The Threat From ‘Security Fatigue’

There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.

Two other things also are true: too many people fail to take simple steps to stay safer online; and individuals who become a victim of identity theft, in whatever form, tend to be baffled about what to do about it.

A new survey by the nonprofit Identity Theft Resource Center reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:

  • Nearly half (48%) of data breach victims were confused about what to do.
  • Only 56% took advantage of identity theft protection services offered after a breach.
  • Some 61% declined identity theft services because of lack of understanding or confusion.
  • Some 32% didn’t know where to turn for help in the event of a financial loss because of identity theft.

Keep your guard up

These psychological shock waves, no doubt, are coming into play yet again for 143 million consumers who lost sensitive information in the Equifax breach. The ITRC findings suggest that many Equifax victims are likely to be frightened, confused and frustrated — to the point of acquiescence. That’s because the digital lives we lead come with risks no one foresaw at the start of this century. And the reality is that consumers need to be constantly vigilant about their digital life. However, cyber attacks have become so ubiquitous that they’ve become white noise for many people.

The ITRC study is the second major report showing this to be true. Last fall, a majority of computer users polled by the National Institute of Standards and Technology said they experienced “security fatigue” that often correlates to risky computing behavior they engage in at work and in their personal lives.

The NIST report defines “security fatigue” as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore. … People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Cognitive psychologist, Brian Stanton, who co-wrote the NIST study, observed that “security fatigue … has implications in the workplace and in peoples’ everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”

Make no mistake, identity theft is a huge and growing problem. Some 41 million Americans have already had their identity stolen — and 50 million reported being aware of someone else who was victimized, according to a Bankrate.com survey.

Attacks are multiplying

With sensitive personal data for the clear majority of Americans circulating in the cyber underground, it should come as no surprise that identity fraud is on a rising curve. Between January 2016 and June 2016, identity theft accounted for 64% of all data breaches, according to Breach Level Index. One reason for the rise was a huge jump in internet fraud. Card not present (CNP) fraud leaped by 40% in 2016, while point of sale (POS) fraud remained unchanged.

It’s not just weak passwords and individual errors that are fueling the rise in online fraud. Organizations we all trust with our personal information are being attacked every single day. The massive breach of financial and personal history data for 143 million people from credit bureau Equifax is just the latest example.

Over the past four years, there has been a steady drumbeat of major data breaches: Target, Home Depot, Kmart, Staples, Sony, Yahoo, Anthem, the U.S. Office of Personnel Management and the Republican National Committee, just to name a few. The hundreds of millions of records stolen never perish; they will continue in circulation in the cyber underground, available for sale and/or to be used in the next innovative fraud campaign.

Be safe, not sorry

Protecting yourself online doesn’t have to be difficult or complicated. Here are seven ways to better protect your privacy and your identity today:

  • Freeze your credit rating at the big three rating agencies so scammers can’t use your identity to take out loans or credit cards
  • Add a website grader to your browser to avoid malware
  • Enroll in ID theft coverage with your bank, insurer or employer; it could be free or surprisingly inexpensive
  • Get and use a password vault so you can create and use hard-to-guess passwords
  • Be knowledgeable about common cyber scams
  • Add a verbal password to your bank account login and set up text alerts for unusual activity
  • Come up with a consistent way to decide whether it’s safe to click on something

There is a bigger implication of losing sensitive information as an individual: it almost certainly will have a negative ripple effect on your family, friends and colleagues. There is a burden on consumers to be more active about cybersecurity, just as there is a burden on companies to make it easier for individuals to do so.

NIST researcher Stanton describes it this way: “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”

Melanie Grano contributed to this story.

HBO Breach Raises New Cyber Concerns

Following on the heels of the two globe-spanning ransomware worms, the HBO hack—with its distinctive blackmail component—rounds out a summer of extortion-fueled hacks and destruction and theft of valuable data at an unprecedented scale.

