The term zero trust has been cropping up a lot recently, and there has even been a small conference on the topic. It sounds like an ideal security goal, but some caution is warranted. When you step back and consider the reason security is important – keeping organizations running – it’s not so clear that zero trust is really what we want.
I see the label zero trust as an over-reaction to the challenges we face in security. To the extent that the term means “be less trusting”, I agree. Look at our lack of success in stopping breaches.
“Zero Trust” Is the Opposite of Business (RedSeal, posted 2018-09-14, updated 2018-11-26)
The drumbeat of media coverage of new breaches continues, but it’s useful sometimes to look back at where we’ve been. Each scary report of so many millions of records lost can be overwhelming. It certainly shows that our network defenses are weak, and that attackers are very effective. This is why digital resilience is key – perfect protection is not possible. But each breach takes a long time to triage, to investigate, and ultimately to clean up; a lot of this work happens outside the media spotlight, but adds a lot to our sense of what breaches really cost.
Today’s news includes a settlement figure from the Anthem breach from back in 2015 – a final figure of $115 million. But is that a lot or a little? If you had to pay it yourself, it’s a lot, but if you’re the CFO of Anthem, now how does that look? It’s hard to take in figures like these. So one useful way to look at it is how much that represents per person affected.
Anthem lost 79 million records, and the settlement total is $115 million. This means the legally required payout comes out just a little over a dollar per person – $1.46 to be exact.
That may not sound like a lot. If someone stole your data, would you estimate your loss to be a bit less than a plain black coffee at Starbucks?
Of course, this figure is only addressing one part of the costs that Anthem faced – it doesn’t include their investigation costs, reputation damage, or anything along those lines. It only represents the considered opinion of the court on a reasonable settlement of something over 100 separate lawsuits.
We can also look at this over time, or over major news-worthy breaches. Interestingly, it turns out that the value of your data is going up, and may soon exceed the price of a cup of joe. Home Depot lost 52 million records, and paid over $27 million, at a rate of 52 cents per person. Before that, Target suffered a major breach, and paid out $41 million (over multiple judgements) to around 110 million people, or about 37 cents each. In a graph, that looks like this:
Note the escalating price per affected customer. This is pretty startling, as a message to the CFO. Take your number of customers, multiply by $1.50, and see how that looks. Reasonably, we can expect the $1.50 to go up. Imagine having to buy a Grande Latte for every one of your customers, or patients that you keep records on, or marketing contacts that you track. The price tag goes up fast!
Which is more valuable – your security or a cup of coffee? (Dr. Mike Lloyd, CTO, RedSeal, posted 2018-08-22)
Russia has nearly completed an alternative to the Domain Name System — the common “phone book” of the internet that links numerical IP addresses with readable names like “Amazon.com” and “NYMag.com.” When implemented, the DNS alternative could separate Russia and its allies from the rest of the connected internet — a possibility that, however remote, has experts worried about a “balkanization” of the global network.
Last November, the Russian Security Council announced its ambition to create an independent internet infrastructure for Russia and the other members of BRICS (Brazil, India, China, and South Africa). According to reports, the Russian government sought to create the alternative internet to protect itself from American and Western manipulation of internet services and avoid “possible external influence.” (Sound familiar?)
Russia’s Alternate Internet (RedSeal, posted 2018-07-13, updated 2018-11-26)
I found myself in London Heathrow recently with a few hours to kill. I’d heard about a big political brouhaha rumbling along about adding a third runway, but there are lots of competing pressures — from the economic to the environmental and everything in between. So I decided to spend my down time looking into that. Just how badly does Heathrow need another runway?
After reading a good piece in Wired, this amateur pilot found the statistics intense: Heathrow functions at almost 99% capacity, essentially packing in as many people as the airport can take, with a landing or takeoff taking place every 45 seconds. Forty-five seconds might sound like there’s still some room for error, but from my point of view, it’s far from it. I’m not allowed to land the small planes I fly for three minutes after a big jet takes off or lands, because of the dangerous turbulence they leave in their wake. If I wanted to land at Heathrow, the airport would have to open up a huge gap, canceling landing clearances for at least three big jets. That would inconvenience many hundreds of people. What’s worse, at these utilization levels, the ripple effects could last all day.
As a security professional, I found a behind-the-scenes aspect of the story most interesting — specifically, the approach taken to ensure resilience.
The General Data Protection Regulation (GDPR) zero-hour has finally arrived — enforcement started May 25, 2018. Like students cramming for a midterm, I witnessed a flurry of activity from U.S. businesses since the deadline forced people to pay attention, knuckle down and study.
