Mind the gap: three actions to take today based on AT&T’s latest Cybersecurity Insights report

ByKayne

AT&T recently released volume 6 of their Cybersecurity Insights report, titled “Mind the Gap: Cybersecurity’s Big Disconnect.” You can download a copy of the report here.

The report helps to explain some of the reasons underlying the massive breaches we have seen this year. As Robert F. Kennedy once said, “Like it or not, we live in interesting times.”

To put this interesting year in context:

  • Half of the U.S. population became victims of identity theft due to malfeasance by Equifax.
  • All three billion Yahoo! users lost their passwords in the biggest hack ever.
  • Deloitte, one of the Big Four professional services firms that offer cybersecurity consulting, had their email hacked.
  • The NSA’s hacking tools were stolen twice in the same year and put to immediate use by criminals building cyberweapons like Petya/NotPetya and WannaCry.

Here are three things that organizations should do immediately based on the report’s findings:

1. Friends don’t let friends confuse cyber liability insurance with cybersecurity.

The most alarming revelation in the report was that more than a quarter of organizations appear to view cyber insurance as a substitute for cyber defense investment, rather than as one component of a multi-layered cybersecurity strategy. This pessimistic strategy cedes ground to criminals, has the potential to lower workplace productivity, and risks raising cyber liability insurance rates for everyone. Although cyber insurance policies often include funds for credit monitoring or identity-theft monitoring for affected individuals, they don’t compensate for the time that those victims will wait on hold with financial institutions, trying to clean up someone else’s mess when they’d otherwise be working productively at their offices.

Worse, Lloyd’s 2017 Emerging Risks Report, “Counting the Cost – Cyber Exposure Decoded,” found that losses from a cyberattack can be as large as those from a hurricane. The cyber liability insurance market is not generally standardized, and buyers often have trouble understanding what they’re buying, which can lead to underinsurance. Insurance companies are not charitable institutions. If firms choose a willfully negligent cybersecurity strategy in favor of large insurance payouts, cyber liability insurance rates will rise across the board, and we’ll see an increased number of demonstrable controls and requirements added to those policies. This is a short-term strategy.

Companies should hold cyber liability insurance with insurers that have a minimum A- credit rating from Standard and Poors (or an equivalent rating agency) and should hold a minimum coverage of $10 million. To reduce the risk of third-party breaches, companies should also request written copies of cyber insurance certificates from business partners and subcontractors on an annual basis at a minimum. Ideally, this would be coupled with an annual attestation report to confirm that third parties with access to company data or systems are still appropriate. As we learned with the Target breach, it takes just one contractor with privileged access to cause a serious breach.

 

2. Invest in consulting firms that have done this before.

The report found that at least half of all organizations surveyed admit they face skills gaps in three key areas: threat prevention, threat detection, and threat analysis. Just 56% of the U.S. respondents professed confidence in their ability to address cybersecurity challenges internally. Although most companies plan to increase hiring, there are not enough people to hire, and the International Information System Security Certification Consortium, or (ISC)², predicts that there will be a shortfall of 1.8 million cybersecurity workers by 2022.

Most organizations’ staff likely has limited market exposure to cybersecurity best practices. External consulting firms that work across industry verticals gain a unique perspective on what security practices to adopt and which ones to avoid. They can also provide trusted advice on where to invest limited budgetary dollars for the maximum increase in cybersecurity. The best consulting firms have hard ethical boundaries between advisory and implementation practice areas for their clients.

It’s important to differentiate between staffing firms and vendors’ professional services organizations. A staffing firm allows an organization to contract one or more people with some degree of cybersecurity expertise. However, as they have possibly not worked together before, have no external guidance or oversight, and are billing on an hourly basis, they’ll likely be waiting on your organization’s project manager to tell them what to do next. This is not a proactive or a consultative approach — it’s a hiring stop-gap. Vendors’ professional services organizations (PSOs) associated with a product or products should be treated with skepticism, as the primary function of a vendor PSO is generally to get the products deployed rapidly so that clients have an incentive to pay their maintenance or subscription fees next year. There are exceptions for both staffing firms and PSOs, but it’s important to have a general understanding of these types of organizations.

