Application Security
5/23/2017 10:00 AM
Grant Elliott
Commentary

With Billions Spent on Cybersecurity, Why Are Problems Getting Worse?

Technology alone won't keep you safe. Fully engaged employees should be your first line of defense.

In 2016, over $18 billion was spent on cybersecurity. It's estimated that almost a trillion dollars more will be spent over the next five years. Despite this, research shows that the problem is getting worse. Data breaches are at an all-time high, and the fierceness of these attacks has never been greater.

The reason is not that we're unable to develop smarter, better technologies to secure our data but that we use these technologies in a scattered and siloed approach. Also, we fail to leverage most companies' greatest asset — their people.

Protecting data has always been a challenge, but there are a number of reasons why it's becoming harder in the digital age.

  • Digitization of information: Unprecedented amounts of data are now online. If you were to put all the data on the Internet on CD-ROMs and stack them on top of each other, the stack would reach past the moon. And this amount is doubling every three years.
  • We value convenience over security: The human tendency is to trust people. We share passwords, click on links when told to, and volunteer too much information on social media. Many people still use the same password for all their apps, making it simple for hackers to gain access to our accounts.
  • The anonymization of hacking: Hackers don't have to be sophisticated to hide their identity for most attacks. Only a small percentage of cybercriminals are ever identified, let alone caught. Even when they are caught, they're often beyond the reach of local law enforcement.
  • There is no adult in the room: Despite what people generally think, there are surprisingly few regulations that force companies to take reasonable steps to protect their data. Even in areas such as healthcare, regulations like the Health Insurance Portability and Accountability Act lack clarity and are insufficiently enforced. In 2016, more than 27.3 million patient records were breached, but despite this, the Office for Civil Rights (the healthcare security and privacy regulator) settled alleged HIPAA violations with only 12 healthcare organizations. Outside of areas like healthcare, finance, government, etc., most federal security enforcement has defaulted to the Federal Trade Commission, which uses an arcane statute of the Federal Trade Commission Act that prohibits unfair or deceptive practices in the marketplace. This means that only the most egregious violations are penalized, leaving implementation of effective cybersecurity to the discretion of most business leaders.

So, in the absence of enforcement, what should we be doing?

  1. Understand what data you have. This applies to all data, not just valuable data. By classifying data by sensitivity, you can focus your efforts on protecting the most valuable data. This reduces the inconvenience and cost of trying to protect all data.
  2. Know where your data is. Data is not a physical object that lives in one place. For example, the moment you view a Web page, you're already duplicating it on your browser. There can be many copies in both storage and in transit at any given time.
  3. Know who has access to your data. This includes both theoretical and incidental access. For instance, if someone doesn't have physical access but is authorized to request that data be shared with them, that's theoretical access. Likewise, if it can be foreseen that someone may come into contact with data in the course of their duties, that is incidental access. In all cases, it is important to understand who has access and what level of access they have.
  4. Know what they're allowed to do with the data. Access to data must come with rules of use to ensure the data isn't shared or exposed in an unauthorized way. What's to stop an employee from publishing a private document on the open Web exposing sensitive data unless it has been made clear that this would be a violation? In addition, just because an employee has access to data doesn't mean they should access it.
  5. Know how the data is being protected from unauthorized access. To understand this, you first need to address all the points above. The type of data, where it is stored, and who needs access will determine the tools that need to be deployed. The level of encryption, physical security, access management, and identity protection are all valuable tools, but if they only protect one version of the data, then they become ineffective.

Unfortunately, most companies start straight at #5. They select hosting providers, encryption methodologies, and sophisticated cybersecurity tools before they truly understand what they should be protecting. They often spend tens of thousands of dollars on sophisticated cybersecurity tools but neglect the most critical part: people.

Most of the biggest breaches of the last few years have been unsophisticated exploits — e.g., the US Office of Personnel Management, Anthem, Sony, and so on. I believe the most effective defense is to engage the workforce. By making sure employees understand where data is, when they should access it, how it should be used, and how it's being protected, they can become your front line of cyber defense.

Annual training is not enough. Implementing cumbersome processes that make tasks more difficult without explaining why won't encourage adoption. An invested workforce is much more valuable.

In summary, there are many great cybersecurity tools available today. But the greatest tool of all is your employees. Engage them effectively and you will not just make your company more secure, you may even save some money.

Grant Elliott is the CEO and Co-Founder of Ostendio, a cybersecurity and information management solution. He is the former COO and CISO of Voxiva (now Wellpass), a digital health IT company. He has over 10 years of experience developing and managing cybersecurity programs and ...
Comments
Diablue (User Rank: Apprentice), 5/24/2017 10:46:02 AM
Re: 3 Additional Reasons
A coworker of mine once said "people are generally untrainable", and I think I have come to agree with his point. We *should* invest in people, but it's more of a "CYA" (think "audits", "assessments", and "compliance") than for any real security benefit.

People. Don't. Care. Sure, we are supposed to *make* them care, but they don't. We help those on the fence to teeter over in favor of caution, but there will always be that population who is clearly on the other side of the fence, and not interested in taking those steps. They want to open every email, repost every Facebook "news" article, download whatever tools they feel they need to use, whenever they feel like it, and make their passwords easy to remember and quick to type.

Now, more than ever, I believe that technical controls are king, and security awareness is a borderline waste of time.

Borderline.

AlexaR421 (User Rank: Apprentice), 5/23/2017 11:16:41 AM
Re: 3 Additional Reasons
Complacency is a key contributor. No company believes it will happen to them until it does. Good governance now dictates that company boards (large and small) consider cybersecurity as part of their risk assessment.

RobertM409 (User Rank: Apprentice), 5/23/2017 10:59:25 AM
3 Additional Reasons
I believe the author missed 3 big reasons: Complacency, Compliance Mindset, & Failure to Implement Available Solutions (Encryption, Multi-factor Authentication, Continuous Diagnostics & Monitoring). Numerous breach statistics support these.