Part of Your Security Posture is Making Sure Your Managers Aren’t Jerks

According to the Ponemon Institute’s 2018 Cost of Insider Threats: Global report, of the 3,269 insider incidents that Ponemon investigated, 23 percent were caused by “criminal insiders” (as opposed to careless/negligent employees or contractors, or credential thieves). These malicious insiders can wreak all sorts of havoc, including theft of customer records, trade secrets or competitive information; and they can create enormous liabilities for their employer in the wake of their departure, such as triggering regulatory audits or fines for violating customer privacy.

So, why do employees become malicious and what can be done about it? Reviewing advice from a variety of sources reveals that most of that advice focuses on checking employees: check their background before they’re hired, monitor their behavior for signs that they might become malicious, and so forth. However, Osterman Research believes that companies should also focus heavily on their managers and monitor their behavior. For example, do managers in your company berate employees in front of their peers? Do they give them poor performance evaluations that are not justified? Do they demonstrate that they have “favorites” among their subordinates? Do they enforce company policies differently for some employees than they do for others? Do they insult their employees? In short, how well do your managers treat those that they manage?

Understanding management behavior is key. A study from several years ago by the law firm Drinker Biddle and Reath found that employees who are treated poorly by their managers will be more likely to commit fraud, intentionally breach data, and otherwise violate corporate policies.

What should employers do? There are several things:

  • Monitor managers’ email and collaboration accounts to uncover instances of morale-destroying behavior.
  • Monitor their personal social media accounts to uncover posts that undermine employees, the company or others.
  • Conduct anonymous employee surveys to get some honest opinions about how managers are treating their subordinates.
  • Monitor employee accounts for signs that their managers are treating them badly.

Of course, the goal is not to conduct a witch hunt or to undermine the morale of corporate managers. But bad managers create bad employees, and that significantly increases a company’s risk profile.

How Do You Decide on a Cybersecurity Vendor?

Kevin Simzer, Chief Operating Officer at Trend Micro, wrote an interesting blog post entitled My Takeaways from Black Hat ’19. Among the good points he makes is this one:

“With some ~3,000 vendors, the [cybersecurity] industry is making it so hard for decision makers to keep a clear view of the problem they are out to solve.”

That’s almost an understatement. At a show like Black Hat, RSA or InfoSec, for example, no more than about 20 percent of cybersecurity vendors exhibit, and so there are another 80 percent of the available solutions that just aren’t available for evaluation by attendees. And, at a show like RSA (which had 624 vendors exhibit in San Francisco earlier this year), spending just five minutes at each booth to learn what was on offer would mean you’d spend 52 hours on the show floor — and the expo isn’t open anywhere near that long.

So, as a security professional, what do you do? You can learn as much about security solutions as you can through conferences, vendor briefings, webinars, analyst reports and the like. But even then, you’ll just be scratching the surface of what’s available. Another response is to consolidate on a much smaller number of vendors to avoid the problems associated with evaluating large numbers of solutions and figuring out how to integrate and manage them. For example, at one of the briefings I had at Black Hat, a leading vendor told me that one of their clients is attempting to consolidate their current crop of 40 security vendors down to just two. That carries with it its own set of difficulties, since a consolidation project like this — and finding just the right two vendors — could be tougher than having too many.

Compounding the problem is that many security vendors offer somewhat contradictory messages based on different philosophical approaches to security.

So, as a security professional, what do you do? I’d like to hear how you approach the problem for your organization. Please email me at michael@ostermanresearch.com, or text or call me at +1 206 683 5683.

Are You Paying Attention to SOT and HOT?

Everyone in the cybersecurity space is very familiar with Information Technology (IT), but far fewer are as familiar with Operational Technology (OT) – software and hardware that focuses on control and management of physical devices like process controllers, lighting, access control systems, HVAC systems and the like.

