Do You Trust Your Counterparty?

Do you trust your counterparty? What about ALL THE COUNTERPARTIES? Full disclosure, I bought my first car from a huckster used car salesman in the Bronx, NY. His smile was perfect, his form straight out of central casting. The car? A “lightly used” Subaru Forester. Really, what could I have to worry about? Subarus are known to be reliable. 12,000 miles from one owner hardly seemed used at all. It drove like a dream, and it looked great. As I pulled out of the lot, I was sure we made […]

by Richard Berkley
Contributing Editor

Wired for Cyber Resilience

Not original, but true: ‘you are only as strong as your weakest link.’ For cyber security, that weak link usually manifests itself in the people within your organization. Over 90% of cyber breaches are a result of some form of human error. Malicious individuals prey on human weaknesses and gaps in corporate culture. We have found that most of these flaws can be categorized as the result of gaps in policy compliance or routine adherence. Most organizations have policies; unfortunately, these same organizations often fail to ensure these policies […]

by Joseph Socolof
Contributing Editor

The Cyber Skim: Monthly Top Cyber Articles for June 2019

Cyber security is not just an IT or a CIO problem; it’s a senior leader problem. With so much information on cyber security out there, we’ve curated our list of the most interesting articles to come out this month to give senior leaders the information and perspective they need to approach cyber security. “Tomorrow’s Cybersecurity Analyst Is Not Who You Think” by Chris Schueler. I can vouch for this myself; some of the most talented cyber security professionals I know have “non-traditional” backgrounds such as music and language that make […]

by Dawn Dunkerley
Contributing Editor

We Have Met the Enemy and It Is Us

In this blog we have written often about the need to assess levels of risk and to apply appropriate levels of security to them, but we have not mentioned a solution that should be at the top of everyone’s list of remedies. Eliminate the possible risk. Last week First American Financial Corporation, a large provider of title insurance, disclosed that it had inadvertently exposed mortgage records, including social security and bank account numbers, for 885 million records going back 16 years. There were no hackers involved or state-sponsored villains. The […]

by Hank Berkley
Contributing Editor

The World is Getting Scarier

This blog and most cyber security reporting have focused on the financial ramifications of breaches. We speak of loss of business, loss of customers, loss of reputation and direct loss of money; but over the last few years a group of threats has been uncovered that carries much more serious consequences. These are cyber-attacks with physical outcomes. The motives may still be to achieve financial benefits, such as collecting a ransom or stealing intellectual property, but the collateral damage can be significantly worse. The first known […]

by Hank Berkley
Contributing Editor

No More Mr. Nice Guy

A broad view of activity in the cyber world can help you to focus your resources as well as provide you with the basis of a scorecard compared to others. Verizon just released their 2019 Data Breach Investigations Report and it is worth a read for the guidance it can provide. Here are a few of the things that we found of interest along with some of our comments. Of the just over 17,000 cyber incidents that were reported, the most common attack (more than 60%) was a denial of service event […]

by Hank Berkley
Contributing Editor

Measure for Measure

Measuring success in cyber security is difficult. In the simplest case it can be seen as a binary value – you had a security issue or you did not – but that is not particularly useful and certainly won’t help you to improve your overall security posture. In a world in which metrics drive just about everything, why are security metrics so difficult to identify? The values in cyber security that are most meaningful cannot be measured because they are unknown. We have seen companies report on how many spam emails […]

by Hank Berkley
Contributing Editor

Be Careful What You Ask For

The old cliché, “we are as strong as our weakest link”, applies perfectly to computer security. The implication is that we should invest in improving the awareness, and thus the behaviors, of all our employees. While this may seem like a straightforward training exercise or a reason to implement new security policies, it turns out that it is a lot more complicated than that. As in most endeavors, you need to be aware of unintended consequences. When a new middle school opened in my town the traffic control department feared that […]

by Hank Berkley
Contributing Editor

The Cost of War

Last week we discussed some conclusions that one could form based on a data breach report from the Ponemon Institute. One number we did not highlight was the impact of cyber insurance on losses. Taking that information together with activities taking place in the current marketplace suggests that it may be time to reexamine your insurance coverages and assumptions. In the US, the average data breach included in the report had a cost of $7.9 million. Of that amount, $4.2 million was related to what they refer to as “customer churn”. […]

by Hank Berkley
Contributing Editor

Figures Don’t Lie, But…

More than once this blog has referred to the costs of a data breach as a function of the number of impacted records. For some reason that seems to be the standard measure. The last IBM-sponsored report from the Ponemon Institute suggests that the average global cost per lost record increased from $141 in 2017 to $148 in 2018. But is this a valid metric? You have likely heard of the actuary with one foot in a bucket of ice and the other in scalding water who, on average, was […]

by Hank Berkley
Contributing Editor

Finding the Value

There is only one overarching reason to invest in cyber security. It is to save your company money through cost avoidance. That savings might come from avoiding legal expenses from a data breach or from not paying penalties imposed by regulators. These types of losses are frequently the ones presented to justify security spending as they are the most obvious, but they are not likely to be the ones you should be most concerned about. In the quainter times of a few years ago, people believed in the concept of […]

by Hank Berkley
Contributing Editor

Who You Going to Call?

