
I don’t read WSJ for financial news

The Wall Street Journal and Bloomberg news services have recently dedicated a column to cybersecurity breaches. This week it is Anthem. I am not sure if they are starting an informal cyber intelligence sharing service, but unlike the Dow and Nasdaq indexes, the size of cybersecurity breaches is going up, with new 52-week highs.

Target stole the headlines for a few weeks, losing $148 million in breach-related losses along with its CIO and CEO, but it lured customers with deeper discounts. Sony became the topic of President Obama’s conversation, and today Sony’s Co-Chairman Amy Pascal took the fall for the recent hack, even after using 4 smartphones as a communication tool after the breach.

Unlike with the Sony hack, we didn’t waste time pointing at China as the culprit behind the Anthem breach because, unlike North Korea, which is interested in Hollywood, Chinese hackers like to know about our health and maybe personal information to start an identity theft plague. “Chinese laws prohibit cybercrimes of all forms,” Chinese Embassy spokesman Zhu Haiquan said. “Unfounded hypothesis and jumping to conclusions is irresponsible and will be counterproductive to address these issues.” We also encourage original sources of goods and not counterfeit ones.

Cisco CEO John Chambers has warned that 2015 will be a worse year for hack attacks on businesses in a world where an increasing number of devices are connected to the internet. “There is no data center or network in the world that hasn’t been hacked. If you watched the number of attacks, they’re going up exponentially this year, this year’s going to be much worse than last year,” Chambers told CNBC at the World Economic Forum in Davos. He went on to say, “The average attack, you get 90 percent of the data you want in like nine hours, and yet most of the companies don’t find out for three to four months.”

Bank of America Corp.’s cybersecurity team can spend as much as needed to protect the firm and its customers, Chief Executive Officer Brian T. Moynihan said. So, is the CEO sowing seeds that if a breach happens, he can say he did everything possible to help?

Anthem, which offers Blue Cross Blue Shield plans in California, New York and other states, said it doesn’t know precisely how many people may be affected. So far, it appears that the attack detected last week is the only breach of Anthem’s systems, and it isn’t yet clear how the hackers were able to obtain the identification information needed to access the database, said Thomas Miller, the insurer’s chief information officer.

Let us take a look at the real numbers from the Anthem breach, assuming no personal health information is lost. According to reports, 37 million Americans are currently insured by Anthem, but federal law mandates that insurance companies and healthcare providers keep 6 years of patient data even for people who have left the system. So the numbers add up to 80 million or more, many of whom are not currently using Anthem.

I love the traders who value a full set of medical information on a person at $40 to $50 on the street, while a credit card number is worth $4 or $5. So, Target, don’t sweat.

The impact of this breach will be the start of sophisticated identity theft patterns that will haunt people for years. The other problem is the interconnection of our healthcare system. Anthem, like any health insurer, is possibly digitally connected to the majority of hospitals, medical diagnostics companies, payroll companies, benefit providers and pharmacies, which makes for a complicated digital ecosystem. An entry into Anthem’s database to steal the crown jewels does not prevent the hacker from going after other weak links, thus exposing the personal data of more than 80 million Americans and other corporations.

The famous word “encryption” comes into play here: scrambling or masking data at rest. Unlike at retailers, where tokenization, or changing the digits of a credit card number in a way known only to the card issuer, is used, healthcare information is more complicated. As we know, HIPAA regulation talks about encryption and de-identification of personally identifiable information, but it is not prescriptive. Encryption is needed but not practical in many business scenarios. Insurance companies share data with so many partners to service a patient that encryption may not be practical for them.

What we are seeing is a fundamental breakdown in digital security, with rogue nerds preying on us while hiding behind some nation. I am not proposing regulation is the answer.

I would love to hear people’s comments on how to look at this problem holistically, and a healthy debate that business leaders can think about!


Recurring meeting Invite to CEO and leadership team Topic – Cybersecurity breach

Invite your CEO, Board and senior leadership to block 7 days in a year to handle potential cybersecurity breaches.

Will the recent security breaches and the President’s State of the Union move the needle on cybersecurity spending?

There is a lot of conversation about a cybersecurity spending boom and the need for enterprises to loosen their purse strings for digital security, but is there a real ROI that can be measured?

A brief analysis of 3 recent breaches with their business impact.

Target was the poster child for credit card companies to mandate tighter deadlines for EMV (chip card) migration to avoid the fraud liability shift, with tens of millions of credit cards stolen.

In terms of financial impact, Target’s earnings are approx. $2B and its net loss from the recent cybersecurity breach after insurance payments was $148M. It may have additional liability from lawsuits, but from its quarterly reports it did not look like there was any major shift in customer spending patterns, and deeper product discounts brought back shoppers. The CIO may have been a casualty, but the CEO’s departure was mostly attributed to the Canadian strategy.

So, the bottom-line financial impact was a loss of $200M, an additional investment of $150M in EMV, etc. But for a major retailer, the cybersecurity loss was much smaller than the Canadian investment, and the brand was not affected severely enough to result in a big drop in customer spending.

