Cyber Threat Analysis for 25 Mar 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.

Insufficient boardroom focus on cyber security, finds study

Although 81% of boards in the UK have placed more emphasis on cyber security in light of the breach at TalkTalk, a mere 53% have drawn up plans for breach management, according to a recent survey. (Acumin)

Whether boards actually care enough about cyber security to do something about it remains to be seen. For every report that suggests they do, another exists that indicates they don’t. Its true that C-level executives are losing their jobs over breaches, but whether that’s because the board has decided that that executive was negligent, or simply for optics, can’t be determined. What we do know is that high-performing CEOs (those who have a track record of keeping the stock price going from lower left to upper right) are unlikely to face the axe in light of a compromise because boards care about a lot more about financials than they do security.

Are you liable for a cybersecurity attack?

By far the most misunderstood insurance coverage is cyberliability. Just the name alone sounds futuristic and “techie.” Within the industry it’s also referred to as cybertheft, data security and data breach coverage.(Argus Leader)

Contrary to popular opinion, cyber insurance is not new. It was a thing, then it wasn’t, now its back, look for it to go away again. You only need to spend a few minutes listening to insurance agents and lawyers to realize that – in the wake of a breach – if the former doesn’t get you with the fine print, the latter will drive you to settle for pennies on the dollar. Nobody is fulfilling the role of “nurse-to-your-house” that happens when you apply for supplemental life insurance, and absent a sufficiently detailed understanding of what is and is not being done from a security perspective, no agency is really going to sign up for your liabilities. Not that insurance should be play a role in your risk-management scheme, just recognize that it is not going to make you whole.

Tanium CEO on The Security Industry

“We as an industry owe our customers better than to say that they should be terrified constantly and to give us lots of money.” (Bloomberg)

That this statement from a cyber security company CEO strikes so many people as unusual really says more about the industry than it does the man. You hear a lot of CEOs talk about focus on product and shipping and quality and customer satisfaction…you just don’t hear about it in security. They don’t have to. You can ship stuff that doesn’t work, or shake people down, and people will still stroke a check because they don’t have any choice: security (or more accurately ‘compliance’ with a security regulation) is something they have to do. If 1/10th of the security vendors decided they would adopt Orion’s attitude, this would be a much different world.