Despite our best efforts, cyber security is often a reactionary process. We take steps to prevent breaches, but mostly wait for something to happen before we jump into action. If we detect and react quickly enough, we avert a problem or perhaps minimize its impact. The “bad guys” also know their time is limited and behave accordingly. Yet we don’t always prioritize our efforts to tighten the time frames, meaning we aren’t doing everything we can in the area of prevention. As with most professions, there is a wide disparity […]

by Hank Berkley
Contributing Editor

Working in the Department of Redundancy Department

Perfection is not achievable, yet information technology relies upon it every day. Cyber security teams deal with the small imperfections in computer software that inadvertently allow bad actors to cause the software to do things that were not anticipated. These flaws might be in the original design or in the implementation of that design. Regardless of their origins, information security today is all about protecting our assets from hackers who try to take advantage of those weaknesses. Your security team is challenged to block 100% of the attacks on an […]

by Hank Berkley
Contributing Editor

A New Hope

Cyber security does not come cheap and is not great. But that may be changing. Today security is primarily outside of regular business processes. It sits on top of and often interferes with business. Moving security from an external function to an integrated process potentially reduces the costs and improves the product, but we aren’t there yet. Information security is in a separate world in which people speak in acronyms and most of what is done is obscured from all but the most technology savvy people. But there is hope. […]

by Hank Berkley
Contributing Editor

I’ve Got Your Number

A few decades ago Americans were told to safeguard their social security number (SSN) and not to divulge it unnecessarily. Today, after billions of records have been breached, that federal ID is no longer considered to be a trustworthy identifier. Even the government is recognizing that it can no longer rely on it and is implementing other methods to identify people.* But the newer solutions are not without their side-effects. At the root of all cyber security is identity. You need to know WHO is doing something in order to […]

by Hank Berkley
Contributing Editor

The Gig Economy

Volumes have been written about the transformation in the workforce as employees become contractors and companies focus on cutting costs by replacing full-time workers with part-time labor. A lot of this has been presented in a negative light because of the perception that businesses are simply trying to cut corners. While saving money may catch management’s attention, bringing in individuals to work non-traditionally may offer other benefits if it is done correctly. How is this related to cyber security? Read on. When we travel to a distant city, we make […]

by Hank Berkley
Contributing Editor

Trust Me!

Though cybersecurity pundits will make a lot of recommendations regarding steps to make you safer, the truth is that it is not possible to be completely protected. In the complex and integrated world in which we operate we are exposed to so many technical dangers that we survive by placing trust in others. We previously wrote about third-party risk, but focused primarily on vendors and entities with whom you have a transactional relationship. Recently a lot of light has been shed on some parts of your business […]

by Hank Berkley
Contributing Editor

From C to Shining C

Most departments within a business are distinct and wholly intact, which leads to a clear management hierarchy, but technology and its related aspects bring overlap, conflicting goals and confusion. Companies seem to find it particularly challenging to figure out where in the corporate pyramid the Chief Information Security Officer (CISO) fits in. While the title implies a most senior placement, many are justifiably reluctant to place these people near the top. Is there a “right” place for the CISO?* Some industries have seen legislation passed that specifically mentions the title […]

by Hank Berkley
Contributing Editor

Contrary to Popular Belief…

A nationwide network of ATMs in Chile was recently hacked, and while there is not a lot of public information about costs and damages, some of the details about how this came about were released. This week we have decided to use this case as the basis of a fictionalized cyber crime to examine what can be learned at someone else’s expense. The following account is a somewhat embellished version combined with some typical scenarios that we have witnessed. Some of this might seem overly technical – but it is […]

by Hank Berkley
Contributing Editor

Win Some, Lose Some.

The term “risk” as it applies to information security is a bit amorphous, and because of that it may lead one to make some wrong assumptions. One such misconception has to do with the purchasing of cyber insurance. While insurance is considered to be a tool for “risk transfer”, in the case of cyber coverage it really doesn’t do that. What insurance really does is reduce the risk of an unanticipated financial loss. For most companies this means property loss, theft or significant injuries. What it does NOT do is […]

by Hank Berkley
Contributing Editor