[BreachExchange] The ostrich security strategy is now very risky

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 5 20:55:52 EDT 2018


https://www.csoonline.com/article/3286620/data-protection/the-ostrich-security-strategy-is-now-very-risky.html

Some potential buyers of security technologies may decline to purchase
technologies that detect data breaches because if they don’t know of a
breach, they believe they can avoid penalties under the recent regulations,
GDPR and the new California Consumer Privacy Act. Such a strategy dooms
companies to major breaches and potentially massive fines. Ostrich-minded
security, an unintended consequence of GDPR and CCPA, increases cyber risk.

California’s new privacy law

The first step in GDPR-like policies impacting the U.S. is the California
Consumer Privacy Act of 2018, which will undoubtedly have a huge impact on
tech companies that must now adequately address consumer privacy concerns.
Any business that transacts with people, online or offline, is now
responsible for changing its relationship with customers, for the better.
That act has three core pillars: anyone can opt out of having their data
shared or sold, everyone has a fundamental right to know where their
personal data is and with whom it is shared, and all have protection from
companies who inadequately protect their data.

The act is clearly aimed at controlling businesses that gather Personally
Identifiable Information (PII) (e.g., data gathered when transacting or
browsing on websites), giving consumers full control to opt out of the
company’s data gathering activities, and to be fully informed of what data
is gathered about them.

The fines under CCPA can scale to large financial losses

The loss of PII has real teeth, although it isn't perhaps as severe as
major GDPR violations:

"Any consumer whose nonencrypted or nonredacted personal information, as
defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section
1798.81.5, is subject to an unauthorized access and exfiltration, theft, or
disclosure as a result of the business’ violation of the duty to implement
and maintain reasonable security procedures and practices appropriate to
the nature of the information to protect the personal information may
institute a civil action for any of the following:

"1. To recover damages in an amount not less than one hundred dollars
($100) and not greater than seven hundred and fifty ($750) per consumer per
incident or actual damages, whichever is greater."

So what are reasonable security procedures and practices to protect PII
from being lost? Will we now see an end to the breach-a-day reporting of
one or another successful cyberattack? For those companies who “opt out” of
fielding “reasonable” security architectures, their cyber risk analysis
must be updated to account for losses due to fines under both GDPR and
CCPA. You can do the math by simply counting the number of customer records
that are lost, and applying the damage estimate plainly stated in the
letter of the law.

What is a reasonable security procedure and practice?

Most security professionals understand the complexity of a security
architecture, and perhaps have excellent cyber risk analyses to back their
decisions. It is evident that security, and now privacy, must be taken very
seriously. But nothing is perfect, and overworked and highly stressed
professionals can do silly things. They do, however, have important moral,
ethical and professional standards to uphold in the mission to secure their
corporations.

Reading the fine print of GDPR and CCPA might lull a security professional
into thinking it is unwise to field a new security technology so that they avoid
knowing when a breach has occurred. Such information requires all of the
reporting and hard work to comply with these new regulations, and security
teams are already overworked. Don’t scoff that this ostrich strategy isn’t
real. It is. And it is potentially very costly to the organization.

Some years ago, I was tasked by DARPA to deploy and test a new intrusion
detection system I invented that focused entirely on sophisticated (very)
low and slow attacks against military networks. The sensor operated
magnificently well and revealed a startling number of very sophisticated
activities no other deployment was able to detect. Success was met with
consternation, and the staff on site immediately unplugged and removed the
device. Why? Their response was “we weren’t ordered to detect those
attacks.” Silly, but true. It was an eye opener. Not knowing was considered
safer. There was a real “need not to know”.

The ostrich strategy to security is an expensive risk

Can the ostrich strategy still exist in today’s commercial world? Are
tougher regulations encouraging a desire not to know?

A recent sales opportunity disappointingly confirmed that the ostrich
strategy is alive and well. There are clear implications that the
organization has missed the point and has substantial risk it may not have
accounted for – its own security personnel purposely ignoring reasonable
means of detecting breaches quickly. Its bottom line may now be at risk.

I paraphrase the security personnel’s remarks when being briefed about a
new technology that quickly detects data loss utilizing a new data tracking
technology, beacons:

"I wouldn’t want to know or be alerted every time I may have incurred a
data loss because it would start the 72 hour window clock [as stated in
GDPR]. A part of me would just rather not get alerted if a sensitive
document was opened in Russia. I would be afraid that I would get a lot of
alerts."

I am quick to admit that the overwhelming majority of serious security
professionals would not utter such a comment, although they may have a
fleeting moment in their mind to think about hiding their head. The
systemic nature of the breach-a-day culture is no longer tolerable, and the
new financial risk to the bottom line of a corporation under these new
regulations is real and substantial.

For those companies whose security professionals opt out of fielding
reasonable security architectures, the CFO and compliance committees and
officers ought to reconsider their cyber risk analysis, updated to account
for losses due to fines under GDPR and CCPA. The return on investment in
new security technology should be evident: loss is frequent given today’s
security standards, and fines will mount far more than the cost of
investing in new data loss security controls.

The CCPA regulation requires “reasonable security procedures and
practices,” as does GDPR. Ignorance of a serious security event is
unreasonable, and just like ignorance of the law, it is no defense.