How Not To Waste A Trillion Dollars On Cybersecurity


It’s budget season. As the current fiscal year comes to a close, business leaders everywhere will convene to discuss business strategy, opportunities and return on investment (ROI) while prioritizing next year’s budget spend. Amidst the planning and prioritization, it is a safe bet that IT organizations will renew their annual request for an increased budget allocation for security. After all, increasing cybersecurity spend will stop the attackers from compromising their infrastructure next year, right?

Cybersecurity Ventures recently predicted that global cybersecurity spending will increase steadily to exceed $1 trillion from 2017 to 2021. But the news site also claimed that the cost of cybercrime around the world will rise to $6 trillion annually by 2021. Something seems wrong with any prediction that correlates increased spending on prevention with increased damages from successful penetration of those same defenses. That’s not because I disbelieve the numbers but because they show how truly broken the legacy approach to cybersecurity is. The industry has literally gone decades with no real improvement. How is this acceptable?

It is time we shined a light on the industry’s worst kept secret: Throwing more money at the problem simply does not keep attackers out or breaches from happening. It is a good bet both things will continue to happen. What’s more disconcerting to consider is that they have already happened and you just simply don’t know it yet.

Why The Math Doesn’t Add Up

The problem isn’t solely centered on technology; there have been many significant innovations in the cybersecurity industry in recent years. For many companies, the elephant in the room is treating security as only a technology problem. Just look at Facebook’s current situation. Modern-day CISOs have increasingly found themselves helpless to effect real change in securing an organization’s data and infrastructure because they lack insight into the conditions that give rise to bad or risky behavior.

For instance, traditional IT security assumes everyone is a potentially malicious actor and therefore works to prove the guilt of someone who clicks suspicious links, visits dangerous websites or inappropriately accesses sensitive data. Not everyone is intentionally bad, but their behavior is a continuum that can change in an instant, especially when their identity is stolen. Even more basic, employees can make honest mistakes in today’s 24/7 culture. Pushing work-life balance to meet compressed deadlines, they may be too tired to recognize a phishing email compromising their credentials until after they clicked on it. What’s potentially more damaging, they could simply become disgruntled with their employer and decide to steal company data.

Investments focused on securing a constantly changing IT infrastructure do not address the unpredictability of human behavior. Instead, organizations need to make a fundamental change in their approach to cybersecurity and reprioritize budgets to align with this newly defined reality of our modern society.

Rethink Operations Budgets To Focus On Behavior

The first step is to stop thinking about security as solely a technical problem with technical solutions. Today’s sophisticated threat landscape is a rich, multifaceted organizational challenge that requires insight on how data is used across myriad business functions. Shifting the focus to understanding the behavior patterns of people and their interactions with technology provides clarity in regard to who is using sensitive data, why and from where.

Having a baseline for behavior, a digital rhythm or routine, can help security and business leaders better manage risk. If an employee is working normally on the job, IT can get out of the way. But if the behavior is inconsistent with the organization’s mission, IT can recognize the risk and quickly respond with coaching or stronger enforcement policies. Context matters. Security teams that only focus on securing computers and servers will miss the broader perspective and the signs of an incident or data breach until months after it happened.
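To make the “baseline for behavior” concrete, here is a small added example (not code from the article, and not any vendor’s product): it builds a per-user rhythm from a constructed login log (hour of day and source subnet per user), scores new logins against that baseline, and maps the result to the graduated response the paragraph describes (get out of the way, coach, or enforce). The log lines, user names, subnets and the one-hour tolerance are invented for illustration; the same idea is what the “Top ten predictions” piece further down calls Entity and User Behaviour Analytics.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of successful logins: (user, ISO-8601 timestamp, source IP).
# Made-up training data for this example, not anything from the article.
BASELINE_LOG = [
    ("alice", "2018-11-05T09:12:00", "10.1.4.22"),
    ("alice", "2018-11-06T08:55:00", "10.1.4.22"),
    ("alice", "2018-11-07T09:30:00", "10.1.4.23"),
    ("alice", "2018-11-08T17:45:00", "10.1.4.22"),
    ("bob",   "2018-11-05T22:10:00", "10.1.9.5"),
    ("bob",   "2018-11-06T23:05:00", "10.1.9.5"),
    ("bob",   "2018-11-07T21:50:00", "10.1.9.6"),
]

# Constructed logins to triage against the baseline.
NEW_LOGINS = [
    ("alice", "2018-11-09T09:05:00", "10.1.4.40"),    # routine: office hours, same LAN
    ("alice", "2018-11-10T03:20:00", "10.1.4.22"),    # odd hour only
    ("alice", "2018-11-10T03:25:00", "203.0.113.9"),  # odd hour from an unseen network
    ("bob",   "2018-11-09T22:30:00", "10.1.9.5"),     # routine: bob works nights
    ("carol", "2018-11-09T10:00:00", "10.1.4.22"),    # nobody has profiled carol yet
]


def subnet(ip):
    """Coarsen an IPv4 address to its /24 so a new desk on the same LAN is not an anomaly."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def build_baseline(events):
    """Per-user 'digital rhythm': hours of day and source subnets seen in the training window."""
    profile = defaultdict(lambda: {"hours": set(), "subnets": set(), "logins": 0})
    for user, ts, ip in events:
        p = profile[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["subnets"].add(subnet(ip))
        p["logins"] += 1
    return dict(profile)


def hour_distance(a, b):
    """Circular distance between two hours of day (23:00 and 00:00 are one hour apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(profile, user, ts, ip, tolerance=1):
    """Return the ways this login deviates from the user's baseline (empty list = routine)."""
    p = profile.get(user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if all(hour_distance(hour, h) > tolerance for h in p["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    if subnet(ip) not in p["subnets"]:
        reasons.append(f"unseen source subnet {subnet(ip)}")
    return reasons


def recommend(reasons):
    """Map the number of deviations to the graduated response described in the article."""
    if not reasons:
        return "allow"      # working normally: IT gets out of the way
    if len(reasons) == 1:
        return "coach"      # a single deviation: confirm with the user, nudge, educate
    return "escalate"       # several deviations at once: enforce policy and investigate


def triage(events, profile=None):
    """Score a batch of new logins; returns {(user, ts, ip): (reasons, action)}."""
    profile = profile or build_baseline(BASELINE_LOG)
    out = {}
    for ev in events:
        reasons = score_event(profile, *ev)
        out[ev] = (reasons, recommend(reasons))
    return out


if __name__ == "__main__":
    for (user, ts, ip), (reasons, action) in triage(NEW_LOGINS).items():
        print(f"{user:6} {ts} {ip:14} -> {action:8} {reasons}")
```

Two design points matter in practice: the baseline is built only from a window the team believes was clean, so a compromised account is not baked into “normal”; and “coach” sits between allow and enforce on purpose, because one deviation (an early start, a hotel network) is far more often a human than an attacker, and the right first response is a question, not a lockout.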

The cybersecurity skills gap has been another area where the security industry is struggling. With more seats to fill than there are educated and experienced people to fill them under the traditional model of cybersecurity, many cyber issues have arisen from simply lacking the time and manpower to find and resolve threats before they impact businesses. Businesses will always need skilled workers, but they can leverage automation and behavior analytics to help lighten the load.

Security leaders will also be more effective if they establish functional partnerships and strategic programs with human resources and legal teams. The HR and legal departments share the mission to secure the organization’s data and people. These business functions have a vested interest in user and data protection, from preventing confidential information from falling into the wrong hands to protecting the workforce by ensuring compliance, employee privacy, and safety.

It is no real surprise that the cybersecurity industry has been so resistant to changing its approach. Continuing reports of breaches are good for budget increases. But it’s clear this model is not good for global business, as breaches cost economies billions of dollars each year. It is time for a paradigm shift in the cybersecurity industry. When we understand people and their interaction with data, then we have the tools to mitigate cybersecurity risks before any real damage can be done.

Author: Matthew Moynahan
Source: Forbes

Top ten cybersecurity predictions for 2019


Cybercrime, DDoS, IoT – what should you pay attention to next year?

1. Increase in crime, espionage and sabotage by rogue nation-states

With the ongoing failure of significant national, international or UN level response and repercussion, nation-state sponsored espionage, cyber-crime and sabotage will continue to expand. Clearly, most organisations are simply not structured to defend against such attacks, which will succeed in penetrating defences. Cybersecurity teams will need to rely on breach detection techniques.

2. GDPR – The pain still to come

The 25th of May, 2018 has come and gone, with many organizations breathing a sigh of relief that it was fairly painless. They’ve put security processes in progress and can say that they are en route to a secure situation – so everything is OK?

We are still awaiting the first big GDPR penalty. When it arrives, organizations are suddenly going to start looking seriously at what they really need to do. Facebook, BA, Cathay Pacific, etc. have suffered breaches recently, and will face different levels of corporate cost as a result, depending on which side of the May 25th deadline they sit. So GDPR will still have a big impact in 2019.

3. Cloud insecurity – it’s your head on the block

Cloud insecurity grew in 2018 and, unfortunately, it will carry on growing even more in 2019. Increasing amounts of data are being deployed from disparate parts of organizations, with more and more of that data ending up unsecured.

Despite the continual publicity around repeated breaches, the majority of organizations do not have good housekeeping deployed and enforced across their whole data estate in the cloud. To give an idea of the scale, Skyhigh Networks research indicated that 7 percent of S3 buckets are publicly accessible and 35 percent are unencrypted.
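One concrete piece of the “housekeeping” this paragraph refers to is an inventory audit that counts buckets the way the Skyhigh statistic does: publicly reachable, or without default encryption. The Python below is an added example, not code from the article or from Skyhigh Networks. It runs over a constructed inventory whose records imitate the shape of the S3 API responses a collector would gather (bucket policy, ACL grants, public access block, default encryption), so it works offline; the rule for how the public access block flags neutralise a public policy or ACL is a deliberate simplification spelled out in the comments, not a full re-implementation of AWS’s evaluation logic.

```python
# Group URIs AWS uses for "everyone" and "any AWS account" in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed inventory; names, IDs and contents are invented for this example.
SAMPLE_BUCKETS = [
    {   # world-readable by policy, no public access block, but encrypted
        "name": "web-assets",
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::web-assets/*"}]},
        "acl": [],
        "public_access_block": {},
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    },
    {   # fully private, but no default encryption configured
        "name": "backups",
        "policy": None,
        "acl": [{"Grantee": {"ID": "owner-canonical-id-EXAMPLE"}, "Permission": "FULL_CONTROL"}],
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "encryption": None,
    },
    {   # stale AllUsers ACL grant, neutralised by IgnorePublicAcls; KMS-encrypted
        "name": "logs",
        "policy": None,
        "acl": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}],
        "public_access_block": {"IgnorePublicAcls": True},
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    },
    {   # wildcard principal scoped by a Condition, so not counted as public here
        "name": "quarantine",
        "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                                  "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::quarantine/*",
                                  "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]},
        "acl": [],
        "public_access_block": {},
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    },
]


def policy_grants_public(policy):
    """True if any Allow statement has a wildcard principal and no Condition narrowing it."""
    if not policy:
        return False
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a policy may carry a single statement object
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if wildcard and "Condition" not in stmt:
            return True
    return False


def acl_grants_public(grants):
    """True if the ACL grants anything to AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS) for g in grants)


def is_public(bucket):
    """Simplified rule: RestrictPublicBuckets cancels a public policy, IgnorePublicAcls a public ACL."""
    pab = bucket.get("public_access_block") or {}
    via_policy = policy_grants_public(bucket.get("policy")) and not pab.get("RestrictPublicBuckets", False)
    via_acl = acl_grants_public(bucket.get("acl") or []) and not pab.get("IgnorePublicAcls", False)
    return via_policy or via_acl


def is_unencrypted(bucket):
    """True unless a default server-side encryption rule (SSE-S3 or SSE-KMS) is configured."""
    rules = (bucket.get("encryption") or {}).get("Rules", [])
    return not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
                   for r in rules)


def audit(buckets):
    """Return per-bucket findings and the estate-wide percentages the article quotes."""
    findings = {}
    for b in buckets:
        issues = []
        if is_public(b):
            issues.append("public")
        if is_unencrypted(b):
            issues.append("unencrypted")
        findings[b["name"]] = issues
    n = len(buckets) or 1
    summary = {
        "public_pct": round(100 * sum("public" in v for v in findings.values()) / n, 1),
        "unencrypted_pct": round(100 * sum("unencrypted" in v for v in findings.values()) / n, 1),
    }
    return findings, summary


if __name__ == "__main__":
    findings, summary = audit(SAMPLE_BUCKETS)
    for name, issues in findings.items():
        print(f"{name:12} {issues or 'ok'}")
    print(summary)
```

The point of the check is enforcement across the whole estate, not a one-off: run it from the inventory on a schedule, treat a non-empty finding as a ticket, and prefer fixing the account-level public access block and default encryption over chasing individual buckets.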

4. Single factor password – the dark ages

As if we need the repetition, single-factor passwords are one of the simplest possible keys to the kingdom (helped by failure to manage network privileges once breached). Simple passwords are the key tool for attack vectors, from novice hackers right the way up to nation-state players. And yet they still remain the go-to security protection for the majority of organizations, despite the low cost and ease of deployment of multi-factor authentication solutions. Sadly, password theft and password-based breaches will persist as a daily occurrence in 2019.

5. Malware – protect or fail

Ransomware, crypto mining, banking Trojans and VPNFilter are some of the key malware challenges that continue to threaten businesses and consumers. Live monitoring by Malwarebytes, Kaspersky and others has shown that the mix of threats varies during the year, but the net result of malware threats will be a bad 2019.

Increasing sophistication will be seen in some areas such as ransomware, alongside new malware approaches and increased volumes of malware in other areas. Traditional AV will not provide sufficient protection. Solutions that have a direct malware focus are essential for organizations, alongside tracking of network activity (in and out of the network). With Cybersecurity Ventures predicting that ransomware damage costs will exceed $11.5 billion by 2019, it certainly won’t be going away. Oh yes, and make sure that your backup plan is working and tested.

6. Shift in attack vectors will drive cyber hygiene growth

The ongoing shift of attack vectors, from the network to the user, is causing a reappraisal of how to manage security. Driven partly by the shift in boardroom awareness, and partly by GDPR, many organizations are recognizing, perhaps belatedly, that their users are their weakest link. 

Not only is there a greater awareness of the insider threat from malicious current and ex-staff, but there is also a growing recognition that staff cyber awareness and training is a crucial step in securing this vulnerable area. The response from organizations will take the form of cyber education, coupled with testing, measuring, and monitoring staff cyber behavior. Increasingly, Entity and User Behaviour Analytics (EUBA) systems will be adopted, alongside training programs and automated testing, such as simulated phishing and social engineering attacks.

7. IoT – the challenge will only increase

We’ve already seen some of the security challenges raised by IoT, but 2019 will significantly demonstrate the upward trend in this area. Driven by the convenience and benefits that IoT can deliver, the technology is being increasingly deployed by many organizations, with minimal thought by many as to the security risks and potential consequences.

Because some IoT deployments are well away from the main network areas, they have slipped in under the radar. In the absence of a standard, or indeed a perceived need for security, IoT will continue to be deployed, creating insecurity in areas that were previously secure. For the greatest percentage of IoT deployments, it is incredibly difficult or impossible to backfit security. This means that the failure to segment on the network will further exacerbate the challenges IoT will create in 2019 and beyond.

8. Increasing risks with shadow IT systems and bad housekeeping

Shadow IT systems continue to proliferate, as do the number of applications and access points into systems, including legacy applications. In the case of shadow IT systems, these are indefensible as they are; and in the case of increasing applications and access points, if they relate to old or abandoned applications, they are difficult to identify and defend.

In both cases, these are an easy attack surface with significant oversight, internal politics and budget challenges, and were previously seen as a lower priority for resolution. However, there has been both an increased awareness of the opportunity for attack via this route, and an increase in the number of attacks, which will accelerate in 2019. 

9. DDoS – usually unseen, but still a nightmare

DDoS is the dirty secret for many organizations and attacks will continue to grow in 2019, alongside the cost of defending against them. Nevertheless, DDoS attacks aren’t generally newsworthy, unless a big name organization is involved, or the site is down for a long time. And, of course, the victim does not want to draw attention to their lack of defence. That’s not good for custom or for share prices.

The cost of launching an attack is comparatively low, often shockingly low, and the rewards are quick – the victim pays for it to go away. Additionally, cryptocurrencies have aided the money transfer in this scenario. Yet the cost for the victim is much higher than the ransom, as it involves system analysis, reconstruction and, naturally, defending against the next attack.

10. Cybersecurity in the boardroom

A decade, perhaps two decades, late for some organisations, cybersecurity is now considered a key business risk by the board. 2019 will see this trend accelerate as boards demand clarity and understanding in an area that was often devolved as a sub-component of the CISO’s role, and was not really a major topic for the boardroom. The financial, reputational and indeed C-suite employment risks of cyber breach will continue to drive board focus on cybersecurity up the agenda.

Author: Ian Kilpatrick
Source: ITProPortal

Ten key topics to cover in cybersecurity awareness training


Resource challenges and environmental contexts often force those in security to decide which method or methods to include in awareness campaigns – and in which quantities each should be employed.

In this post, we consider the four different types of security awareness training in turn, the pros and cons of each, and an alternative, increasingly favored approach.

1. Am I really a target?

Most cybersecurity awareness training begins by talking about security threats. It seems logical. But doing so may be a mistake – because of the human bias for optimism.

As people, we tend to harbour an inherent bias for optimism. Most of the time, it’s a helpful trait. When it comes to cybersecurity, though, our inherent bias for optimism means most of us struggle to imagine ever really being victims of cybercrime.

A good cybersecurity awareness campaign needs to address this upfront – because discussing threats is largely pointless unless message recipients believe the threats to be relevant and applicable to them. Cybersecurity awareness training should, therefore, begin by overcoming a key reservation to taking training seriously. It should begin by discussing why those taking the training are indeed targets.

2. Preventing identity theft

Identity theft remains the most prevalent form of cybercrime. As such, preventing identity theft is key to any good cybersecurity awareness training campaign. As well as information on preventing identity theft, cover the warning signs and the dangers of oversharing on social media.

It may also be worth demonstrating how simple it now is to steal an identity. Such demonstrations help make training emotional, and behavior change research shows emotions have an unrivalled ability to change the way people behave. Demonstrating how simple it now is to steal an identity can therefore change not just security awareness but security behaviors, too – which should be a key aim of any security awareness training campaign.

3. Passphrases and multi-factor authentication

Today, what constitutes a secure password is becoming increasingly clear. And yet, according to the password manager SplashData, 123456 is the most common password in use today.

Including information on passphrases (i.e., secure passwords that are easy to remember), as well as teaching users how to create and remember them, is essential in any cybersecurity awareness training campaign. Be sure to include information on multi-factor authentication and build in time for people to update old passwords during training.

Increasing security awareness is one thing – but changing security behaviors should be the real aim.

4. Public Wi-Fi

The ongoing rise of remote working coupled with an increase in the prevalence of unsecured public Wi-Fi, make training on public Wi-Fi essential.

It’s definitely worth including stories to highlight the personal and professional risks presented by unsecured Wi-Fi. Stories such as that of Howard Mollett, who reportedly lost £67,000 in a conveyancing scam, are unlikely to be forgotten.

However, to really drive training content home, consider demonstrating the additional personal benefits that come from using VPN, such as how to stream your favorite Netflix shows no matter where you are in the world!

5. Social engineering, including phishing and SMShing

The UK government’s 2018 cyber security breaches survey recently polled UK businesses on their experience of breaches. 75% of those that had suffered a breach had done so following “Fraudulent emails or being directed to fraudulent websites”, i.e. social engineering and/or some form of phishing. Cyber security awareness training should therefore give special focus to both phishing and social engineering as a whole.

It’s worth thinking about how social engineering training is delivered, too. Many companies today highlight the dangers of social engineering through simulated attacks, which test people’s response to attacks “live” in the workplace. Such attacks are backed by behavioural change theory: as well as being emotionally engaging, they help modify people’s schema. Put simply, they train people to expect attacks and, as such, help modify how people respond to genuine day-to-day threats.

6. Browsing securely

The green padlock no longer marks websites as safe to use – a fact few people outside of security actually know. Few people still have configured their browsers to avoid tracking or form auto-filling. Advice on browsing securely is therefore essential to any security awareness training programme.

Given behavioural change as an overall aim, it’s worthwhile going through step-by-step guides on browser configuration.  

7. Device security

As with passphrase management, device security is an area which most are familiar with. Most people know the importance of antivirus software and most know how important it is to keep firewalls running. And yet malware infection remains prominent year in, year out. Why?

Again, it seems as though awareness is failing to change behavior. In the past, tried and tested content on device security has failed, so security awareness training on device security needs to go beyond what’s been done before.

Framing device security training in terms of the personal benefits users can expect is usually a good idea. For example, CybSafe’s module on device security opens with the line “This module will help you save money by showing you how to set up your computer securely.”

8. Malware

Related to device security is content on malware, which should cover the different types of malware and how infections occur. As research shows we tend to ignore security warnings, it’s worth including information on the importance of heeding security warnings, or even going one step further and decoding what ambiguously written security warnings are actually trying to say.

Including content on the signs of infection is also crucial. On average, it takes 197 days to detect a data breach or malware infection linked to data loss – yet the warning signs are often clear.

9. Breach recovery

Most security professionals agree on the naivety of failing to plan for a data breach – yet information on breach recovery is seldom included in security awareness training campaigns. The depth of subject matter necessary will vary depending on the audience. At the most basic level, people need to know how to report breaches. When training security teams though, more detail will be needed.

10. GDPR and data privacy

The General Data Protection Regulation is a far-reaching regulation and one that leaves those who handle data with some additional responsibilities.

Security awareness training that covers GDPR and, most importantly, puts it into context for various areas of an organization, not only helps organisations comply with the regulation, but reinforces the importance of the secure processing of data – an essential point, but one which some seem to have forgotten.

All ten topics above are now covered in detail by the CybSafe platform, which updates not just as the threat landscape changes but also as your people’s security understanding and behaviours advance.

After learning about individual knowledge levels and behaviour patterns, CybSafe uses behavioural change insights to advance security awareness, behaviour and culture. At the same time, it uses machine learning to continually move key security metrics in the right direction, demonstrably reducing human cyber risk. To see how it works – as well as what’s included – arrange a free demonstration here.

Source: CybSafe

As digital threats grow, will cyber insurance take off?


Cyberattacks cost the world more than natural disasters – US$3 trillion in 2015, a price that may climb to $6 trillion annually by 2021 if present trends continue. But most people – and even most businesses – don’t have insurance to protect themselves against this rising threat.

Insurance against all kinds of risks – disease, disaster, legal liability and more – is extremely common. In the U.S., companies, families and even government agencies paid a combined $2.7 trillion in insurance premiums in 2016 – and received payouts totaling $1.5 trillion. But just $2.5 billion – 0.09 percent of the total spending – went to buy insurance against cyberattacks and hacking. Elsewhere in the world, there’s even less coverage. For instance, in 2017 the cyber insurance market in India was $27.9 million, or 0.04 percent of the total insurance premiums paid in the country that year.

From my research on cybercrime and cybersecurity over the past two decades, it is clear to me that cyberattacks have become increasingly sophisticated. The cyber insurance market’s extremely small size suggests that organizations and individuals might have underrated its importance. However, more and more internet users are finding reason to protect themselves. In 10 years’ time, insurance coverage for cyberattacks could be standard for every homeowner.

Who is buying cyber insurance?

Certain types of companies tend to have – or not have – cyber insurance. The larger the firm and the more closely it depends on computerized data, the more likely it is to have coverage against digital threats.

For a company, that can make sense, because a digital intrusion can cost hundreds of thousands or even millions of dollars to fix and recover from. For individuals, the costs of a breach are lower, but still significant – even as high as $5,000.

Regular people are far less likely to have digital protection than companies are. In India, personal cyber insurance is less than 1 percent of the total cyber insurance market. In the U.S. and elsewhere, most products are targeted at rich people. Insurers such as AIG, Chubb, Hartford Steam Boiler and NAS Insurance sell personal cyber insurance policies as add-ons to homeowners’ and renters’ insurance.

The insurance industry is doing more, too. A wide range of insurers such as Munich Re, AIG’s CyberEdge, Saga Home Insurance, Burns & Wilcox and Chubb all offer cyber insurance for individuals. These plans cover as much as $250,000 to repair or replace damaged devices and to pay for expert advice and assistance if a cyberattack affects a policyholder. They may also include data recovery, credit monitoring services and efforts to undo identity theft.

Even health services may be included: AIG’s new Family CyberEdge policy includes coverage for one year of psychiatric services if a family member is victimized by cyberbullying. Also covered is lost salary if the victim loses a job within 60 days of discovering cyberbullying. Some insurers offer policies that provide help to assess policyholders’ data security practices and scan for cyberthreats.

Emerging dangers

Another cybercrime that’s becoming increasingly common is called ransomware – in which malicious software takes over a person’s computer and encrypts his or her data. Then the program demands the victim pay a ransom – often in bitcoin or other cryptocurrencies – to get the data decrypted.

Some ransomware attackers don’t actually decrypt the data, even if they get paid – but that hasn’t stopped victims from paying big bucks – at least $1 billion in 2016 alone. Even so, there are insurers who sell coverage against ransomware, providing backup and decryption services – or even paying the ransom.

Image caption: Smart home technologies may be vulnerable to hackers. (Photo: mangpor2004/Shutterstock.com)

As smart home systems become more popular – as well as various technologies to monitor and help coordinate local government services – they’ll provide more potential entry points for hackers. An average home insured by AIG has 20 Wi-Fi-enabled devices. Replacing a hijacked home’s entire smart lighting system, smart entertainment center, thermostat and digital security devices will be expensive – and the bill will only be higher for communities using internet-connected streetlights, water meters, electric cars and traffic controls. Those are opportunities for insurance companies to step in.

Some current challenges

Before cyber insurance becomes more common, however, the insurance industry will likely have to come to some consensus about what will and won’t be covered. At the moment each plan differs substantially – so customers must conduct a detailed assessment of their own risks to figure out what to buy. Few people know enough to be truly informed customers. Even insurance brokers don’t know enough about cyber risks to usefully help their clients.

In addition, because cybercrime is relatively new, insurers do not have much data on how much various types of cybersecurity problems can cost to fix or recover from. They therefore tend to be conservative and overcharge.

As people become better-informed about the digital dangers in their lives, and as insurance companies are able to more clearly explain – and more accurately price – their coverage options, the cyber insurance market will grow and may expand rapidly. In the meantime, most policies have some degree of custom design, so consumers should be careful to look for policies that actually cover their needs, and not just evaluate plans based on cost.

Author: Nir Kshetri
Source: The Conversation

‘Data breach fatigue’ may breed complacency about online security


First, it was the Ticketfly hack in May. My email was among the 27 million accounts stolen from the events company.

According to the website Have I Been Pwned?, which monitors data breaches, my personal email has also been found in records stolen from sites like Tumblr and LinkedIn.

By the time the Ticketmaster and PageUp data breach notification emails landed in my inbox weeks later, my attitude had devolved from concern to extreme digital nihilism.

Am I suffering from data-breach fatigue?

Peter Singer, a strategist and senior fellow at New America who writes about cybersecurity, is worried that after all the hacks, data dumps and servers left unprotected, we may be tuning out.

Data breach fatigue

Troy Hunt, who runs Have I Been Pwned?, has seen the rate and size of data breaches grow since he founded the site in late 2013.

Rather than becoming fatigued, he suggested people simply accept such incidents are now “a normal part of online life”.

“I’m actually finding … that people are judging companies less on the fact they’ve had [a data breach], and more on how they’ve dealt with it,” Mr. Hunt said.

What should I do after a data breach?

  • Change your account password and get a password manager
  • Report financial losses to the Australian Cybercrime Online Reporting Network
  • Check your bank account for unusual charges
  • If your credit card details have been lost, contact your bank
  • Be alert to any phishing emails

— The Conversation

We don’t yet know much about “data breach fatigue” as a measurable phenomenon, agreed Cassandra Cross, an online fraud researcher at the Queensland University of Technology.

“I don’t really think we know … whether people are making choices to do things differently, [or] whether they’re just ignoring it,” she said, suggesting more work needs to be done.

Rui Chen, an information systems academic at Iowa State University, investigated consumer attitudes after online security incidents.

In 2015, the US Office of Personnel Management (OPM) lost more than 4.2 million personnel files, among other sensitive documents.

Dr. Chen and his team used sentiment-analysis tools to track the emotional content of 18,764 tweets containing the hashtag #OPMHack.

After events associated with the hack — from the initial breach announcement to the OPM director’s resignation — they saw a large drop-off in reaction.

In other words, Dr. Chen said, “we can see that the public is gradually losing interest in reacting to this news”.

The effects of ‘fatigue’

If people don’t take breaches seriously, they may not follow instructions to protect themselves, such as changing passwords or using credit-monitoring services.

But our understanding of how people do respond is limited.

“One thing could be there are just so many incidents of data breach happening … people consider it typical,” Dr. Chen speculated.

“It’s the norm of this digital world.”

These incidents can also feel quite abstract, Dr. Cross added.

Consider the compromising of more than 359 million MySpace accounts or more than 164 million LinkedIn accounts — these are almost unimaginable numbers.

For victims, there’s also a difference of perception between your details being lost or stolen and actual misuse of that information — in the form of identity theft, for example, which is estimated to cost Australia $2.2 billion each year.

“They’re just one small individual within an entire group, and they don’t feel that they are particularly valuable in terms of a target,” she said.

Real-world effects

New America’s Peter Singer suggested we won’t see decisive action from the government on these issues until breaches begin to have a dramatic impact in the physical world.

Connected devices, from fridges that can be accessed online to driverless cars, will make this more dangerous — and likely.

You might start caring more when a hacker uses stolen credentials to turn your lights on and off remotely.

“I think … what will inevitably happen is some type of bad outcome,” Mr. Singer added.

A badly handled data breach can also dent a company’s reputation.

Take Uber, which initially tried to cover up the exfiltration of the names, email addresses and mobile phone numbers of 57 million users.

Mr. Hunt also sees companies being judged harshly if a breach exposes their poor security posture, such as storing passwords in plain text without cryptographic protection.

On the flip side, he cited the Red Cross Blood Service’s reaction as “the gold standard” after it lost donor information in 2016.

The group was swift to act and tell the public — and was apologetic throughout.

As data breaches continue, Mr. Hunt hopes people will avoid fatigue and take control: get a password manager, make all passwords unique and turn on two-factor authentication.

“These are really basic things that we can all do, and they fundamentally change the impact of a data breach,” he said.

Author: Ariel Bogle
Source: ABC