Exiting the Cyber-Stranglehold: Here's One Way Out.
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Citing significant risks associated with multiple recent data breaches, Verizon Communications investors have filed a shareholder proposal calling on the company’s board to link senior executive compensation to the effectiveness of its cyber security and data privacy practices. Wow.
While Verizon has long claimed that data privacy and data security are top priorities, the proposal notes, in 2016 the company’s division that helps Fortune 500 companies respond to data breaches suffered a data breach of its own, including information on some 1.5 million customers of Verizon Enterprises.
Verizon’s acquisitions of Yahoo! and AOL – and the company’s plan to combine the firms into a new digital media and advertising company called Oath, with billions of customers – raise additional concerns, according to the shareholders. In October 2017, it was announced that all three billion accounts in Yahoo! had been breached prior to its acquisition by Verizon.
This isn't news to anyone watching, but the message from the shareholders is a departure from the conventional shrugs and yawns that cybersecurity breaches have elicited in the past. It will be interesting to see how far the board will take that recommendation. I, for one, am all for this.
When things go well, the CEO gets a bonus. Why not dock their pay when things go badly? Most companies address cybersecurity from within a reality distortion field. Perhaps this idea will spawn a re-imagining of the ways in which cybersecurity risk has been traditionally addressed.
One common thread to dealing with cybersecurity issues among reality distortion dwellers has been to assign the responsibility for the cybersecurity “problem” to a CISO or to the IT department, and to then assume that the oversight alone will take care of it or make it go away. This is true for all companies, both large and small. Assigning a Chief Information Security Officer (CISO), or formally placing the cyber-risk issues in the hands of the CIO or IT Director does not mean that cybersecurity has been handled.
In fact, it is almost the opposite in that without the executive team and functional heads ensuring that the day-to-day operational risks of cybersecurity are being managed and mitigated by the whole enterprise, the overall risk actually increases. Data breaches and cyberattacks affect the entire enterprise, and not just a single division, business unit, or department. Decisions and actions around the mitigation of these threats shouldn’t be relegated to Information Technology alone.
In his 2019 letter to shareholders, JPMorgan Chase's CEO Jamie Dimon wrote: “The threat of cyber security may very well be the biggest threat to the U.S. financial system." This isn't news to bankers. In Cornerstone Advisors' annual ‘What's Going on in Banking’ study, cybersecurity has been the number one concern of C-level bank and credit union execs for the past few years.
And their money is following. According to Kaspersky, financial services firms spend $1,436 per employee on cybersecurity, more than double what the retail industry spends. Which is truly unfortunate, because that’s the other place all of our sensitive consumer data rests. U.S. retailers actually lead the world in security breaches, according to the 2018 Thales Data Threat Report, Retail Edition. It turns out that U.S. retail data breaches more than doubled since the last report, rising to 50% from 19% in the 2017 survey.
In a truly dubious accomplishment, retail has emerged as the world leader in data breaches.
Additionally, the number of U.S. retailers reporting a data breach is up to 75% with half of those occurring in 2018. Of global retailers, 60% report at least one breach in the past. As a result, U.S. retail is now the second most breached segment analyzed by Thales, trailing the U.S. federal government only slightly (!) and coming in ahead of healthcare and financial services. When you only slightly trail the U.S. government in data breaches, you should know you have a serious problem.
Retailers reporting significant breaches in the recent past included: Macy’s and Bloomingdales, Adidas, Panera Bread, Under Armour, Chipotle, Saks Fifth Avenue, Saks Off 5th and Lord & Taylor. In previous years the list included Kmart, Buckle and Eddie Bauer. Many of the reported breaches involved months-long attacks on point-of-sale systems.
While 84% of the U.S. retailers polled are increasing information technology security spending, which is up from last year’s 77% and exceeds global retail’s 67%, the report indicates that the spending is “in all the wrong places.” In retail, the spending is highest on specific security measures regarded as the least effective.
But don’t take their word for it. One of our clients, a large retail chain where you have undoubtedly eaten this past year, invited us to conduct a fairly narrow penetration test as they were (rightfully) concerned about network vulnerabilities. The effort was seeded with 49 IP addresses, 34 email addresses, and 13 websites. From the initial data, our team was able to discover more sites that led to a presence on their corporate network, and our simulated attackers were able to compromise 50 user credentials and 21 computers. What did they choose to do about it?
