Underinvested? Overinvested? Do we have the right supplier(s)? Are we running the right software? Are we using the right security technology? Are our solutions keeping us safe and protected? Do we have applications and a network infrastructure that can be properly protected? These are the starting questions IT and Financial leaders of any organization face today when they look at the Equifax Security Breach – one the largest and deepest in US history. If you are unfamiliar or have chosen to forget it on purpose (apologies in advance if that’s the case), it impacted 140 million consumers’ personal information, including social security numbers and other critical credit information.For those of you outside the United States – having another’s social security number, is the primary ingredient for identify theft. It’s like having the keys to the credit kingdom wherein you can likely take out loans, credit cards, and carry out numerous and sundry other nefarious financial dealings in another’s name.
Now we can fast forward after an event like that and imagine the hundreds, maybe thousands, of fire drill meetings across North America and even the world, to assess the ‘threat’ to their own organization.
I imagine the meetings and aftermath of an ‘Equifax Event’ typically go something like this:
- Mid to Sr. Level IT Management:
- Immediate meetings with IT Security Software and Hardware suppliers, and in house or external (or both) Security Experts to immediately review and assess the specific threat that took down ‘Equifax’ (or Yahoo, Target, e-Bay, Heartland Payments, TJX and more).
- CSO and CIO:
- Revisit Security Policies and ‘Playbook’. Ask the what-if scenarios, and ensure they are defended against this, and similar threat events.
- Conduct a supplier review and readiness assessment to ensure the suppliers you have are the right ones to mitigate this new threat
- Review of investments around security breaches
- Analysis of liability and exposure if a similar event impacted them
- Liability exposure
- Forecasting where and how a breach would impact bottom line
- Meet with Corporate Legal Team to ensure all measures of protection are considered and active
What we don’t see enough of, are companies asking questions within a framework of cost versus liability. There are some areas of the business, that to be candid, do not cost justify the investment to protect at the same level. Areas that contains no personal, consumer, or other critical data may not warrant multimillion dollar investments in software and continuous upgrades.
To make matters more challenging, the stakes are getting much higher for organizations that breach an individual’s private information with the new EU General Data Protection Regulation (GDPR). It should be a concern for almost every organization doing business in the EU, regardless of whether the business stores or processes that data on EU territory. Information related to an identified or identifiable natural person are subject to stringent rules of protection and if breached, the fines are very stiff.
Companies must ask the question: If sensitive information is exposed (private individual details, proprietary information, sensitive communication, etc.) is exposed, what is the real damage? If the damage risk is less than the investment required to protect it – why would you? Put another way, companies must do more to evaluate the risk of what they will actually lose. So often what we are seeing is that companies that are unwittingly playing into the hands of the technology cartel, will buy the latest and greatest in ‘protection’ (software and services) so they can report that they’ve done all they can, without having prioritized exactly what it is they are protecting. Not to say you should not be vigilant in your data protection strategy—simply be pragmatic in accessing the risk and the probability of a breach.
And when you look at what they’re up against – it’s understandable. If you’re in IT Security, you already know this – if you’re not – consider these three major areas of threat:
The virtual impossibility of protecting everything is staggering when you think about the ‘Threat Surface’ most companies have and the layers within it.
- The threat surface being all those connected things to your company: POS Devices, mobile phones, laptops, networks, Internet of Things, and literally hundreds more
- Next you have all the connectivity between those devices, routers, switches, networks, and IoTs
- Between all those connections runs firmware, middleware and other applications – each with their own vulnerabilities
- Then we have almost all of the above (hardware, devices, applications, firmware, software, etc.) all come with their own security updates and patches
- All of those patches and updates must work with all those other devices and connections
The complexity becomes quickly overwhelming for anyone organization to manage and control – try as they might.