However, cybersecurity professionals should familiarize themselves with OT because it is having an increasingly serious impact on their IT solutions and on their corporate data. Here are two of the several aspects of OT to consider:

Shadow OT (SOT)

Most of us are familiar with “Shadow IT” – individual users or departments employing their own mobile devices, mobile applications, cloud apps, laptops and other personally managed solutions to access corporate resources like email and databases. This phenomenon/scourge/blessing/reality has been with us for more than a decade and is generally well accepted by the IT community. But relatively new on the scene is “Shadow OT” – the use of Internet of Things (IoT) solutions in the workplace. For example, some businesses will employ consumer-grade solutions like routers, security cameras and lights in a work environment, introducing a number of vulnerabilities that are more common in consumer-focused IoT solutions than they are in industrial-grade solutions. Because consumer-grade IoT products are developed by manufacturers who are under enormous price pressure and will sometimes employ temporarily contracted teams to create these devices, the consideration of security in the design process, not to mention the ability to upgrade and patch these devices, is not common.

Because consumer-focused IoT solutions often will have vulnerabilities, they can create enormous security holes when used in the workplace. For example, as discussed at Trend Micro’s Directions ’19 conference earlier this week in a session hosted by Bill Malik (@WilliamMalikTM), a New Jersey hospital installed Bluetooth-enabled monitoring pads in its 2,000 beds to detect patient movement and dampness that would signal a patient needing a nurse’s attention. Doing so makes sense – using technology like this frees nurses from the task of going room-to-room to check patients who need no help, allowing nurses to spend more time on other, more critical tasks. And, they were able to implement the solution for about $120,000 instead of the $16 million that would have been required to use FDA-approved beds that offered the same functionality. But these consumer-oriented devices very likely have major security vulnerabilities that could allow an attacker to access critical medical systems like insulin pumps and patient monitors, not to mention the hospital’s patient records that are valuable to bad actors.

Home OT (HOT)

Another important issue to consider is the use of OT in the home. Many employees work from home either occasionally or full time and they often do so in an environment populated by Internet-connected thermostats, baby monitors, game systems, voice-enabled home automation systems, security cameras, lights, alarm systems, wearables, refrigerators and the like. Here again, these often insecure solutions typically have numerous security vulnerabilities and access the home Wi-Fi network – the same one the employees use to connect their laptop and desktop computers to enterprise email and other corporate data sources. And, because all of these devices in the home connect through the same gateway, a bad actor’s access to one device exposes everything else on the network – including corporate devices – to unauthorized access and control.

The solutions to these issues won’t be easy. It’s tough to convince decision makers, as in the case of the hospital noted above, to spend 100+ times more on secure technology when they barely have the budget for what they can afford now. And it’s virtually impossible to require employees to disconnect the IoT devices in their homes while they’re working there. However, there are some things that can be done, such as using firewalls, monitoring solutions, VPNs and the like to make things more secure in the short term. Longer term security will require a change in design focus, as well as user education focused on being careful about using an ever-expanding array of OT devices, among other things.

A Shift from Public to Private Clouds?

At Dell Technologies World, Jeff Clarke made the point that 40 percent of workloads in the cloud today will migrate back to on-premises, private clouds in the future. On a related note, Pat Gelsinger made an interesting point in the Tuesday keynote that hybrid is not the future, but is the present and for three simple reasons:

  1. The law of physics: if you need 50-millisecond latency, you can’t afford a public cloud experience that provides 250-millisecond performance.
  2. The law of economics: hybrid cloud will often be cheaper than public cloud.
  3. The law of the land: compliance regulations will dictate that at least some data and infrastructure must remain on-premises.

They make a good point. Lots of companies went to the public cloud because it was easier, not because it was cheaper. For example, moving workloads to the public cloud is easier than evaluating, funding, deploying, configuring and maintaining the on-premises infrastructure needed to support those same workloads. That’s especially true in organizations that have a difficult time finding and/or affording the IT, security and other staff members who need to be involved in on-premises deployments.