Nothing.
The second common thread among reality distortion dwellers has been that only large companies are at risk of cyber-attacks. According to a 2018 report by Hiscox, a small business specialty insurer, 47 percent of small businesses suffered at least one cyber-attack in 2018. Of those, 44 percent experienced two, three, or four attacks in the past year, and eight percent had five or more attacks. That is a lot of attacks. These business owners and executives ranked a cyber-attack as one of the top two concerns for their business, along with fraud. 66 percent of small businesses said they were concerned or very concerned about cyber risk. Yet the vast majority haven’t taken the basic steps to prepare.
Ransomware, spear phishing, malware, drive-by attacks and DDoS attacks are all on the rise. While the cyber-attacks that make the news are often large, it is clear that small businesses are being attacked, too. In fact, small businesses are far more vulnerable to cyber threats than large corporations. Why? These businesses are less likely to have strategies in place to ward off attacks, less willing to spend the insignificant amount of money needed to defend against and detect cyber-attacks, and least prepared and able to reduce the damage after the fact. They are also less able to withstand the net financial impact of a hack or breach, so most of them go out of business within 6 months following an attack.
According to the survey (4,103 professionals responsible for their organization’s cyber security strategy were contacted: 1,000 plus each from the UK, US, and Germany, and 500 each from Spain and the Netherlands), only 16 percent of small businesses are very confident in their cyber security readiness:
1. Strategy. Barely half (52%) of small businesses have a clearly defined strategy around cyber security.
2. Accountability. 23 percent of small businesses have a leadership role dedicated to cyber, whereas most (46%) have no defined role at all.
3. Spend. 72 percent of small businesses spend less than 2% of their IT budget on cybersecurity compared with 6.4% across all size businesses – or – less than 1/3.
4. Willingness to respond. Remarkably, 65% of small businesses have failed to act following a cyber security incident.
6. Training. Less than one-third (32%) of small businesses have conducted any awareness training or phishing experiments to assess employee behavior and readiness in the event of an attack.
7. Insurance. Less than a quarter (21%) of small businesses have a standalone cyber insurance policy, compared to more than half (58%) of large companies.
The amazing irony here is that the average cost of effective anti-virus, Network and Internet security software and service, data backup, encryption, anti-spam, password and server backup solutions is only $42/user per month and $14/device/month. Add in training and cyber-insurance and the whole cybersecurity budget for a 50-person company with 50 devices is a whopping $3,400/month yet will probably eliminate or provide early detection for 98% of cyber-attacks.
That's what an average warehouse worker is paid in Houston this year.
Another shared belief among the folks inside the reality distortion field is that private industry will come up with a set of protective technologies that will finally work against all threats or that the Federal government will implement a standard GDPR-like set of rules that all companies must follow along with some kind of national digital identity scheme that will give everyone a hack proof identity.
Not only is the current political climate not conducive to a national identity effort (immigration control, policy and voting issues), it is a bad idea anyway. As far as holy-grail-ware is concerned, the fantasies about AI/ML technologies leading us to the promised land aren’t about to happen. Our adversaries will always get there faster than we will. For every holy-grail-ware advance, the bad guys will have a better mousetrap built from the same underlying goodies.
One current and instructive example of this dynamic just occurred with biometric identity detection. It turns out that the much-hyped ultrasonic biometric fingerprint scanner in the Samsung Galaxy S10 can be bypassed with nothing more than a duplicated, 3D-printed copy of the phone owner’s fingerprint.
A young hacker just proved this. He photographed his fingerprint from the side of a wine glass with his smartphone, used Photoshop to create an image of just the fingerprint, imported it into his 3D software to build a model, and then printed that model on a piece of resin with his AnyCubic Photon LCD printer. Voila! The square piece of resin containing a 3D model of the fingerprint successfully opened the Galaxy S10.
You don’t need a wineglass either. The prints are all over the phone, so all you need to do is steal the phone itself. In the real world, most banking apps only require fingerprint authentication, so if you have the hardware, software and the phone, all the banking information can be stolen, and all the money can be spent in less than 15 minutes.
We aren’t going to win this war with great technologies alone.