WannaCry and Petya raced around the planet demanding ransoms after locking up servers at hundreds of organizations. The HBO hackers pilfered 1.5 terabytes of intellectual property and business documents from the television giant. Next, they heaved samples into the internet wild and demanded $7.5 million to halt disclosures of even more highly perishable intellectual assets.

These high-profile cyber attacks have sent shockwaves through the insurance industry. Inga Goddijn, executive vice president at Risk Based Security Inc., a Richmond, Virginia-based supplier of risk management services, agreed to supply some context and discuss the implications. Here are excerpts from our conversation, edited for clarity and length.

ThirdCertainty: How common is it for big media companies to hold cyber liability policies?

3C: Is it likely HBO held a cyber liability policy?

Goddijn: Cyber insurance is largely accepted by large organizations as an important and necessary part of their overall coverage portfolio. That’s not limited to just the big entertainment companies, that applies across the board to most large enterprises. Where we see a drop-off in the adoption rate is with small to midsize organizations.

It is likely there is some element of cyber coverage in place for HBO. It’s important to keep in mind it was HBO’s intellectual property that was compromised, not personally identifiable information. It’s not especially common to find cyber coverages that respond to the value of the policyholder’s creative content. So even with cyber insurance in place, it may not apply to this type of data compromise event.

3C: How do you expect the HBO hack to impact the emerging cyber insurance market?

Goddijn: We have already seen an uptick of interest in cyber coverage post-WannaCry and Petya malware events. This is yet another high-profile breach that highlights the fact that data has value. Attackers will go after what has value, which in turn can have a real financial impact on the breached organization. Cyber insurance is still the best option for addressing that monetary fallout.

3C: Could this accelerate wider implementation of third-party best practices; or, perhaps, smarter and wider use of encryption?

Goddijn: It’s hard to say. We’ve seen so many high-profile breaches come and go with little visible impact on security practices. Certainly that’s not true for all—as there is an argument to be made that the Target and Home Depot breaches accelerated the adoption of chip-enabled credit cards. What we can say is that each event like this does highlight just how important data security is to practically every business.

3C: Do you anticipate that the HBO hack will help give focus to cyber insurance?

Goddijn: Each breach that makes headlines the way the HBO event has puts more focus on cyber insurance options. What will be interesting to watch unfold is how the cyber market will address the increasing number of attacks targeting intellectual property.

3C: So what is being discussed in the insurance community with respect to extending coverages to include loss of intellectual property?

Goddijn: Traditionally, the insurance market has shied away from covering events like theft of trade secrets or damage to intellectual property. Coverage for perils like trademark or copyright infringement arising out of content created by the insured is widely available, but events such as the HBO breach—and more specifically the compromise of proprietary works—are not an area most carriers are comfortable entering.

Unlike a car or a building, it’s difficult to determine the value of something like a secret formula or an unreleased episode of a popular show. The actual value of the intellectual property itself is subjective and can change over time. Anytime there is that level of uncertainty around pricing a risk, it’s sure to cause hesitation for the underwriters.

3C: How far off on the horizon is wide availability of intellectual property coverage? A year or two? Beyond that?

Goddijn: The diligent buyer that is interested in third-party coverage for a compromise of the I.P. of others can find this in today’s marketplace. It may take some looking, and specific circumstances may prevent any carrier from offering the coverage to a specific buyer, but it can be found. As for first-party coverage for intellectual property, that is a very rare product. There are only a handful of carriers willing to offer this, and it comes with its own host of coverage caveats. Given the nature of the exposure, it’s not likely we’ll see insurance carriers jumping into this area anytime soon.

This article originally appeared on ThirdCertainty.

How to Mitigate Cyber Threats

Employees often are seen as the weakest link in cybersecurity. Breaches by hackers may hit the headlines, but human error (or intent) is responsible for the majority of attacks.

IBM’s 2016 Cyber Security Index reported that insiders carried out 60% of all attacks. Three-quarters of these attacks were malicious, and a staggering 25% of breaches were accidental.