In the short run, the public cloud is much cheaper than on-premises solutions and it can be cheaper in many cases over the long run, as well. Plus, if you need tremendous flexibility and need to spin up and take down capacity quickly, the public cloud is a great option. But here are some things to consider when using the public cloud:

  • While in the short run the public cloud is cheaper, it might not be in the long run. Good cost modeling is essential as part of the decision-making process.
  • If you’re using public cloud applications (e.g., Office 365) you can’t avoid upgrades. In the days when Exchange Server was the norm for business-grade email, many organizations skipped an upgrade because of the difficulty and cost associated with doing so. That doesn’t happen with public cloud applications.
  • Many public clouds offer great performance, but the laws of physics still apply. Connecting to a cloud 500 feet away from your office will (almost) always be faster than one 500 miles away.
  • Most leading public cloud providers do a good job at protecting data. And many of the biggest data breaches over the past several years have been from on-premises infrastructure. However, there is still something to be said for having your critical data assets, backups, etc. held on your own premises.
  • Bandwidth considerations are important today and will be more so tomorrow, and so should always factor into the decision about where data and solutions will reside.

None of this means that the public cloud should go or is going away. It plays an increasingly essential role for most organizations and will continue to be important moving forward, not least because of its tremendous flexibility for a wide range of use cases. But consider everything related to the use of public clouds versus private clouds, not just the simplicity of deployment or the initial cost.

Archiving as a Customer Service Tool

We live in a suburb of Seattle and, like most of us who live in Western Washington, we have lots of trees in our neighborhood. One of the consequences of our winter storms is that our trees lose a number of limbs. To get rid of the tree debris each winter, about 16 years ago we and our neighbors purchased a gas-powered chipper from a company in northwestern Vermont called Country Home Products.

A pulley on the chipper shattered and I needed to order a new one. I tried to purchase a replacement part locally, but was told to contact Country Home Products directly, which I did. I didn’t remember the model number of the chipper and I didn’t have a part number for the broken pulley. However, I told the rep our address and that the broken pulley “was the larger one on the right as you face the housing.” He quickly brought up our purchase record from their database, knew the exact model of chipper we had purchased, and knew exactly what part we needed. The part was shipped and it was the right one.

We hear lots about archiving for purposes of regulatory compliance, litigation support, eDiscovery and the like — mostly defensive reasons just in case we need old data to satisfy a regulatory audit or address a legal action. But archiving can also be used as a customer service tool. In my case, a vendor’s customer service rep was able to immediately access my records from 16 years earlier and he knew more about my purchase and the specific replacement part I needed than I did.

That’s the kind of service that satisfies customers and builds brand loyalty — enabled because someone opted to keep their customer records in an easily accessible archive.

The Demise of the A380

The Airbus A380 is an amazing airplane and an engineering marvel – it’s the largest commercial aircraft currently flying, able to carry up to 868 passengers in a one-class configuration (although the typical three-class configuration carries 544 passengers). The plane is quiet, it’s comfortable and passengers like it. It can reduce airport congestion, since one A380 with 544 passengers will require less airport footprint and fewer resources than the three A320s that would carry the same number of passengers.

And yet, Airbus announced this week that it will cease production of its flagship A380 in 2021, just 14 years after its first commercial flight in 2007. Contrast this with the Boeing 747, which flew its first commercial flight in January 1970 and is still in production (albeit now only as a freighter and as two new Special Air Mission/Air Force One aircraft to be delivered in 2024), giving it a production life of at least 54 years.

So, why the demise of the A380? There are a number of reasons, including the logistical difficulties associated with producing the aircraft’s components in four countries across Europe and transporting them for final assembly in Toulouse, France; the high cost of the aircraft (~$445 million); the limited number of airlines that have purchased it (only 16 have ordered, and only 13 fly); the high cost of modifying airport terminals to accommodate it; and the introduction of highly fuel-efficient aircraft like the Boeing 787 and Airbus A350.

