Cyber Threat Analysis for 21 Apr 2016

Analysis & Commentary on the Week’s Cyber Security Issues

The “so what” factor feeds and aggregators don’t give you.


Data Breach? Consumers Are Forgiving According to Survey

In the digital age, a hacker getting hold of our personal data is par for the course. A quarter of American adults report they have been in the uncomfortable position of learning their information was involved in a data breach. It doesn’t seem to matter, though — only 11 percent of those people say they stopped doing business with the hacked company after their information was compromised, according to a new survey from the RAND Corporation. (Medical Daily)

The ability of most organizations of any size to make victims whole again could be viewed as a serious impediment to better security. When a minuscule increase in prices or fees, spread out across hundreds or thousands of customers, pays for even the most expensive breaches, what incentive does a firm have to spend money to improve security beyond the regulatory minimum? Barring new legislation, or an event of catastrophic proportions that drives an over-reaction, one might say “retail” cyber crime and defense have reached a stasis.

Majority of Healthcare Data Breaches Caused by Cyberattacks

According to a recent study, most healthcare data breaches in 2015 were caused by cyberattacks, such as phishing scams and ransomware. Cyberattacks were the top cause of healthcare data breaches in 2015, according to a recent study by Symantec Corporation on healthcare cybersecurity. The study showed that providers have shifted their views on healthcare cybersecurity to account for the rise of cyber threats, such as ransomware and phishing scams, and the increasing risk to care delivery and patient safety. (Health IT Security)

In a way, organizations in the healthcare industry have the potential to improve their security postures faster than those in other industries. The development and use of well-researched, time-tested protocols is a hallmark of the industry, as are things like checklists, two-person rules and oversight by experts. Following formulas and working through checklists does not guarantee a more secure enterprise, but medical culture could enable sound practices to spread more quickly and stick with employees over time. The industry will need to take care to understand and look clearly at the threats it faces and to respond well under pressure (another trait of medical professionals), because the temptation to “believe the hype” when lives may be on the line is going to be high.

Cyber Security Budgets Not Keeping Up With Threat Levels

Cyber security budgets are on the rise but are not keeping in line with increasing threats, according to security professionals. Almost two-thirds (60%) of members at the Institute of Information Security Professionals (IISP) say budgets do not fully meet the threats. Only 7 percent reported that budgets were rising faster than the level of threats. (Channel Biz)

Whether budgets are keeping pace with threats is a claim that few (especially practitioners) can make in an objective fashion. Very few organizations have practices in place that can effectively measure the return on security spending. The lack of realism and rigor in testing regimes ensures that most organizations have a false sense of security when it comes to how protected they are and how well they can respond in a crisis. When their illusions are shattered, decisions tend to be reactive and may have no real impact on the organization’s defensive posture. Effective threat modeling and continuous, realistic testing of mechanisms, methodologies, and people will give you a better idea of how much it costs to defend yourself against the threats you actually face.

Know Thy Employees to Detect and Mitigate Security Risks

According to the UK Government Communications Headquarters, the scale and rate of cyber-attacks shows little sign of slowing down. In a 2014 report, the Department of Business Innovation and Skills (BIS) reported 81% of large organisations had experienced some type of security breach, and these breaches cost each organisation, on average, between $850,000 and $2mm. One of the easiest and most overlooked steps in managing and controlling the “danger” within organisations is – employees. (SC Magazine UK)

Countering the insider threat problem is going to require a significant commitment by organizational leadership that heretofore has been lacking. This is essentially a counterintelligence problem, and most commercial concerns lack the knowledge, skills and will to conduct such activities. Rather than being viewed as threat identification and risk reduction activities, they are too often viewed as “spying on employees,” which is a realistic concern if done poorly. A good insider threat program will include both technical monitoring and a human engagement element that helps assess whether suspect activity is indeed intentional, and that serves as a deterrent in case it is.

Reduce Cyber Security Risks with Employee Training

Your employees are an important line of defense against a data breach or cyber attack that could lead to financial or reputational loss for your company. Increased investment in employee training can reduce the risk of a cyber attack by 45 to 70 percent, according to a 2015 study by Wombat Security Technologies and the Aberdeen Group. The study surmised that employees are “perhaps the greatest evolving security threat.” (Milwaukee Business News)

Training employees on computer security can be a net benefit if leadership takes it seriously and holds people accountable for failing to meet standards. Computer security training is usually a one-off, pencil-whip exercise that everyone promptly forgets while they go about getting things done. No manager would tolerate repeated, fundamental mistakes by someone in Operations, but when it comes to security all too often the attitude is, “it’s just security.” If you believe improving computer security is important and you want to get value out of the training you provide, ensure everyone understands that “it’s just security” is a thing of the past, and work with HR to develop a reasonable and defensible policy that includes rewards as well as punishments.