I took the opportunity to sit down with Richard Ford, chief scientist at Forcepoint Security, at Black Hat 2017 in Las Vegas. The notion of understanding human behavior and its role in cybersecurity was the topic of our discussion, and you can find the key takeaways below.

Look at the why, not the what.

We’re great at focusing on what is happening within our network and capturing every single event. What we’re bad at doing is talking about the why. This often is much more significant. It’s time companies think about what the hacker is trying to accomplish. Why did that file get moved? Why did that data loss prevention (DLP) event occur? Mitigation depends on the why. You’d mitigate an accidental data breach very differently than an intentional one. When companies move toward the why, they can start to mitigate much more effectively.

Reduce the friction caused by IT security.

A lot of security measures aren’t successful because they create friction for users. Currently, we see security’s role as protecting the business. In the future, we will see it as a way to enable business to be done safely. For example, to stop restricted files from leaving company servers, most firms would turn off universal serial bus (USB) access. But that creates friction. Instead, the file should be seamlessly and silently encrypted so that it will only decrypt if it is loaded onto another company device. It’s the same level of protection but with far less friction. The more seamless security is, the more people will buy into it.

Make privacy a first-class citizen.

Too often, companies send a bad message by giving the impression that they don’t trust their employees. Security and privacy should be a benefit to the employee, not a negative. One way companies can achieve this is by being open with employees. When employees understand what’s happening, they understand why it’s protecting the company. Another is by anonymizing the data in a way that protects an employee’s personal information but still continues to protect the company. When done right, employees’ privacy should be protected and so should the company’s data. You shouldn’t do one at the expense of the other.

Cyber Measures Starting to Pay Off

Organizations pay a hefty price for a data breach, but the cost, for the first time, has dropped, a 2017 IBM Security study conducted by the Ponemon Institute has found.

The study, which interviewed more than 1,900 individuals at 419 organizations in 11 countries, found the average cost of a data breach is $3.6 million—a 10% decrease from IBM Security’s 2016 study.

Incidents with fewer than 10,000 records compromised cost, on average, $1.9 million, and incidents with more than 50,000 compromised records cost, on average, $6.3 million. Incident costs in the 2016 study averaged $2.1 million for the smaller breaches and $6.7 million for the larger ones.

“I was pleasantly surprised to see this was the first year in the history of the study that the global cost of a data breach has declined,” says Diana Kelley, IBM Security’s global executive security adviser. The Ponemon Institute has tracked the cost of U.S. data breaches for 12 years and other countries’ breaches for as long as 10 years.

This year’s decrease, Kelley says, “may be an indication that the expertise and processes being put in place to optimize security measures are more effective than ever before.”

What’s working

The new study found that incident response, encryption and education had the most impact—and business continuity programs also helped—in reducing the cost of a data breach.

The faster a data breach can be identified and contained, the lower the costs, the study revealed.

For the 419 companies in the study, the average time to identify a data breach was 191 days, and the average time to contain a breach was 66 days. The average time to identify and contain a breach was highest when a malicious or criminal attack was involved.

People, not glitches, cause most problems

“Successfully responding to a breach is all about speed and limiting the window of access and damage to an organization’s IT environment and data,” Kelley says. “The more quickly a security team can identify what has happened, what the attacker has access to and how to contain and remove their access, the more successful they will be in keeping costs down.”

Hackers and criminal insiders cause the most data breaches. The study found that 47% of all breaches were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was $156. In comparison, system glitches were resolved at an average cost of $128 per record, and human error or negligence breaches were fixed for $126 per record.

Companies in the U.S. and Canada spent the most to resolve a malicious or criminal attack. U.S. organizations spent, on average, $244 per record, and those in Canada spent $201 per record. In comparison, companies in India spent much less—$78 per record.

A single record compromised, of course, would be a manageable expense, but organizations with data breaches usually are faced with hundreds to thousands of compromised records.

“The numbers add up quickly when you consider all the resources and elements affected by an attack,” Kelley says. “Detection and escalation costs alone can include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and the board of directors.”

The bill “continues to rise,” she says, with the cost of notifying victims, help-desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.