The A380 was designed to accommodate the hub-and-spoke model of air travel: fly large numbers of passengers to a central hub like London or Dubai, and then put those passengers on several smaller planes to their final destination. In contrast, aircraft like the 787 and A350 were designed more for point-to-point flights, making routes like Minneapolis to Lisbon financially viable. To be fair, the A380 was conceived before the 787, A350 and other, more fuel-efficient aircraft were available, but Airbus simply made the wrong decision about the future of air travel and was woefully optimistic in its forecasts: the company predicted in 2000 that 1,235 “very large aircraft” would be delivered from 2000 to 2019, but orders and deliveries of the A380 have been just 313 and 234, respectively, through last month. That’s a revenue miss of roughly $410 billion!

In my opinion, the A380’s demise boils down fundamentally to a single question: as a passenger, would you rather take one flight or two to get to your destination? Airbus seems to have answered that question with “two”, while a large proportion of the flying public and most airlines answered “one”.

In my own case, I would rather not make a connection through a large and busy airport if it’s at all possible to avoid it and I will go out of my way – and pay more – to take a flight without connections. I realize that many people will opt for cheaper, connecting flights, but they carry with them some fairly high costs: for example, a dated study commissioned by the FAA found that in 2010, missed connections cost passengers $1.5 billion each year.

The inconvenience of needing to make connections, as well as the lost productivity and opportunities that sometimes result, is not something that most business travelers, and many leisure travelers, are willing to accept. It’s one of the key reasons that we will see no new A380s produced after 2021.

Should You Rent or Buy Your Email and Productivity Apps?

Microsoft dominates the business email and desktop productivity markets. Over the past few years, the company has been pushing hard to move its user base for both to Office 365 and away from Exchange Server and desktop versions of Office. The push has intensified in recent months to the point where the company is now telling customers not just to adopt Office 365, but also not to use non-Office 365 solutions. For example, as noted in this article, the Microsoft corporate VP for the Office and Windows group said that the various applications in Office 2019 are “frozen in time. They don’t ever get updated with new features”. By contrast, Office 365 keeps “getting better over time, with new capabilities delivered every month.” It makes one wonder why Microsoft bothered to produce Office 2019, but that’s a subject for a different post.

Perhaps telling people not to use your products is the natural consequence of having such a dominant market share that the only competition left for your new and shiny products is your old and dull ones.

The key for decision makers, then, is to determine if the “new capabilities delivered every month” in Office, coupled with the reduced IT labor required to manage corporate email, is worth becoming a renter in perpetuity rather than a buyer.

To compare the costs of renting versus buying for a 50-person company, we priced two competing systems:

  1. MDaemon Server (including MDaemon AntiVirus, MDaemon Connector for Outlook, MDaemon ActiveSync and MailStore email archiving) and Office 2019 Home & Business.
  2. Various flavors of Office 365 (Office 365 Business Premium, Office 365 Enterprise E3 and Office 365 Enterprise E5).

Using only publicly available pricing on the MDaemon, Office 365 and Amazon.com web sites, here’s the annual pricing to support 50 users with business email and productivity applications over a three-year period:

  • MDaemon and Office 2019: $114.68 per user per year
  • Office 365 Business Premium: $150.00 per user per year
  • Office 365 Enterprise E3: $240.00 per user per year
  • Office 365 Enterprise E5: $420.00 per user per year

Of course, the primary advantage of any cloud-based solution is the reduction in IT labor realized from not having to manage on-premises infrastructure. But productivity applications don’t need significant levels of IT support, and most on-premises email solutions for small companies, as in our 50-user example, don’t either.

Please understand that this is not meant to disparage cloud-based solutions. Osterman Research is a strong proponent of the cloud for productivity solutions, CRM, security, archiving and a wide variety of other capabilities, and we are also a strong proponent of Office 365. But when making decisions, it’s important to understand where to rent and where to buy — buying is still not a bad business decision in some cases.


Bartering our Privacy

Many years ago I worked for a brilliant man, an industry analyst who did groundbreaking work in developing models for delivering broadband services to residential customers. I recommend you check out his current company, DEEPfutures.

