Mind the gap: three actions to take today based on AT&T’s latest Cybersecurity Insights report
AT&T recently released volume 6 of their Cybersecurity Insights report, titled “Mind the Gap: Cybersecurity’s Big Disconnect.” You can download a copy of the report here.
The report helps to explain some of the reasons underlying the massive breaches we have seen this year. As Robert F. Kennedy once said, “Like it or not, we live in interesting times.”
To put this interesting year in context:
- Half of the U.S. population became victims of identity theft due to malfeasance by Equifax.
- All three billion Yahoo! users lost their passwords in the biggest hack ever.
- Deloitte, one of the Big Four professional services firms that offer cybersecurity consulting, had their email hacked.
- The NSA’s hacking tools were stolen twice in the same year and put to immediate use by criminals building cyberweapons like Petya/NotPetya and WannaCry.
Here are three things that organizations should do immediately based on the report’s findings:
1. Friends don’t let friends confuse cyber liability insurance with cybersecurity.
The most alarming revelation in the report was that more than a quarter of organizations appear to view cyber insurance as a substitute for cyber defense investment, rather than as one component of a multi-layered cybersecurity strategy. This pessimistic strategy cedes ground to criminals, has the potential to lower workplace productivity, and risks raising cyber liability insurance rates for everyone. Although cyber insurance policies often include funds for credit monitoring or identity-theft monitoring for affected individuals, they don’t compensate for the time that those victims will wait on hold with financial institutions, trying to clean up someone else’s mess when they’d otherwise be working productively at their offices.
Worse, Lloyd's 2017 Emerging Risks Report, "Counting the Cost – Cyber Exposure Decoded," found that losses from a cyberattack can be as large as those from a hurricane. The cyber liability insurance market is not generally standardized, and buyers often have trouble understanding what they’re buying, which can lead to underinsurance. Insurance companies are not charitable institutions. If firms choose a willfully negligent cybersecurity strategy in favor of large insurance payouts, cyber liability insurance rates will rise across the board, and we’ll see an increased number of demonstrable controls and requirements added to those policies. This is a short-term strategy.
Companies should hold cyber liability insurance with insurers that have a minimum A- credit rating from Standard & Poor's (or an equivalent rating agency) and should hold a minimum coverage of $10 million. To reduce the risk of third-party breaches, companies should also request written copies of cyber insurance certificates from business partners and subcontractors on an annual basis at a minimum. Ideally, this would be coupled with an annual attestation report to confirm that third parties with access to company data or systems are still appropriate. As we learned with the Target breach, it takes just one contractor with privileged access to cause a serious breach.
2. Invest in consulting firms that have done this before.
The report found that at least half of all organizations surveyed admit they face skills gaps in three key areas: threat prevention, threat detection, and threat analysis. Just 56% of the U.S. respondents professed confidence in their ability to address cybersecurity challenges internally. Although most companies plan to increase hiring, there are not enough people to hire, and the International Information System Security Certification Consortium, or (ISC)², predicts that there will be a shortfall of 1.8 million cybersecurity workers by 2022.
Most organizations’ staff likely has limited market exposure to cybersecurity best practices. External consulting firms that work across industry verticals gain a unique perspective on what security practices to adopt and which ones to avoid. They can also provide trusted advice on where to invest limited budgetary dollars for the maximum increase in cybersecurity. The best consulting firms have hard ethical boundaries between advisory and implementation practice areas for their clients.
It’s important to differentiate between staffing firms and vendors’ professional services organizations. A staffing firm allows an organization to contract one or more people with some degree of cybersecurity expertise. However, as they have possibly not worked together before, have no external guidance or oversight, and are billing on an hourly basis, they’ll likely be waiting on your organization’s project manager to tell them what to do next. This is not a proactive or a consultative approach — it’s a hiring stop-gap. Vendors’ professional services organizations (PSOs) associated with a product or products should be treated with skepticism, as the primary function of a vendor PSO is generally to get the products deployed rapidly so that clients have an incentive to pay their maintenance or subscription fees next year. There are exceptions for both staffing firms and PSOs, but it’s important to have a general understanding of these types of organizations.
3. Get people emotionally invested in cybersecurity training.
AT&T’s report found that technology companies were leading the way in cybersecurity training, with 71% of respondents in this vertical market providing cybersecurity training to all their employees. Unfortunately, that’s only one market segment. As an attendee of multiple customer cybersecurity training classes (a side effect of contractual agreements) in multiple verticals, I can say that a lot of the cybersecurity compliance training available in the market is dull, uninspiring, and fails to connect with the audience.
Ask yourself: when was the last time someone was disciplined for subverting or violating your company’s security policy because they thought it was an impediment to doing their job? Too often there are minimal or no consequences for employees who break policy. Unfortunately, the Deloitte email breach was caused by a single administrator who disabled multi-factor authentication for his own email account. The Equifax breach was allegedly caused by an administrator who didn’t want to patch the software because it was too hard. There are numerous additional examples, many of which demonstrably harm both the organization and the general public.
It’s time that employees realize that part of their job is to keep their employer secure. Failure to do so can lead to breaches that affect their own families, children, friends, and neighbors. Additionally, companies should no longer tolerate employees or executives who don’t follow the cybersecurity policy, as they increase the risks to everyone at the organization.
Taking these three actions immediately — investing in both cyber liability insurance and cybersecurity, investing in a trusted consulting firm, and getting people emotionally invested in cybersecurity training — will not prevent the next breach. However, these actions make it exponentially more expensive for criminals to breach your organization and are the socially responsible course of action to protect both your organization’s reputation and the public. By making it more difficult and expensive for criminals to breach organizations, we can reduce their profit margins and drive them out of business.
This post is brought to you by AT&T and IDG.
The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of AT&T.