many companies cannot identify how many servers they have and where all of their data is located.
· There is an inherent tradeoff between security and convenience. Senior executives are often unwilling to sacrifice convenience for better security. Weak passwords, poorly administered systems, and the proliferation of devices with poor security controls are examples of vulnerabilities that stem from the desire for convenience. Hackers exploit these vulnerabilities with relative ease.
· There are hundreds of vendors selling security products and services. According to the experts most of these are of limited use. Security products are implemented without a properly designed risk management framework; in essence many companies throw technology at the problem only to find that they are still vulnerable to hackers. Products end up providing a false sense of security unless the company has learned how to manage risk.
· The majority of cyber attacks result from exploiting human behavior, e.g. opening email attachments which install malware. Companies are beginning to develop analytics to examine and predict behavior and identify employees who may attempt to steal corporate information. These analytics examine online behavior, badge in/out times, login times, system use, files downloaded/copied, social media activity and other HR related data to profile employees. These behavioral analytics are a new line of defense for companies and may become a Cyber Security best practice as they evolve.
· Effective CISOs can add business value beyond protecting the company. A CISO at a major retailer installed thermal imaging on in-store cameras to analyze the traffic patterns of shoppers. Company executives used this data to tailor product placement based on traffic flow. By placing high margin items in strategic high traffic locations the company increased profit by 4%.
· US law prevents companies from using certain techniques that could help thwart cyber attacks. Federal and State computer crime laws make it illegal to hack (unauthorized access to a computer system). As a result, US companies are unable to deploy probes or take offensive action for fear of being prosecuted. Companies have hired foreign groups to deploy cyber “weapons” hoping to prevent future hacks. There is effort to create legislation to allow companies and civilians to act in their own defense without fear of prosecution.
Despite the amount of investment and innovation in Cyber Security technology, the threat landscape is widening and the risk of a data breach is increasing. Humans are the problem; our lack of understanding about Cyber risk coupled with our desire for convenience create opportunities for bad actors. The expanding role of the CISO is critical to engaging, educating, and helping senior executives effectively address cyber risk. As one speaker put it - there are two kinds of companies; those that have been hacked, and those that don’t yet know they’ve been hacked.
In another blog post I’ll dive into more details about Cyber risk and its ties to resilience.