Human Social Behavior
Like all systems and networks – trust in people is a big problem. Not that people can’t be trusted per se, it’s that they often just don’t know what they are unleashing. Put another way, as humans we can be trusting, too trusting, which puts us at risk at being duped into inadvertently exposing our organization to new threats, even some of the smartest and most aware individuals among us have fallen victim to this. Depending on the publication you read, 65% of all email people receive is SPAM. Of that 65% - something like 60% of it has malware associated (attached or embedded) with it. All it takes is one open within an organization – and the trap is set. And sometimes it won’t be sprung for months or a year. The more time malcontents take to snoop around, the more they can take later. It’s almost impossible to 100% control the human element – and mistakes will be made.
“Inspiration: the process of being mentally stimulated to do or feel something, especially to do something creative.”
To say that the ‘hacker’ class is inspired is an understatement. There is incentive all around them that fuels the intensity, frequency, and boldness of attacks. As with many endeavors, there is a huge profit motive. So much so, that countries are now getting into the act (or always have been). According a New York Times article from July 2017 – North Korea has established an entire department dedicated to hacking for profit, not just for cyber warfare. But it doesn’t have to be a country. There are highly organized groups that do this for the sheer thrill and fun of it, and others part of organized crime syndicates who rely on it as a stream of income. And to say there is money in hacking would be a gross understatement.
It would be like a team playing football (American or European), with one team able to create and maneuver however they please (hackers), playing without a rulebook. While the other team (Corporate and Government entities) playing with a blindfold trying to guess where the opposition is headed with the ball, while at the same time playing by a set of rules (laws and regulations) written by people who likely don’t even play the game.
Summary? “He’s Just Not That Into You”
The question is, how can you reasonably expect to play this game and win from an IT Security standpoint? With limited resources (time, money, and people), an ever-increased threat surface, and a technology industry ready to sell you any software or service to “help you”, who can you really trust to optimize your decisions and resources? The answer is of course – yourself and your direct peers. The answers are not simple, but they are more than just buying additional ‘tools’.
Start by asking questions you may not have considered previously. Such as – what are we protecting? Why are we protecting it? Can we shift resources to other areas that are critical, and leave other areas with less than the fully loaded costs of enterprise level protection? Is the cost of protecting some information exponentially more than the cost of losing it?
Insurance companies have done this for decades. They place of value on people and things, and determine what they are willing to pay for should a loss occur. All too often companies try to lock everything down like losing any of it will be catastrophic. For some, that may be the case – but for many others it simply is not. There was a 2009 movie released called, “He’s Just Not That Into You” – and it reminded me that it may apply to whole areas of your business that you’re investing millions in.
Developing and sustaining a solid security management framework that takes a 360 degree view of the security threat and the tools, process and expertise to address is vital for any organization, large and small. Providing unified, granular access control to applications, services and infrastructure, regardless of location, whether on-premises or in the cloud and applying this level of access control scrutiny to third-parties, contractors, employees is vital in this process. This is more than just spending to fix the problem. It is a concerted effort at data protection that leverages independent expertise that is agnostic to any one supplier solution.
Maybe it’s time to ask some different questions, and think more about the process of what and why you are spending millions to protect ‘assets’ – and see if there is a better, more focused approach that doesn’t require a double-digit increase in budget year over year to protect against a threat that will never come (to you).
Celebrating 15 years, NET(net) is the world’s leading IT Investment Optimization firm, helping clients find, get and keep more economic and strategic value. With over 2,500 clients around the world in nearly all industries and geographies, and with the experience of over 25,000 field engagements with over 250 technology suppliers in XaaS, Cloud, Hardware, Software, Services, Healthcare, Outsourcing, Infrastructure, Telecommunications, and other areas of IT spend, resulting in incremental client captured value in excess of $250 billion since 2002. NET(net) has the expertise you need, the experience you want, and the performance you demand. Contact us today at firstname.lastname@example.org, visit us online at www.netnetweb.com, or call us at +1-866-2-NET-net to see if we can help you capture more value in your IT investments, agreements, and relationships.
NET(net)’s Website/Blogs/Articles and other content is subject to NET(net)’s legal terms offered for general information purposes only, and while NET(net) may offer views and opinions regarding the subject matter, such views and opinions are not intended to malign or disparage any other company or other individual or group.