Home Depot, on the other hand, which makes $5B in earnings, had a net loss of less than $40M from its cybersecurity breach. No executives were fired, and the brand was not significantly affected either.

Now, Sony is a whole other story. In Q3 2014 earnings, Sony lost $10M on $1.7B in revenue and now stands to add tens of millions of dollars from the cybersecurity attack to its financial loss. The leaked emails and the loss of trust from its partners have made a major impact. They have not been able to report quarterly earnings and they are cutting paychecks manually. The loss of trust from the leaked emails fuels speculation about whether Sony Pictures will still be a viable business.

In a recent conversation with a senior executive at a $4B company on increasing their cybersecurity investment, his response to me by email was “we are not a Sony, we do not handle large consumer transactions like Target and chances of us getting breached are minimal with our current investment and if we do get breached, our lawyers and insurance will take care of our liability”.

Words I like to hear: insurance and lawyers to reduce liability. I then responded saying that Target, Home Depot, Sony and hundreds of other cybersecurity events have one impact in common. Distraction. Senior executives are responsible for growing the business and increasing shareholder wealth. Their job is to foster positive growth and not get distracted. When a company has a scandal or an investigation, the performance of the CEO, board and senior management is affected.

After the cybersecurity breach, Target’s CEO retired, the CFO testified in front of Congress, the CIO was fired, and I am sure the senior leadership team spent hours convincing customers and partners and working with investigators, which cannot be quantified but certainly did not increase shareholder wealth. So is this not an impact from a lack of cybersecurity controls?

“Home Depot ex CEO Mr. Blake took charge of the breach response. He backed up his chief information officer, Matt Carey, and spent time in the “incident response” room set up on the 20th floor of Home Depot headquarters.”

Sony Pictures CEO: “It took me 24 or 36 hours to fully understand this was not something we were going to be able to recover from in the next week or two,” Mr. Lynton recalled in an interview.

So, were these CEOs not distracted, spending countless hours trying to mitigate damage that could have been contained in the first place just by smart investment? I am not trying to say they do not invest enough in cybersecurity today, or that more technology or resources will be the silver bullet, but continued serious investment will certainly reduce the risk of, and the response to, a cybersecurity breach.

So, what moves the needle? Senior leadership’s time, stakeholders’ trust and of course legal fees and tangible financial loss. Now, no small company or large company can argue that their CEO has time for cybersecurity breaches.

Thoughts?


107,000 jobs on LinkedIn require one skill

In his State of the Union address, President Obama said, “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. So we’re making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.
 
And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information.  That should be a bipartisan effort.  (Applause.)
 
If we don’t act, we’ll leave our nation and our economy vulnerable.  If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”

The World Economic Forum ahead of Davos has issued a report that warns failing to improve cyber security could cost the global economy $3tn, and is urging companies to sign up to a new “framework” for assessing the risk of an attack.

It is very encouraging to see protecting digital assets and digital presence being mentioned at the highest levels. While there is much talk about technologies, intelligence sharing and the threat of cyber warfare, one key piece is the shortage of skills. A recent ISACA survey of 3400 members found that 68% of them have a shortage in cybersecurity skills to fend off an attack.

VCs invested nearly $2B in different cybersecurity startups that are delivering the next generation of digital protection, but the shortage of people who know how to implement these complex technologies with relevance is still unresolved. Yes, some industry groups and educational institutions are beginning to provide basic training courses to add new workforce.

Having been in the information security world for over a decade, this profession requires hard skills and soft skills. Security attack patterns are like amoebas. The patterns can change with the click of a mouse and the damage inflicted can be part of a President’s speech. I saw a posting from Sony for an IT security manager a few days after their cyber hack. Does this mean they did not realize the importance of that position, or that they just could not fill it?

Many job postings for information security professionals just cannot be filled. The reason: they want Sheldon from The Big Bang Theory or the Stephen Hawking of cybersecurity. Security operations, compliance, risk and threat management all need completely different training and a different approach, unlike coding C++ and moving to Java. A fundamental understanding of information security is key for all positions. A person’s role within information security will depend on their personality, people skills, analytical thinking, investigative instincts and communication skills.

This crisis is going to affect midsize firms that need to have a level of cybersecurity protection but cannot afford to hire expensive consultants and retain experienced employees. The emergence of cloud and mobile is adding more weak spots for hackers. A white hat hacker who wants to help the community is also in demand from bounty hunters with deep pockets. A recent increase in cyber security freelancers is helping the industry a little, but costs remain high. Many firms need skills on demand or for a period of time, and consulting companies are not able to meet the growing demand.

In December 2014, one piece of legislation passed by the Senate authorized the federal government to support research, raise public awareness of cyber risks, and improve the nation’s cybersecurity workforce. This may be a start or a political dialogue, but maybe a tax incentive or a subsidy to enterprises, educational institutions and startups to provide training and education won’t hurt.

Lessons from Sony Hack

What can we learn from Sony’s hack?