When students cram for a test, they take any shortcuts they can, and that can make for predictable errors, especially any time there is a mentally comfortable answer that happens to be wrong. Psychologists even have a term for this — they call it “availability bias.” In a nutshell, this is our built-in tendency to assume something is right when it’s easy to recall or that it’s wrong just because it’s harder to remember.
The Biggest GDPR Mistake U.S. Companies Are Making (RedSeal, posted 2018-06-12, updated 2018-11-26)
Warren Buffett recently made clear how risk-averse his business is when it comes to cyber insurance. Addressing his annual shareholder meeting, he summarized the state of play like this: “I think anybody that tells you now they think they know in some actuarial way either what [the] general experience is like in the future, or what the worst case can be, is kidding themselves”.
These are wise words, from a famously far-sighted individual. However, the question is: what are we going to do about this? Certainly, at RedSeal, we do not think this is acceptable. Businesses rely on insurance providers for several critical things. It starts with the basic concept of insurance: you hand your premiums over to an insurer so that you get some protection against the financial downsides of hard-to-predict, catastrophic events. But the relationship between insurers and those who buy insurance has a symbiotic, mutually beneficial aspect to it as well (as Warren Buffett knows). The two groups aren’t adversaries (despite the frictions that result when it’s time to pay up); they share the same long-term interest in reducing the cost and number of catastrophic events.

Think of the way car safety has improved over the last few decades. Some of that improvement was driven by government regulation, but more of it is a result of insurers offering price breaks for things like raised central brake lights, ABS, or alarm systems. Insurers investigate accidents in detail, and have learned which car features cause or prevent accidents. When they price that knowledge into their products, they motivate car buyers, who in turn motivate car makers. You might think car makers should just know what makes cars safer, but they don’t really know how people will behave behind the wheel or how much safety people are willing to buy. The process works well over the long haul because of insurance companies’ critical role in gathering data, quantifying cost/benefit, and pricing that into policies that people can understand.
So how do we make this work for cyber insurance? Today, the market for cyber insurance is growing rapidly. Companies want the product, insurers are selling large numbers of policies, and there is still more demand than insurers can comfortably supply. The main thing holding insurers back is the inability to correlate good or bad security behavior with real incident rates. We’re close – the security industry knows a lot about good security, in much the same way that car makers know how to make a car safer, but it isn’t sure about the cost/benefit of any given action. This means we’re spring-loaded: there’s market demand and there’s a lot of knowledge about security, but the last critical ingredient is the ability for actuaries at insurance companies to compute hard, quantified payoffs (change in “Annualized Loss Expectancy” would be the technical term).
This is why RedSeal is working with XL Catlin on innovative ways to measure the cyber practices of companies buying insurance. It’s an exciting time – something we don’t get to say often about the insurance business!
Warren Buffett’s Take On Cyber Insurance (Dr. Mike Lloyd, CTO, RedSeal, posted 2018-05-21, updated 2018-08-14)
“The biggest issue that IT and security heads need to focus on is mapping out how their business operates. Under regulations like GDPR, it is not enough to evade breaches (by luck or by skill); rather, GDPR requires you to demonstrate that you take customer privacy seriously in every aspect of your business process. To demonstrate this, you must be able to map out your whole business — people, processes and technology.” — Dr. Mike Lloyd, RedSeal CTO
GDPR: Are You Ready? (RedSeal, posted 2018-05-18, updated 2018-08-13)
With experts now agreed it’s not a case of “if” but “when” your organisation suffers a major breach or outage, the expanding cyber-insurance industry offers a vital way to protect against losses.
Cyber-Insurance Can Reshape the Way Organisations Do Security for the Better (RedSeal, posted 2018-05-09, updated 2018-12-10)
The problem with cyber-insurance is a lack of data for understanding risk, but third-party technologies can measure and quantify the defensive state and breach risk of each organisation using standardised, repeatable yardsticks.
Cyber-security is approaching an inflection point, where several major forces are combining to produce a much-needed breakthrough. The reason why: cyber-insurance.
Breaking the Log Jam – Data for Informed Cyber-Insurance (RedSeal, posted 2018-05-02, updated 2020-05-19)
With a recent Veritas study indicating that more than half of organisations have yet to start work on meeting the minimum requirements set by the General Data Protection Regulation (GDPR), the clock is well and truly ticking. The EU’s GDPR comes into force in May, so it’s vital that CISOs focus on the impending deadline and look to the future to avoid the significant fines that can be imposed.
Here we speak to industry experts to ask what those companies who have some catching up to do really need to know about demonstrating their compliance to GDPR.
Are You Ready for GDPR? (RedSeal, posted 2018-05-01, updated 2018-08-13)