As far as the Federal government doing anything useful in the space, we have never before seen cybersecurity at the forefront of so many federal legislative efforts and conversations as we have so far in this election season. While it’s marginally encouraging to see cybersecurity getting much-deserved attention from politicians seeking the highest office, I’m pretty sure these efforts are doomed to fail.
We need national cybersecurity initiatives that could contribute to strengthening our country’s ability to detect and mitigate cyberattacks against commercial, critical infrastructure or government systems. However, history has shown that standardizing cybersecurity practices at the federal level is … difficult. The reasons are simple. In the legislative branch, more than 80 groups claim some level of jurisdiction over cybersecurity issues. And despite all of the outrage and hearings on the hill after every major breach, Congress has not passed even a single new piece of effective cybersecurity legislation.
For instance, there is no current central Federal mandate that offers protections for personal data in spite of the billions of records containing PII that have been stolen or lost just in the past 24 months. What will it take?
In the meantime, Federal agencies like DHS, the SEC, and the IRS plow ahead with security standards within their own agencies, yet, as is their historical pattern, those models and best practices aren’t being shared with other federal agencies. There is no spirit of “united we stand, divided we fall” among any of the Federal government agencies. That spirit is anathema in Washington D.C. One small and simple example is the fact that, in spite of the DHS’ new Cybersecurity and Infrastructure Security Agency recently demanding that all federal agencies take specific steps to protect the flow of global internet traffic through the Domain Name System, nothing has yet been implemented.
In 2018, 35 states introduced more than 265 cybersecurity bills or resolutions targeting computer crimes, restricting public disclosure of sensitive security information and improving overall government security practices. As we’ve written about in past posts, Ohio has enacted a safe harbor law known as the Ohio Data Protection Act (2018 SB 220) that offers to help companies limit liabilities if they design and enforce policies that protect the security and confidentiality of their data. Under the law, they must guard against risks or hazards that threaten the integrity of their data and they must have measures in place to prevent unauthorized access.
California has also passed its version of the GDPR, known as the California Consumer Privacy Act (CCPA), which purports to give consumers more control over how their data is collected, stored and shared, including the legal authority to tell Google and Facebook to delete their information. Yet even this law is limited to companies that have annual gross revenue in excess of $25 million, process the personal information of 50,000 or more consumers, or derive 50 percent or more of their annual revenue from selling consumers’ personal information. All other businesses are exempt. And that is a lot of businesses.
There are many other examples of similar legislation, but most of those state laws focus on data privacy, not on policies and requirements that lead to more effective security and could help limit damage from attacks. In addition, since each state law differs, it creates a crazy patchwork of measures that will drive the average business crazy trying to figure out how to comply and operate within. And of course, all of them contain weasel exemptions that allow almost all small and medium size businesses to opt out.
The obvious need to share best practices and to expand the boundaries to include actual threat protection and prevention, along with managed risk and an improvement in overall cybersecurity standards, is highly unlikely to be met. So again, the burden is on the enterprise and the enterprise alone. No state or Federal agency is going to rescue us.
To prevail against cyber-threats, we will need the focused effort of everyone in our organizations, all day and every day. It needs to start with leadership at the CEO level and permeate through every functional operating department in the enterprise. It will require fundamental, consistent and repetitive hygiene and education. Until the CEO and the Board attend cybersecurity awareness training along with the guys who haul crap in the warehouse and “Marge, down in accounting”, we will continue to expose critical information assets to risk, without any meaningful ability to prevent or even detect future cyber-attacks.
Just declaring that we are addressing cybersecurity issues and that we have a CISO in place, or checking off compliance boxes, or installing some great new technologies will not work to shield our organizations from today’s cyber-threats. It will require much more than that.
Perhaps linking executive compensation to the efficacy of our cybersecurity and data privacy practices will do the trick. Maybe if a CEO gets docked 50% of their pay every time their organization gets breached, we will be able to start putting an end to this constant cycle of get breached, fire CISO, hire new CISO, rinse, repeat.
We've finally discovered a practical approach to cyber-defense that would absolutely work. But the question is: does any BoD have the courage to implement it?
Cyber Security Professional
5 years
"Maybe if a CEO gets docked 50% of their pay, every time their organization gets breached, we will be able to start putting an end to this constant cycle of get breached, fire CISO, hire new CISO, rinse, repeat..."
At least 10% or more, I think it's a great idea.