How to Get C-suite Support for Insider Threat Prevention

April 6, 2016

By Susan Richardson, Manager/Content Strategy, Code42

If you’re not getting support and adequate funding from the C-suite to address insider threats, a recent report highlights a powerful persuasive tool you may have overlooked: money—as in fines (cha-ching), lawsuits (cha-ching) and credit monitoring services (cha-ching) you’ll have to pay as the result of a data breach.

The IDC report, “Endpoint Data Protection for Extensible DLP Strategies,” cites two health-care groups that paid six figures each in fines for data breaches as a result of improper employee behaviors. Here are even more powerful examples of the price your organization could pay for not addressing insider data security threats:

Target insider breach costs could reach $1 billion
Target may have skirted an SEC fine, but the retailer is still paying a hefty price because cyber thieves were able to access customer credit card data via a subcontractor’s systems. Breach costs included $10 million to settle a class action lawsuit, $39 million to financial institutions that had to reimburse customers who lost money, and $67 million to Visa for charges it incurred reissuing compromised cards. For 2014, Target had $191 million in breach costs on its books; estimated totals could reach $1 billion after everything shakes out.

AT&T fined $25 million for employee breach
In 2015, AT&T paid a $25 million fine to the Federal Communications Commission after three call center employees sold information about 68,000 customers to a third party. The cyber thieves used the information to unlock customers’ AT&T phones.

On top of the fine, AT&T was required to do things it should have done in the first place:

  • Appoint a senior compliance manager who is a certified privacy professional.
  • Conduct a privacy risk assessment.
  • Implement an information security program.
  • Create a compliance manual and regularly train employees.
  • File regular compliance reports with the FCC.

AvMed paid $3 million in settlement
While the health plan company avoided a HIPAA fine, it paid $3 million in settlements to 460,000 customers whose personal information was on two stolen, unencrypted laptops. On top of that were costs to reimburse customers’ actual monetary losses.

In addition, the company had to:

  • Provide mandatory security awareness and training programs for all company employees.
  • Provide mandatory training on appropriate laptop use and security.
  • Upgrade all company laptops with additional security mechanisms, including GPS tracking technology.
  • Add new password protocols and full-disk encryption technology on all company desktops and laptops so that electronic data stored on the devices would be encrypted at rest.
  • Upgrade physical security to further safeguard workstations from theft.
  • Review and revise written policies and procedures to enhance information security.

The lesson here should be obvious. It’s far cheaper to act now—by implementing available endpoint protection technology and instituting a security-aware culture—than to wait for a breach that forces you into action.

As security expert Philip Lieberman noted in the AT&T case, the penalty cost AT&T much more than the steps it should have taken to prevent the insider breach: “The C-level staff will have to explain this to the board as to why they did not implement a control when the cost would be trivial.”

To learn more about “Endpoint Data Protection for Extensible DLP Strategies” get the IDC analyst report.

Don’t Let Your Cloud Security Strategy Get Railroaded by Old Thinking

April 4, 2016

By Player Pate, Senior Manager/Product Marketing, Cisco Security Business Group

The standard gauge used for railroads (that is the distance between the rails) in the U.S. is four feet, eight and a half inches, which is an odd number however you look at it. The history behind it is even stranger and is a cautionary tale of assumptions and the consequences of basing decisions on old thinking.

That oddly sized gauge was borrowed from the English standard of railroad width, where they built railroads with the same tools they used to build wagons, which used that wheel spacing. And the wheel spacing had to be that width because that was the spacing of the wheel ruts that existed at the time in the roads throughout England.

So who created those?

Roman chariots created the wheel ruts in the roads when they occupied England some two thousand years ago. These Roman war chariots were built just wide enough to accommodate the rear-ends of two horses, which just happened to be…you guessed it: four feet, eight and a half inches wide. This created the standard gauge that is still used today.

Ok, so where’s this heading?

The space shuttles used in modern day space exploration carried two large booster rockets on the sides of their main fuel tanks. These rockets, called solid rocket boosters or SRBs, which gave the spacecraft initial thrust upon launch, were built in a factory in Utah. The engineers of the SRBs would have preferred to make them larger, but the SRBs had to be transported by train from the factory to the launch site. That railroad line ran through a tunnel in the Rocky Mountains and the SRBs had to fit through that tunnel. The tunnel is only slightly wider than the railroad track, and the railroad track, as we now know, is only about as wide as the hindquarters of two horses.

Say that again?

A primary constraint in the design of one of the most advanced transportation systems ever developed was determined more than two thousand years ago by two horses’ asses.

Interesting, but what’s that have to do with cloud security?

That is the danger of getting caught in the rut of the same old thinking. There’s danger in thinking about security in the old way when it comes to securing cloud infrastructure. Cloud security can’t be solved with legacy security technologies or siloed approaches to security. Cloud security must be as dynamic as the nature of the cloud itself and should address the issues of:

  1. Keeping valuable data secure in the data center or wherever your cloud is hosted;
  2. Securing applications and data in the cloud;
  3. Enabling secure access anywhere, to anything for the mobile user or IoT;
  4. Consistently protecting against threats across the data center, cloud and wherever users roam before, during, and after attacks; while
  5. Providing visibility across the entire spectrum to enforce governance and compliance.

Cloud security doesn’t require simply the deployment of a separate application or new technology. Nor does it require you to completely scrap your existing infrastructure. It is an extension of your entire security program where security is embedded into the intelligent network infrastructure, integrates with a rich ecosystem of applications and services, is pervasive across the extended network – not just networks themselves but all endpoints, mobile and virtual, that extend to wherever employees are and wherever data is…from the beating heart of the enterprise data center out to the mobile endpoint and even onto the factory floor.

Think of the journey to cloud security adoption as your chance to take off into space; when planning the size of your rockets, are you imagining all the new possibilities or limiting your opportunities by what we’ve always done? Hopefully the cautionary tale of the history of US railroads helps you expand your thinking.

Check out our Cisco Business Cloud Advisor adoption tool to evaluate the overall readiness of your organization’s cloud strategy, including from a security perspective. Also stay tuned to this blog as we dig further into this topic.