[BreachExchange] Leveraging Accountability to Fix Cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 6 21:51:04 EDT 2018


https://www.thecipherbrief.com/column_article/leveraging-accountability-fix-cybersecurity

When accountability is used as innovation, it not only drives social change
but also helps solve seemingly intractable problems. Cybersecurity is an
industry that can desperately use a dose of accountability-as-innovation –
and there are plenty of examples in U.S. industry it could follow.

Take CVS, for instance. In the fall of 2014, the company decided to stop
selling cigarettes. CVS would forego $2 billion in revenue, because “the
sale of tobacco products is inconsistent with our purpose – helping people
on their path to better health,” said Larry J. Merlo, president and CEO of
CVS Caremark.

The company recently launched another initiative, this one aimed at
promoting more realistic body images by refusing to materially alter the
beauty imagery in their stores, packaging or communications. CVS encouraged
its suppliers to do the same.

Sacrificing short-term gains to reinforce the company’s mission has
understandably been a big positive for their brand—and it’s been great for
business. In December 2017, CVS announced it would buy Aetna, a move that
could very well reshape the health insurance landscape in this country.

But accountability in cybersecurity is virtually non-existent. Despite
billions of dollars spent worldwide on cybersecurity solutions, our
position in cyberspace is now more precarious than ever. Recently, the
World Economic Forum’s Global Risks Landscape 2018 ranked cyberattacks
alongside extreme weather events, and the prospect of nuclear war, as the
most likely and dangerous risks threatening the stability of society.

That means, on the internet, “attackers could trigger a breakdown in the
systems that keep societies functioning,” the report said. We just saw that
happen last month when cyber actors held critical services provided by the
city of Atlanta for ransom, and even took Baltimore’s emergency 911
response system offline. We’ve moved far beyond hackers playing
tic-tac-toe, defacing websites, and stealing passwords and credit card
numbers.

The resulting damage from ineffective cybersecurity is significant, with
large-scale attacks becoming more commonplace as well as more damaging.
Consider these statistics:

- In 2017, companies revealed breaches of more than 4 billion data records,
more than the combined total for the previous two years.
- Last summer, attackers held more than 300,000 computers hostage in the
UK’s National Health Service, bringing the system to a complete halt and
forcing hospitals, surgeries, and pharmacies to use pen and paper to run
the nation’s health system.
- On April 1, Saks and Lord & Taylor were breached, likely resulting in the
compromise of more than 5 million payment cards.
- The estimated annual cost of responding to cyberattacks is now $16.59
million per company, representing a year-on-year increase of 27.4%.
- The cost of cybercrime to businesses will rise to astronomical
proportions, expected to top $8 trillion by 2022, just five years from now.

It’s clear we’re moving on a trajectory from data theft to data and network
ransom, to data manipulation and physical destruction. If we don’t begin to
change the economics of being a bad guy on the internet, which is a really
good business today, it’s not going to get any better.

It is possible to establish in cyberspace advantages for defenders over
attackers. However, we first must reject the ideas that every attack is
unprecedented, that attackers have the ultimate and long-term advantage,
that volumes of damage equate to severity of impact, and that there’s
nothing that can be done.

Then, the innovation part of the accountability equation needs to kick in.

We must preempt instead of just reacting. Typically, cybersecurity
solutions act like a police force: when there’s an event, they’re called in
to solve it. React and respond. A more effective approach is to act as a
bodyguard. If an event occurs, that means a bodyguard has failed. This
method preempts incidents, and this preemptive posture is one that every
organization needs to adopt for success in cybersecurity.

We must be methodical and scientific and avoid the continued cargo-cult
science, in which erroneous conclusions are formed by misinterpreting the
causality of results. The reality is that approximately 95% of
cybersecurity incidents and damage begin with phishing. It is the absolute
root cause of our insecurity. Let’s focus where attacks start.

We need to leverage economic power in the marketplace where cybersecurity
solutions compete. You wouldn’t pay for a car you couldn’t drive off the
lot, or a meal you didn’t get, and you shouldn’t pay for cybersecurity that
doesn’t work. The equilibrium of the marketplace in cybersecurity needs to
be restored so that companies who build better products can succeed.

So what can you do to get the kind of cybersecurity worthy of your
investment? Here are three imperatives:

Invest in what works. Training is not effective at stopping phishing.
Likewise, buying insurance against the possibility of a breach is a misuse
of resources. Preemption is the proven strategy of success, rather than
remediation and autopsy.

Focus on the root cause, not the symptoms. Solutions that stop 99.9% of
attacks are fine, but it’s the .1% that do all of the damage. You need
solutions that stop those few, most dangerous attacks, which almost always
begin with some flavor of phishing. In World War II, British planes
returning from bombing runs were inspected for bullet holes. Allied
officers reasoned that the pattern of vulnerability they showed was where
the planes should be more heavily armored. But, the opposite was true. The
extra armor needed to be placed where there were no holes. The planes that
were shot in those places were the ones that did not return. Focus on the
.1% because phishing attacks penetrate your traditional defenses.

Insist on a guarantee of performance. If the cybersecurity company you’re
negotiating with doesn’t offer some kind of guarantee of performance, don’t
do business with them. If they’re willing to take your money in exchange
for their product, they should tell you what you can expect.

Shifting our collective mindset about what we expect from the cybersecurity
industry can pay tremendous benefits for all concerned. The companies that
are daring enough to be held accountable for the efficacy of their
solutions will do very well by raising the bar. Those that do not will be
part of a long-overdue industry shakeout.

Then customers will finally get something that up until now has been
unavailable at any price: cybersecurity they can rely on to keep them safe
and secure.