[BreachExchange] Cybersecurity Myths Debunked

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 19 19:28:53 EDT 2017


https://www.natlawreview.com/article/cybersecurity-myths-debunked

Security incidents, loss of customer data, exposure of confidential
corporate assets, ransom demands, and similar stories are becoming daily
headlines, with the impacts being felt across a wide variety of industries.
We hear it every day. One need not go looking in the history books for
examples of significant and costly breaches of sensitive data maintained by
companies and other organizations. Large-scale and wildly divergent
security incidents are occurring all the time:

- In January 2017, a company that manufactures data extraction, transfer
and analysis devices for cellular phones and mobile devices was hacked
exposing nearly a terabyte of sensitive corporate data, including
information on its customers, its phone-cracking technology and other
sensitive information about the company’s products.

- In May 2017, it was reported that the online education platform was
breached, exposing the records for at least 77 million accounts, including
usernames, email addresses, and hashed passwords, all of which went up for
sale on the dark web.

- In July 2017, it was reported that the customer records for at least 14
million subscribers of a telecommunications company, including phone
numbers and account PINs, were exposed.

- In 2017, millions of computers worldwide were subject to the WannaCry
ransomware attack, considered to be one of the largest ransomware attacks of
its kind, impacting the data of companies worldwide.

In addition to the foregoing, the CIA, Yahoo, Equifax, the TSA, the US Air
Force, a national air carrier, a global audit, consulting, tax, and
advisory service provider, and a web performance, content delivery network,
and Internet security services provider have all been subject to highly
publicized cybersecurity breaches, and there appears to be no end in sight.

When a security incident strikes, we are all victims: both the data
subjects and the companies that have been breached. Each of these
incidents, and the many others like them, serves as a constant reminder of
the harm that security incidents can cause to both individuals and
companies. As a result, companies looking to avoid having their name added
to the ever-growing list of cybersecurity breaches should consider
reviewing and revising their existing security practices and protocols.

While the importance of cybersecurity has certainly become more widely
recognized over the last decade, in both the public and private sector, a
number of myths still permeate common perception. These myths have created
hesitance in the boardroom to take more proactive measures toward enhancing
cybersecurity efforts. Hopefully, by debunking some of the most common
myths, organizations can, once again, focus on making the company more
resilient to security incidents.

Myth #1:  “It’s all about the data”

- Security must be designed to account for not only the protection of the
data or information (including a company’s intellectual property), but for
the information system itself (including the people that monitor and access
the system). Security should be approached from both a holistic and
segmented perspective. By focusing only on certain components, or the data,
the entire system will be left vulnerable, which ultimately leaves
individual segments and data susceptible.

- Organizations also need to consider the reputational harm that results
from a breach. In the U.S., indirect costs, including lost business, the
cost to attract or retain customers, and the loss of confidence in a
company, often account for two-thirds of the cost of a data breach.

Myth #2: “It’s all about confidentiality”

- Confidentiality of information is only one element. Equally important
are the integrity and availability of the information. Integrity aims to
ensure that the information has not been altered, whether maliciously,
accidentally, or due to a system error; availability aims to ensure that
the information is accessible when needed.

Myth #3:  “To be a hacker, you must be a technology genius”

- Vast information and resources exist that allow even technical novices to
“hack” systems. Not all hackers are former technology geniuses gone rogue.
The average vulnerability has been known for more than 10 years, and
exploits for it are easily obtainable, which enables “script kiddies” and
other average, ordinary individuals to cause security incidents.

Myth #4:  “It’s an IT Department issue”

- The IT department may be responsible for devising the security mechanisms
to guard against external threats, but cybersecurity is an enterprise-wide
issue that requires buy-in and direction from the board and upper
management. Increasingly, board members are held responsible for neglecting
their fiduciary duties when they ignore cybersecurity in their
organization. Even if the IT department implements strict safeguards, the
strongest procedures will fail if employees are not educated on the
importance of security “hygiene,” as security is only as strong as its
weakest link.

Myth #5:  “I can achieve (need) 100% security”

- While there is no one-size-fits-all approach to security, it is also
impossible to achieve 100% security. One study estimated that an
organization that wanted to achieve the highest possible level of
cybersecurity, which itself was only capable of repelling 95% of attacks,
would have to boost its spending on cybersecurity nine times. The study
also found that just to stop 84% of attacks, organizations would have to
double their investments in cybersecurity.

- As security protections are increased, the usability of the secured
system decreases, and vice versa. Even if it was possible to stop 100% of
the attacks, the system would not be usable for its intended purpose.
Therefore, organizations should appropriately balance their security
efforts with usability, and focus on managing the residual risks that
remain after their investments.

Myth #6: “I’m safe. I have great security.”

- The biggest myth of all is the false belief that an organization is safe
because it has “great” security. Thousands of new viruses and exploits are
developed every day. According to an Imperva/Technion-Israel Institute of
Technology study, initial (zero-day) threat detection is only 5%.
According to a Verizon study, 83% of intrusions took weeks or more to
discover. According to a Trustwave Holdings study, the average time to
detect an intrusion is 210 days.

While security incidents due to hacking receive most of the attention in
the headlines, in reality, data breaches occur daily due to a wide number
of causes. Thus, a reasonable security program must be well-developed to
guard against external hackers, but it is also important to keep in mind
the impact of everyday actions, including one of the biggest threats facing
companies today: the risk from internal people and sources. This includes
rogue employees and malicious “insiders” who have access credentials and
knowledge of the company’s confidential information, as well as the
everyday employee who carelessly clicks on a link or sends a file outside
the organization in response to a phishing email.

While there is no such thing as perfect security, there are a number of
best practices that organizations should implement and principles to be
mindful of to help mitigate the risk of a security breach. This includes
the development of internal policies to protect confidential information,
including personal and sensitive information, along with intellectual
property. On a macro level, the most effective protocols are those that:
(1) restrict access to the information (i.e., via comprehensive network
security), (2) limit the number of people who know the information and have
those people sign non-disclosure or confidentiality agreements (i.e.,
employee agrees to confidentiality as part of their employment agreement;
third parties and business contacts sign NDAs), and (3) mark any written
material pertaining to trade secrets or protected IP as confidential and
proprietary and/or follow-up in writing if there is a verbal disclosure.
The following are additional considerations and suggestions for a more
effective cybersecurity program:

Common Components of Effective Security Policy Programs

1. Be aware of Federal and State requirements; tailor privacy policies as
applicable.

2. Designate people responsible for security in the organization.

3. Conduct security training for employees.

4. Take reasonable steps to ensure vendors/service providers protect data.

5. Consider minimizing data collection.

6. De-identify where possible.

7. Conduct a privacy or security risk assessment initially and periodically
thereafter.

8. Consider encryption, particularly for storage and transmission of
sensitive information.

Ten key elements of a cybersecurity risk management program

1. Incident management

2. User education and awareness

3. Managing user privileges

4. Manage home and mobile computer working environments

5. Removable media controls

6. Malware protection

7. Monitoring

8. Secure configuration

9. Network security

10. Cybersecurity insurance