7 Common Breach Disclosure Mistakes

Dark Reading | December 7, 2018

When a breach happens, speed and clarity are vital, adds Mike Lloyd, CTO at RedSeal. Organizations that have fared badly after a breach have always been the entities that mishandled the disclosure, took too long to disclose, miscommunicated the details, or tried to cover up the issues, he says.

“There is always a surprise factor when you realize someone has broken in, but the better you know your own organization, the faster you can respond,” Lloyd says.

Building a Cyber Resilience Plan: Insights and Tactics

Government Technology Insider | November 14, 2018

With Dr. Mike Lloyd, RedSeal CTO

In part one of our discussion with Dr. Mike Lloyd of RedSeal, he shared the steps that form the basis of a cyber resilience plan, steps agencies can take to limit – and recover from – the impact of a cyberattack. Continuing the discussion, Lloyd drills deeper into steps any organization can take to become more resilient.

Cyber resilience: not just bouncing back, but a strategy for effective cyber defense

Government Technology Insider | November 8, 2018

With Dr. Mike Lloyd, RedSeal CTO

Most discussions of cybersecurity focus on prevention rather than on cyber defense. But the unfortunate reality is that some attacks will succeed no matter how well you’ve protected your networks. The question then becomes: just how quickly can you get back online and back to business?

For the Government Technology Insider podcast, we asked Dr. Mike Lloyd, Chief Technology Officer for RedSeal about how to achieve “digital resilience” – the ability to prepare for and recover from a cyber attack.

Using cyber insurance to run virtuous circles around cyber risk

Computer Fraud & Security Magazine | October 2018

By Dr. Mike Lloyd, Chief Technology Officer

In 2016, the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, concluded that each of the 383 companies it surveyed had a “26% probability of a material data breach involving 10,000 lost or stolen records” within the “next 24 months”. Work this out over the long term, not for two years but for the projected life of your business, and you must accept the certainty of a data breach just as you accept the certainty of death and taxes. Breaches will happen. They will happen to you.

Is AI Resilient Enough for Security?

SIGNAL Magazine | October 22, 2018

By Dr. Mike Lloyd, RedSeal CTO

Machines need to be hard to fool and reliable under pressure.

Artificial intelligence can be surprisingly fragile. This is especially true in cybersecurity, where AI is touted as the solution to our chronic staffing shortage.

It seems logical. Cybersecurity is awash in data, as our sensors pump facts into our data lakes at staggering rates, while wily adversaries have learned how to hide in plain sight. We have to filter the signal from all that noise. Security has the trifecta of too few people, too much data and a need to find things in that vast data lake. This sounds ideal for AI.

“Zero Trust” Is the Opposite of Business

Infosecurity Magazine | September 14, 2018

By Dr. Mike Lloyd, RedSeal CTO

The term zero trust has been cropping up a lot recently, with even a small conference devoted to the topic. It sounds like an ideal security goal, but some caution is warranted. When you step back and consider the reason security is important – keeping organizations running – it’s not so clear that zero trust is really what we want.

I see the label zero trust as an over-reaction to the challenges we face in security. To the extent that the term means “be less trusting”, I agree. Look at our lack of success in stopping breaches.

Which is more valuable – your security or a cup of coffee?

The drumbeat of media coverage of new breaches continues, but it’s useful sometimes to look back at where we’ve been.  Each scary report of so many millions of records lost can be overwhelming.  It certainly shows that our network defenses are weak, and that attackers are very effective.  This is why digital resilience is key – perfect protection is not possible.  But each breach takes a long time to triage, to investigate, and ultimately to clean up; a lot of this work happens outside the media spotlight, but adds a lot to our sense of what breaches really cost.

Today’s news includes a settlement figure from the Anthem breach from back in 2015 – a final figure of $115 million.  But is that a lot or a little?  If you had to pay it yourself, it’s a lot, but if you’re the CFO of Anthem, now how does that look?  It’s hard to take in figures like these.  So one useful way to look at it is how much that represents per person affected.