Last August, he wrote a post on LinkedIn discussing new business models for Internet services. It’s a good read, but I disagreed with a key point that he made about the business model of presenting ads based on personal data:

“That business model is an unequal barter. In old-style, traditional barter, a farmer might trade a sheep and two chickens to have the barn roof repaired: both sides would have calculated the value and benefit. In our unequal barter, we trade all our personal information for…cat videos [and] free-to-us online services: Gmail, Facebook, Whatsapp, Twitter, etc. It’s unequal in that we, the users, have no say over or insights into the value the adtech giant firms abstract from our data. It’s also unequal in that all people’s data, mine, yours, a billionaire banker’s, a poor farmhand’s, are traded for the same “free” service, although our data clearly have different utility and value to the adtech companies and their customers.”

I disagree with this statement in two key areas:

  1. “It’s unequal in that we, the users, have no say over or insights into the value the adtech giant firms abstract from our data.” Yes, it may be unequal, but it’s certainly not unfair. In the old-style barter system, we assume that the farmer traded his sheep or chickens to the roof repairer so that the latter could feed his family. But what if the roof-repairer had discovered a way to make chickens lay golden eggs and he could generate millions of dollars in income going forward? That’s still not an unfair barter, since the farmer received something valuable — a now leakproof roof — in exchange for something he considered valuable. In the same way, companies like Google, Facebook and others who give us cat videos or apps in exchange for our data are providing something of value — we don’t lose in the bargain if they are smart enough to turn our data into something more valuable than we consider it to be when we hand it over.
  2. “It’s also unequal in that all people’s data, mine, yours, a billionaire banker’s, a poor farmhand’s, are traded for the same “free” service, although our data clearly have different utility and value to the adtech companies and their customers.” Here again, that doesn’t really make the barter unfair — if adtech companies find more value in a billionaire banker’s data than they do in the data from a farmhand, but are willing to provide the same free services to both, that’s not really unfair to the banker or farmhand. These individuals, as well as the adtech companies, are willing to enter into a barter relationship for something they each perceive to be of value.

This should not be interpreted as any kind of defense of Google, Facebook or others who have clearly demonstrated that they often play fast and loose with others’ data. Nor is it a defense of adtech companies and others that take your data without permission. For example, TechCrunch has found that companies like Air Canada and Hotels.com will record your mobile phone interactions, sometimes without permission. That’s not barter, since something of value has been taken from you without your consent in exchange for nothing in return.

Instead, I believe the fundamental problem is that too many aficionados of cat videos and various types of “free” apps place too little value on their privacy. They are too quick to hand over their data without first considering the consequences of doing so. The transaction is fair, but the adtech companies are thinking critically about what they can do with data owned by people who don’t think critically about entering into a relationship with them.

Any unfairness in the bartering between individuals and adtech companies will be solved only when the former begin to think seriously about the implications of handing over data without first considering the consequences.

Some Ideas, Other than Fines, to Reduce Data Breaches

An idealist might view the European Union’s General Data Protection Regulation (GDPR) as an effective means of reducing the number of data breaches by imposing massive fines on those who lose control over the private data of EU residents. A cynic might view the GDPR simply as a means for the EU to make lots of money from those who violate it, while not having much impact on reducing the total number of data breaches.

The truth might lie somewhere in the middle.

In terms of good news about the efficacy of the GDPR, Cisco recently released a report showing that only 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May, compared to 89 percent of non-GDPR-ready organizations that suffered a breach during the same period.

The bad news is that 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May.

Corroborating the fact that data breaches are still running rampant is a DLA Piper report showing that more than 59,000 data breaches occurred in Europe during the eight months since the GDPR went into effect, or roughly 10 breaches per hour. The DLA Piper data shows that data breaches are significantly more common than the 41,502 breaches reported by the European Commission for the same period.

The continuing high rate of data breaches should not be used by corporate decision makers as an excuse for not complying with the GDPR. Every organization should do so for a couple of reasons: first, it’s the law and decision makers should comply with the law. Second, becoming GDPR-compliant will make organizations and the data they process and control safer and less likely to be breached.

