
PODCAST: A case for studying the ‘why’ of network breaches instead of just the ‘how’

August 18th, 2017

By Byron V. Acohido

Employees are often seen as the weakest link in cybersecurity. Breaches by hackers may hit the headlines, but human error (or malicious intent) is responsible for the majority of attacks.

IBM’s 2016 Cyber Security Index reported that insiders carried out 60 percent of all attacks. Three-quarters of these attacks were malicious, and a staggering 25 percent of breaches were accidental.

Richard Ford, chief scientist at Forcepoint Security

I took the opportunity to sit down with Richard Ford, chief scientist at Forcepoint Security at Black Hat 2017 in Las Vegas. The notion of understanding human behavior and its role in cybersecurity was the topic of our discussion, and you can find the key takeaways below.

Look at the why, not the what. We’re great at focusing on what is happening within our network and capturing every single event. What we’re bad at is talking about the why, which is often much more significant. It’s time companies thought about what the hacker is trying to accomplish. Why did that file get moved? Why did that data loss prevention (DLP) event occur? Mitigation depends on the why: you’d mitigate an accidental data breach very differently from an intentional one. When companies move toward the why, they can start to mitigate much more effectively.

Reduce the friction caused by IT security. A lot of security measures aren’t successful because they create friction for users. Currently, we see security’s role as protecting the business. In the future, we will see it as a way to enable business to be done safely. For example, to stop restricted files from leaving company servers, most firms would turn off universal serial bus (USB) access. But that creates friction. Instead, the file should be seamlessly and silently encrypted so that it will only decrypt if it is loaded onto another company device. It’s the same level of protection but with far less friction. The more seamless security is, the more people will buy into it.

Make privacy a first-class citizen. Too often, companies send a bad message by giving the impression that they don’t trust their employees. Security and privacy should be a benefit to the employee, not a negative. One way companies can achieve this is by being open with employees. When employees understand what’s happening, they understand why it’s protecting the company. Another is by anonymizing the data in a way that protects an employee’s personal information but still continues to protect the company. When done right, employees’ privacy should be protected and so should the company’s data. You shouldn’t do one at the expense of the other.

For a deeper drill down, please listen to the accompanying podcast.

For more about human behavior and data breaches:
Why studying human behavior could be the key to securing networks
Look to human nature for continued success of phishing attacks
Wetware: People are the problem in countless data breaches

This article originally appeared on ThirdCertainty.com


NEWS THIS WEEK: Ukrainian hacker with ties to DNC hack surrenders; Uber agrees to improve privacy; Scottish parliament hacked

By Byron V. Acohido

In the news this week, a Ukrainian hacker called “Profexer” who built one of the tools used to penetrate the Democratic National Committee servers last year has turned himself in to authorities. The man, who first contacted Ukrainian police earlier this year, claims he wrote a piece of software called the PAS Web shell, which the Department of Homeland Security has identified as malware used in the hack. The hacker maintains that he wasn’t behind the attack, …more

Q&A: Why the HBO hack is destined to accelerate the fledgling cyber insurance market

By Byron V. Acohido

Following on the heels of the two globe-spanning ransomware worms, the HBO hack—with its distinctive blackmail component—rounds out a summer of extortion-fueled hacks and destruction and theft of valuable data at an unprecedented scale.

WannaCry and Petya raced around the planet demanding ransoms after locking up servers at hundreds of organizations. The HBO hackers pilfered 1.5 terabytes of intellectual property and business documents from the television giant. Next, they heaved samples …more

PODCAST: Want to know what the No. 1 cybersecurity VC firm is betting $300 million on? Give a listen

By Byron V. Acohido

In 2016, venture capital firms invested in more startups than ever before. The year saw VC firms invest a total of $3.1 billion in 279 cybersecurity startups. This compares to $3.7 billion of investment in 272 startups in 2015 and $833 million in 117 startups in 2010.

Levels of investment look set to continue into 2017. The first two months of the year saw the industry attract more than $300 million of funding. …more

NEWS THIS WEEK: Walmart tracks customers’ facial expressions; teachers hacked; Asians seek cyber insurance

By Byron V. Acohido

In news this week, Walmart has filed a patent for video technology to track customers’ facial expressions as they shop, potentially allowing employees to address customer needs before they have to ask. The system would use video to scan for customers who are frustrated or unhappy if they can’t find a product or figure out pricing. The system also could see when a display or product pleases shoppers. According to the patent filing, Walmart says it’s easier to …more

PODCAST: Why securing networks requires a mind shift in the C-suite and board rooms

By Byron V. Acohido

As technology has evolved, it’s gotten bigger and more complex, making the job of information technology departments more difficult. Dealing with Windows, Macs, the cloud and the Internet of Things (IoT) means they have to manage more things in more places.

I had the chance to discuss this with Phil Lieberman, founder of Lieberman Software, at Black Hat 2017 in Las Vegas. Lieberman spoke passionately about his company’s efforts to develop solutions to handle a …more

VIDEO: How phishers are coming after you — and what you should do about it

By Byron V. Acohido

The current cybersecurity climate makes it hard not to be wary of phishing attacks. Forget reclaiming lost family fortunes or assisting Nigerian princes; today’s phishing scams are targeted, complex and incredibly prevalent.

It feels like a new, high-profile phishing attack is getting reported every other month. In May, Google Docs users were being targeted with malicious invitations to edit fictional documents. Before that, DocuSign users were sent bogus emails encouraging them to download a …more