Anthem lost 79 million records, and the settlement total is $115 million.  This means the legally required payout comes out to just a little over a dollar per person – $1.46 to be exact.

That may not sound like a lot.  If someone stole your data, would you estimate your loss to be a bit less than a plain black coffee at Starbucks?

Of course, this figure is only addressing one part of the costs that Anthem faced – it doesn’t include their investigation costs, reputation damage, or anything along those lines.  It only represents the considered opinion of the court on a reasonable settlement of something over 100 separate lawsuits.

We can also look at this over time, or over major news-worthy breaches.  Interestingly, it turns out that the value of your data is going up, and may soon exceed the price of a cup of joe.  Home Depot lost 52 million records, and paid over $27 million, at a rate of 52 cents per person.  Before that, Target suffered a major breach, and paid out $41 million (over multiple judgements) to around 110 million people, or about 37 cents each.  In a graph, that looks like this:

[Graph: Which is more valuable – your security or a cup of coffee? Settlement cost per affected person for Target, Home Depot and Anthem.]

Note the escalating price per affected customer. This is pretty startling, as a message to the CFO.  Take your number of customers, multiply by $1.50, and see how that looks.  Reasonably, we can expect the $1.50 to go up.  Imagine having to buy a Grande Latte for every one of your customers, or patients that you keep records on, or marketing contacts that you track.  The price tag goes up fast!

Russia’s Alternate Internet

New York Magazine | July 13, 2018

By Dr. Mike Lloyd, RedSeal CTO

Russia has nearly completed an alternative to the Domain Name System — the common “phone book” of the internet that translates numerical IP addresses to readable text like “Amazon.com” and “NYMag.com.” When implemented, the DNS alternative could separate Russia and its allies from the rest of the connected internet — a possibility that, however remote, has experts worried about a “balkanization” of a global network.

Last November, the Russian Security Council announced its ambition to create an independent internet infrastructure for Russia and the other members of BRICS (Brazil, India, China, and South Africa). According to reports, the Russian government sought to create the alternative internet to protect itself from American and Western manipulation of internet services and avoid “possible external influence.” (Sound familiar?)

Security Lessons From Crazy-Busy Airports

Forbes | July 9, 2018

By Dr. Mike Lloyd, RedSeal CTO

I found myself in London Heathrow recently with a few hours to kill. I’d heard about a big political brouhaha rumbling along about adding a third runway, but there are lots of competing pressures — from the economic to the environmental and everything in between. So I decided to spend my down time looking into that. Just how badly does Heathrow need another runway?

After reading a good piece in Wired, this amateur pilot found the statistics intense: Heathrow functions at almost 99% capacity, essentially packing in as many people as the airport can take, with a landing or takeoff taking place every 45 seconds. Forty-five seconds might sound like there’s still some room for error, but from my point of view, it’s far from it. I’m not allowed to land the small planes I fly for three minutes after a big jet takes off or lands due to the dangerous turbulence they leave in their wake. If I wanted to land at Heathrow, it would have to make a huge gap, canceling landing clearances for at least three big jets. That would inconvenience many hundreds of people. What’s worse, at these use levels, the ripple effects could last all day.

As a security professional, I found a behind-the-scenes aspect of the story most interesting — specifically, the approach taken to ensure resilience.

The Biggest GDPR Mistake U.S. Companies Are Making

Forbes | June 12, 2018

By Dr. Mike Lloyd, RedSeal CTO

The General Data Protection Regulation (GDPR) zero-hour has finally arrived — enforcement started May 25, 2018. As with students cramming for a midterm, I witnessed a flurry of activity from U.S. businesses once the deadline forced people to pay attention, knuckle down and study.

When students cram for a test, they take any shortcuts they can, and that can make for predictable errors, especially any time there is a mentally comfortable answer that happens to be wrong. Psychologists even have a term for this — they call it “availability bias.” In a nutshell, this is our built-in tendency to assume something is right when it’s easy to recall, or that something is wrong just because it’s harder to remember.