According to Sony Pictures CEO Michael Lynton, Sony Pictures did not have a playbook.

Sony’s Incident response plan to the recent cyber attack included

bbry gmail chk phnbnk

The lack of a response plan during the cyber breach added significantly to Sony’s business impact. It took the 9/11 attacks for major financial institutions to start having secondary operation centers outside Wall Street for business continuity.

The Sony hack was no different from a disruption in business operations, but the preparedness demonstrates the weakness in cyber threat response and in the time enterprises take to recover from a cyber attack. Having been in the cyber security business for decades, we have learned that attacks cannot be prevented, but the ability to minimize the business impact can be a proportional response.

I appreciate the fact that working on an incident response plan is not interesting, or that cyber insurance can be a shortcut, but impact needs to be measured in more than financial loss. So, when it comes to lessons learned from the Sony hack:

  1. Sony CEO says No Playbook – Having no playbook is not enough, but doing an annual tabletop will help refresh the tasks.
  2. Sony business down 8 weeks, manual paychecks, and BlackBerry – The impact of an attack needs to be measured in the playbook to help plan an appropriate response. Not all attacks are the same, and business continuity needs to be a top priority.
  3. FBI and Consultants are not on remediation resources – The cybersecurity industry is seeing a shortage in skills, and some incident response roles like forensics are needed on demand. There are many freelancers with broad skillsets available, and it may be easier to retain experts to assist as needed.
  4. Sony had 45 firewalls – There is a lot of noise on technology to identify and protect from the next big threat. The noise needs to be filtered by bringing relevance to business. Not every threat has the same impact for every business, and again technology is not the answer.
  5. Sony hires Crisis specialist – PR specialists cannot contain reputation damage. Sony’s reputation and brand as an entity has been hurt over the weeks that $MM crisis specialist can fix. This is a wake-up call to every enterprise without an adequate response plan.
  6. Sony was attacked on Nov. 24th. Sony brought in the FBI and hired Mandiant on Dec. 1st – This 7-day delay shows the lack of communication and executive decision, and an inadequate plan to respond. If there was a water leak in the office, the plumber would be there in 2 hours.
  7. 100TB of data stolen – Protecting what is relevant to the business, in this case movies, employee, customer and other corporate information, should have been a priority. If a hacker gets free rein in the network to steal not 1 but 100TB of data, the need to protect the digital crown jewels was not a priority.

The press on the Sony hack and the White House response should not be news but a true wake-up call. So, while there may be lessons learned for a long time, this is a wake-up call to have an effective and tested incident response plan in place NOW.

NSA Director on Sony Hack: ‘The Entire World is Watching’

TIME

National Security Agency Director Admiral Michael Rogers expressed support Thursday for the United States’ economic sanctions against North Korea in response to the hack on Sony Pictures Entertainment, and called the attack against the movie studio a “game changer” for cybersecurity.

“Sony is important to me because the entire world is watching how we as a nation are going to respond to this,” Rogers said Thursday at the International Conference on Cyber Security in New York. “If we don’t name names here, it will only encourage others to decide, ‘Well this must not be a red line for the United States.’”

After naming North Korea responsible for the attack against Sony, the U.S. announced sanctions last week against 10 individuals and three organizations in North Korea, including the state’s main intelligence agency and its primary arms exporter. The sanctions effectively denied them access to U.S. financial systems.

In his address…


Sony Hack: A Timeline

This could be the 9/11 of cyberattack

Deadline

Refresh for latest… The cyber attack on Sony Pictures Entertainment continues to cripple the company, embarrassing its top executives and those who do business with them, as e-mails and confidential information are sifted and selectively published by anyone with access to the hackers’ dump. Here is how the story broke, day-by-day. We’ll continue to update as it unfolds.

Day 1: Monday, November 24

At Sony Pictures Entertainment’s headquarters in Culver City, a typical week begins. The first sign of a digital break-in comes early that morning, when the image of a stylized skull with long skeletal fingers flashes on every employee’s computer screen at the same time, accompanied by a threatening message warning that “This is just the beginning.” The hackers say “we’ve obtained all your internal data,” and warn that if Sony doesn’t “obey” their demands, they will release the company’s “top secrets.”

At 10:50 A.M., Deadline’s Mike Fleming…


Employee Data Breach The Worst Part Of Sony Hack

TechCrunch

The Sony hack has taught us so much. It’s taught us to send corporate email as if everyone is reading those emails. It’s taught us that people in Hollywood are just as mean as people in any other industry (and potentially racist). And it’s taught us that Channing Tatum is really enthusiastic about beating “TED” at the box office.

The one lesson that’s the hardest to stomach is that you may be doing everything possible to protect yourself online, but your employer may be laissez faire about the whole thing. This is the position that over 6,500 current (and many former) employees of Sony find themselves in today.

As Gizmodo’s Brian Barnett wrote:

“The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It’s an email about trying to get pregnant. It’s shit-talking coworkers behind their backs, and people’s credit card log-ins…