Plus, complying with the requirements of the GDPR is a good idea because they make sense: encrypt data, keep it only for as long as you need it, ensure that third parties that have access to data comply with good data governance practices, enable data owners to have control over information about them, and so forth.

What might not be such a good idea is imposing massive fines on companies for data breaches because big fines often don’t work. For example, in 2015 five US banks were fined $5.6 billion for their role in colluding to manipulate interest rate and currency markets, yet some concluded that the fines had little impact on the future behavior of these institutions. In January of this year, Google was fined €50 million (~$57 million) in France for GDPR violations, or about 0.04 percent of the company’s 2018 revenue – a drop in the bucket for a company this large. Even at a personal level, huge fines have little impact: for example, in 2014 the State of Illinois imposed new anti-littering laws that, for a third offense, impose a fine of $25,000 and a felony conviction on the offender. The result in the first three months of the new law was that very few citations were issued.

So, what might be a more effective way to reduce data breaches and increase compliance with privacy regulations like the GDPR? Here are three ideas:

  1. Every time a breach occurs, require offending companies to pay for 1,000 randomly selected victims to be flown first class to an exotic location — perhaps a very nice hotel for a long weekend — where victims can meet in a public forum and air their grievances with executives of the company that lost their data. Also require that the event be recorded and made available on the home page of the offending company’s web site for one year following the event. This would allow executives to meet their victims face-to-face and learn first-hand of the pain their carelessness has caused.
  2. Require the CEOs from offending companies to take a three-month sabbatical following a data breach, not allowing them to participate in the day-to-day activities of running their companies.
  3. Instead of imposing fines on offending companies, require that these companies spend the same amount on technologies, processes, training, etc. to ensure that their data processing practices are improved so as to prevent future data breaches. The spending plan and expenses could be monitored by a third-party consulting firm not connected with the offender.

While these ideas certainly won’t prevent all future data breaches, they might be more effective than slapping offenders with big fines that dissipate into a government bureaucracy.

How Secure Can Your Company Be?

Last week, Cisco released an interesting report entitled Maximizing the value of your data privacy investments. Among the various findings from the in-depth, 18-country survey discussed in this report is that organizations that are mostly or completely enabled to satisfy the compliance requirements of the European Union’s General Data Protection Regulation (GDPR) had a significantly smaller number of data breaches during the past year than their counterparts that are least prepared to satisfy the requirements of the GDPR.

On one level, that’s good news: 89 percent of organizations that are not yet ready for GDPR experienced a data breach, while only 74 percent of GDPR-ready organizations experienced a breach. Clearly, GDPR is having a positive impact on data security.

Then again, that’s not particularly good news: even after going to the significant expense and difficulty associated with GDPR compliance, 74 percent of organizations still experienced a data breach! Of course, we would expect that figure to drop in the future given that the GDPR went into force only about eight months ago, but three in four GDPR-ready organizations still experiencing a data breach is very high.

This kind of result prompts a bigger question: just how secure can any organization realistically be? Given that we face a well-funded, intelligent, and collaborative set of adversaries in the cybercriminal community that will always have a guaranteed advantage (we need to protect every point of ingress while they need to break into just one), what is the lowest possible number of data breaches, malware infections, account takeovers, successful DDoS attacks, etc. that we can ever hope to achieve? Could a large organization not experience even one data breach in the course of a year? Could it not experience even a single malware infection? Could it prevent every insider threat? Could every CFO recognize every CEO Fraud attempt?

Probably not. So what is the target at which we’re aiming? A senior executive team or board of directors that is asked by the CIO for a 20 percent budget increase to improve security probably should know what they can expect to gain from that kind of investment. A vendor marketing a new technology to combat CEO Fraud or account takeovers would find it beneficial to their sales and marketing efforts if they could provide some concrete metrics about what their prospective customers could hope to gain by implementing their solution. Vendors of security awareness training would be well served by being able to report an X-percent reduction in successful phishing or ransomware incursions after employees were properly trained.

In short, it’s highly unlikely that any organization will ever reduce the success of cybercriminals’ efforts against them to zero. But what can we reasonably expect to achieve?