“For some small- or medium-size companies,” Kelley says, “a data breach could cost them their business if not effectively addressed.”

This article originally appeared on ThirdCertainty.com. It was written by Gary Stoller.

Security of Medical Devices Needs Care

Medical devices, such as pacemakers, insulin pumps and defibrillators, could become lethal in the hands of a hacker tampering with them remotely. A new study that shows medical devices—and patients—are vulnerable to cyber attacks is a wake-up call for manufacturers, according to a Silicon Valley software company that sponsored the study.

Device manufacturers must change their culture and look at security as an equal to patient safety, says Chris Clark, principal security engineer of strategic initiatives for Mountain View, Calif.-based Synopsys.

The company’s study, which surveyed about 550 employees of device manufacturers and healthcare delivery organizations (HDOs), found that nearly 70% of manufacturers and nearly 60% of HDOs believe an attack on a device built or in use by them is likely to occur during the next 12 months.

The most surprising finding, Clark says, is that about 40% of manufacturers and 45% of HDOs—despite being aware of the risks—take no steps to prevent medical-device attacks.

There are, however, some positive takeaways, he says. The study, conducted by the IT research organization Ponemon Institute, showed that “a significant percentage” of HDOs are concerned about the risk of insecure medical devices, and many are taking measures to test them for vulnerabilities. That’s a good sign, Clark says, because most study respondents work for small organizations “with limited resources and expertise in this area.”

Security painfully lacking

About 60% of respondents work for organizations with fewer than 1,000 employees, 10% said they had no budget for device security and 40% said their annual budget was less than $500,000.

The study found that 59% of respondents employed by HDOs rated the importance of medical device security as very high relative to all other data and IT security measures deployed. Yet, only 37% of those who work for manufacturers consider such security of very high importance.

This tells us the manufacturers still operate under the pretense that security is an HDO issue, and medical device security will be a lower priority for the foreseeable future, Clark says. “This statistic alone should be of great concern and a critical lesson for HDOs who are truly interested in protecting their infrastructure.”

A cyber attack on a medical device can manifest in various ways. An attacker could take control of a device to administer inappropriate or harmful treatment to a patient, Clark says. The attacker could dispense the wrong dosage of medication via an infusion pump, manipulate the electrical output of a pacemaker, crash or render a device inoperable, access the data stored or transmitted by a device or use it to pivot to other systems or devices within the same network.

Hospitals risk erosion of patient confidence

Each of these scenarios has a physical impact to a device or group of devices, but the real danger is a loss of confidence in the ability of HDOs to deliver quality care and protect patient information, Clark says. “A breach could be catastrophic for a hospital system.”

The Synopsys study found that 80% of respondents who work for medical device manufacturers or HDOs say medical devices are very difficult to secure. The top reasons cited for device vulnerability include accidental coding errors, lack of knowledge/training about secure coding practices and pressure on development teams to meet product deadlines.

Security an afterthought

Securing medical devices also is difficult, Clark says, because security is not a primary consideration early in the design process. “This, along with the need for flexible communications that are often unencrypted or have no security characteristics, creates a wide range of challenges.”

Respondents in the Synopsys study were surveyed before the WannaCry ransomware attack in May. The worldwide cyber attack targeted computers running the Microsoft Windows operating system and, within a day, reportedly infected more than 230,000 computers and medical devices in more than 150 countries.

Healthcare organizations are “some of the most commonly targeted cyber attack victims, second to only the banking and financial industry,” Clark says. “If you couple that trend with the results of this survey showing how little is being done to protect medical devices, it’s not unreasonable to expect things to get worse before they get better.”

Most stakeholders, though, are “genuinely concerned” about the impact of insecure medical devices—“both in terms of patient safety and risk to their organizations,” Clark says. “What remains to be seen is whether the industry steps up to voluntarily address these challenges or the U.S. Food and Drug Administration takes a more aggressive stance.”

This article originally appeared on ThirdCertainty. It was written by Gary Stoller.