 

3. Get people emotionally invested in cybersecurity training.

AT&T’s report found that technology companies were leading the way in cybersecurity training, with 71% of respondents in this vertical market providing cybersecurity training to all their employees. Unfortunately, that’s only one market segment. As an attendee of multiple customer cybersecurity training classes (a side effect of contractual agreements) in multiple verticals, a lot of the cybersecurity compliance training available in the market is dull, uninspiring, and fails to connect with the audience.

Ask yourself: when was the last time someone was disciplined for subverting or violating your company’s security policy because he or she thought it was an impediment to doing their job? Too often there are minimal or no consequences for employees who break policy. Unfortunately, the Deloitte email breach was caused by a single administrator who disabled multi-factor authentication for his own email account. The Equifax breach was allegedly caused by an administrator who didn’t want to patch the software because it was too hard. There are numerous additional examples, many of which can demonstrably harm both the organization and the general public.

It’s time that employees realize that part of their job is to keep their employer secure. Failure to do so can lead to breaches that affect their own families, children, friends, and neighbors. Additionally, companies should no longer tolerate employees or executives who don’t follow the cybersecurity policy, as they increase the risks to everyone at the organization.

 

Taking these three actions immediately — investing in both cyber liability insurance and cybersecurity, investing in a trusted consulting firm, and getting people emotionally invested in cybersecurity training — will not prevent the next breach. However, these actions make it exponentially more expensive for criminals to breach your organization and are the socially responsible course of action to protect both your organization’s reputation and the public. By making it more difficult and expensive for criminals to breach organizations, we can reduce their profit margins and drive them out of business.

 

 

This post is brought to you by AT&T and IDG.

The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of AT&T.

Similar Posts

Moving Compliance From Paperwork To Automation

ByKayne

Understanding the risk to your business requires human intuition. But that doesn’t mean there aren’t a lot of things along the path to understanding risk that can’t be improved with automation. At Black Hat, David Spark spoke to Kayne McGladrey, field CISO, Hyperproof, about how having a security-focused company culture can help CISOs link their known risks to their controls in order to put their budget where it will have the most impact. This can allow organizations to operate within the reality that business risk and cyber risk are not separate things. With changing state regulations and rapidly advancing technology, staying on top of your risk in a simple and understandable way is more imperative than ever.

Opening keynote speech at the Seattle Electrical Conference

ByKayne

“I hope that you want to create safe products that benefit individuals and society, that make life better.

That you want to reverse course, and can advocate for security in face of lean IT, DevOps, and less money and less time and less people.

IEEE code of ethics includes the phrase “disclose promptly factors that might endanger the public or the environment”.

Not as strong as language as the other code of ethics I’m bound to follow as a CISSP, to “protect society, the common good, necessary public trust and confidence, and the infrastructure”

Regardless of which code of ethics you’re following, we have responsibility to society to turn this around.”

A lack of communications enables breaches and helps derail cybersecurity projects

ByKayne

When planning any migration or deployment of new technology, businesses should carefully consider the best way to communicate the intent and need of the new technology to those users affected by it, as well as to those who work in supporting roles. This article will examine the effects of communication (and lack thereof) on two different client projects.

Next-Generation Cybersecurity Defenses Coalesce for Space Systems

ByKayne

“There’s the cybersecurity threat and then there’s the real threat,” explains Kayne McGladrey, field chief information security officer (CISO) of compliance company Hyperproof, and senior member of the Institute of Electrical and Electronics Engineers (IEEE). “A cybersecurity threat is disruption, like when we saw the Russians invade Ukraine as part of their illegal war, they took down Viasat and not by attacking the satellites themselves, instead, they attacked the firmware of satellite modems on the ground.”