Putting Cybercrime in Perspective: What’s Your Risk Appetite?

Cybercrime is big news. It seems almost weekly, we see reports of a massive company affected by an even more massive data breach. We hear about the sophistication of the cybercrime economy on the dark web. And we hear politicians ranting about preventing cyberattacks by government-sponsored hackers.

Is it all hype? How much does cybercrime affect YOUR business—really?

Surprisingly, many mid-market companies and smaller enterprises often tell us they don’t feel they are really a target. They brush off the need for data security by telling themselves a couple of different kinds of stories:

  • We’re too small. After all, we are not Capital One. We hold a modest market share, and we don’t have any real
  • There isn’t anything we can do about it. We don’t have the resources to do data protection like a giant corporation—how could we possibly prevent a breach?

Those brush-offs are myths. The truth is:

  • Cybercriminals don’t care how big your company is; your data is extremely valuable. (And yes, you do have intellectual property (IP) that is worth a lot.)
  • Mid-market companies are held accountable to the same regulatory requirements as large enterprises, so it’s essential that you meet those mandates.

To ensure effective, cost-efficient data protection, mid-market companies need to put their security needs into business terms.

 

What’s Your Risk Appetite? Consider the Opportunity You’re Offering

To put some perspective around your risk for data loss, don’t compare yourself to the big media stories. Instead, consider the way criminals take advantage of opportunity.

Say you are a midsize regional hospital. In the gift shop, an employee leaves a $100 bill on the counter during a transaction. That bill is an opportunity; a fast-thinking criminal can snap up the bill and run out without any planning. Of course, the risk of getting caught with that $100 is reasonably high.

What if instead the gift shop employees leave an unsecured router on the counter? A thoughtful criminal might recognize that as a greater opportunity. The motive for stealing data through that router might be to sell employee and patient personally identifiable information (PII)—or it might be just to prove that they can break in. But the theft itself may not be discovered for a long time, and the chance of getting caught is pretty low.

Regardless, now that PII is in somebody else’s control. You have a data breach.

What will that cost you? According to the Ponemon Institute’s 2019 Cost of a Data Breach Report:

  • The average global cost of a data breach is $3.92 million.
  • Healthcare is the industry with the highest breach costs—averaging $6.45 million.
  • In highly regulated environments, costs have a longer impact, spanning more than 2 years.

That kind of impact could be devastating to your midsize hospital.

 

Take the Data Loss Prevention Steps That Matter

Of course, an unsecured router is only one of many ways cybercriminals can access your systems and the sensitive information of your customers and company. How can you implement data protection in a way that’s going to make the biggest impact in the most cost-efficient way?

The Cost of a Data Breach report offers recommendations for security program elements that make the greatest reductions in the financial impact of a breach:

  • Discover, classify, and encrypt sensitive information, ensuring the most sensitive data is encrypted on premise, at the endpoint, in transit, and in the cloud.
  • Invest in technologies that help improve the ability to rapidly detect and contain a data breach, including security automation and intelligent orchestration capabilities that provide visibility across the security operations center (SOC).
  • Minimize complexity of IT and security environments to make it easier to quickly identify breaches caused by third parties, compliance failures, extensive cloud migration, system complexity, and extensive IoT, mobile, and OT environments.
  • Know how you will identify genuine incidents–and how you will respond to them. Organizations that have developed expertise in responding and remediating security incidents can respond quickly to contain the fallout from a breach.

 

How Do You Respond to the Overwhelm of Cybercrime News?

Ultimately, investing in a data protection program is your most important form of risk management. Companies of all sizes must be highly aware of their risk tolerance and make informed decisions about how to invest appropriately to provide the level of protection their customers, regulators, and stakeholders demand.

 

Where does your data protection program stand?

For any size enterprise, from mid-market organizations to large global corporations, seeking the experience of a trusted managed data protection provider is a risk-reducing solution that makes good business sense.

InteliSecure experts bring more than 15 years’ experience in security analysis and data protection strategy. Contact us to discuss your organization’s data protection needs—and find the solution that fits.


August 15, 2019

3 Ways Dynamic Data Protection Impacts the Future of DLP

What is Dynamic Data Protection?

Dynamic Data Protection is a conceptual shift introduced by Forcepoint, a longtime leader in the field of data security and DLP solutions. A few years ago, Forcepoint acquired the User and Entity Behavior Analytics (UEBA) company Red Owl, which had developed a solution for parsing through logs from a multitude of sources in order to baseline normal behavior and identify behavioral risk anomalies in a user base.

Many technologies have the ability to build similar models to identify risk, but what Forcepoint did next was revolutionary. They decided they were going to integrate those risk scores into their DLP product so that the decision to block or allow a specific data transaction over a specific channel could be determined by the risk level of the user.

Let’s look at how the ability to dynamically adjust user controls is a game changer for three of the most common use cases you’ll encounter.

 

Establishing Probable Cause with UEBA

In some countries, it’s common to require companies to present a data protection program to a workers’ council before implementing the program. Users then evaluate the program to determine whether it meets their standards for workers’ rights, especially a worker’s right to privacy. Two of these countries, Switzerland and Germany, have many companies that depend primarily on Intellectual Property (IP) for revenue generation, including biotechnology, manufacturing, and pharmaceutical companies, so the approval process has been well tested.

One of the major issues that workers’ councils raise with data protection programs is that all traffic from all users must be inspected for the program to be effective, and the rules engines are not 100% accurate. The councils argue that workers are exposed to monitoring that may unintentionally violate their privacy and that level of intrusion isn’t proportionate to the necessary protection.

To make such a control acceptable to workers, the councils recommend that the control only be activated for individuals when the organization has probable cause to look into their behavior. To establish probable cause, the analysis should be automated and free from human bias.

When faced with that challenge, organizations have either abandoned their programs or used rudimentary manual mechanisms to identify risk and turn monitoring on. But manual programs, while better than nothing, were hardly effective.

UEBA meets the standard of an automated system free from human bias, allowing us to assess the risk of users without collecting any additional information about them; we are simply analyzing logs that contain data we’ve already collected. With Dynamic Data Protection, we can configure a policy to report a violation only if a user has a risk score that’s over a specified threshold. Therefore, we can satisfy the requirements of the workers’ council and potentially deploy data-centric information security programs in more countries than we could previously.

 

Compromised Credentials and the Three-Week Notice: Protecting Intellectual Property

An account belonging to a trusted user may suddenly begin exhibiting risky behavior for a variety of reasons. The two most common are 1) compromised credentials and 2) the three-week notice.

If a user’s credentials are compromised, that user’s behavior will change. Whoever compromised the credentials will begin exploring the access permissions they now have, what information they can access, and what they may want to exfiltrate.

With Dynamic Data Protection, that change in behavior will be detected, and the policy can be dynamically updated to prevent the user from downloading sensitive information or emailing it outside the organization. Security personnel then have time to remediate the compromised account. This approach is vastly superior to what normally happens—which is that the compromise is discovered after large volumes of data have left the company.

The three-week notice (a term I believe I “borrowed” from Scott Gordon, a Cloud Strategist for Symantec) begins when, during the week before an employee gives their formal notice, they start downloading company information that may be helpful to them in their next job. Many studies have verified this behavior, and it’s estimated that more than half of people take data with them from one job to another.

This behavior isn’t necessarily malicious, but they shouldn’t be doing it, and they know it. Most employees have a pretty specific skill set, and when they leave one organization and go to work for a competitor, they take that knowledge with them. With this behavior, they are also taking information with them. Typically, they intend only to make their own lives easier, not necessarily harm their former employer. But they do harm their former employer in one way or another.

Dynamic Data Protection will identify that behavior and restrict that user’s ability to take data with them by applying a more restrictive policy when their behavior changes. InteliSecure client organizations that have a UEBA or Insider Threat program can generally identify users that are going to leave between one and four weeks ahead of formal notice based on behavior patterns alone.
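The risk-score threshold from the workers’ council section and the behavior-change detection described here can be illustrated together. The following is an added example, not Forcepoint or InteliSecure code: the log records are constructed, and the scoring formula, thresholds, and function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (user, day, channel, KB of classified data moved).
# Days 1-5 form each user's baseline; day 6 is the day being evaluated.
EVENTS = []
for day, kb in enumerate([40, 55, 45, 50, 60, 52], start=1):
    EVENTS.append(("alice", day, "email_external", kb))   # steady behaviour
for day, kb in enumerate([100, 120, 80, 100, 100, 140], start=1):
    EVENTS.append(("carol", day, "cloud_upload", kb))     # mild deviation
for day, kb in enumerate([30, 35, 25, 30, 40, 900], start=1):
    EVENTS.append(("bob", day, "usb", kb))                 # sharp change
EVENTS.append(("dave", 6, "usb", 500))                     # no history at all

# Hypothetical policy parameters (assumptions, not product defaults).
REPORT_THRESHOLD = 50   # below this, no incident is recorded for the user
BLOCK_THRESHOLD = 80    # at or above this, the transfer is stopped
MIN_HISTORY_DAYS = 3    # days of history needed before a baseline is trusted
MIN_SPREAD = 1.0        # floor on the deviation, avoids division by zero


def build_history(events):
    """Sum classified-data volume per user per day from already-collected logs."""
    per_user = defaultdict(lambda: defaultdict(int))
    for user, day, _channel, kb in events:
        per_user[user][day] += kb
    return per_user


def risk_score(per_day, today):
    """Score 0-100: how far today's volume sits above the user's own baseline."""
    history = [kb for day, kb in per_day.items() if day < today]
    if len(history) < MIN_HISTORY_DAYS:
        # Assumption: without a baseline there is no automated probable cause.
        return 0
    spread = max(pstdev(history), MIN_SPREAD)
    z = (per_day.get(today, 0) - mean(history)) / spread
    # Only increases above baseline raise risk; 5 deviations saturate the score.
    return round(min(100, max(0.0, z) * 20))


def decide(score):
    """Map a risk score to the enforcement level applied to the transaction."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= REPORT_THRESHOLD:
        return "report"
    return "no_incident"


def evaluate(events, today):
    """Return {user: (score, action)} for every user active on `today`."""
    result = {}
    for user, per_day in build_history(events).items():
        if today in per_day:
            score = risk_score(per_day, today)
            result[user] = (score, decide(score))
    return result


if __name__ == "__main__":
    for user, (score, action) in sorted(evaluate(EVENTS, today=6).items()):
        print(f"{user:6} score={score:3} action={action}")
```

The `dave` record shows a gap worth planning for: an account with no history produces no score, so a new or rarely used account needs a static default policy rather than the behavioral one.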

 

Preventing Intellectual Property Theft

According to IBM’s Security Intelligence news site, annual cybercrime proceeds have exceeded $1.5 trillion. If cybercrime were a country, it would have the thirteenth-highest GDP in the world, ranking just above Spain and slightly below Russia. Global proceeds of cybercrime exceed the GDP of countries such as Australia, the Netherlands, Switzerland, Saudi Arabia, and Turkey.

One third ($500 billion) of that annual cybercrime revenue comes from stealing IP and trade secrets. In contrast, ransomware generates $1 billion annually, or about 0.2% as much as IP and trade secret theft. It’s common knowledge that very well-funded actors and nation states are often behind IP theft. Contrary to popular belief, however, those attacks are generally not launched using zero-day threats or sophisticated malware.

Take the case of American Semiconductor, a wind turbine component manufacturer who was the victim of Chinese IP theft which resulted in massive long-term impacts and almost put the company out of business. The Chinese didn’t hack into their systems. Instead, a Chinese government operative met a privileged user at a coffee shop and offered him $2 million to download some important files and turn them over.

Many employees would be tempted by such an offer, and all of the fancy anti-malware engines and perimeter defenses you hear so much about would be completely powerless to stop such activity.

However, Dynamic Data Protection could stop it.

As soon as that user returned from the coffee shop and logged in, his behavior would change. He would immediately begin looking for the data and downloading specific information to a USB file. UEBA could detect that behavior change and Dynamic Data Protection could stop that download.

 

The Future Offers Streamlined Protections for Sensitive Information

I am vendor-neutral in everything that I do, and this is not an advertisement for Forcepoint. Forcepoint has come up with a game-changing capability in my view that revolutionizes the art and science of data protection.

However, the approach isn’t perfect in its current form. It could be easier to deploy, faster to react, and integrated with many other Forcepoint and third-party products.

That being said, the idea of Dynamic Data Protection is amazing and should be embraced across the industry. Our focus as a security community on networks and endpoints is antiquated and failing. To move our data protection models into the future, we need to focus on people, data, and cloud. Dynamic Data Protection takes a meaningful step towards that future.

 

Discover a more dynamic approach to data protection.

Are you looking for a meaningful way to transform your approach to data protection—and help secure the future of your company? Talk to the experts at InteliSecure and learn the options that are available to you today.


August 1, 2019

Intellectual Property Theft Prevention: Black, White, and Shades of Gray

I work with organizations around the world across a variety of industries, and I’m perplexed by one thing that most of them have in common: their data protection programs are focused solely on regulated data such as social security numbers, credit card account information, and other personally identifiable information (PII).

Complying with data security regulations is important, but rarely is regulated data the only data worth protecting in a company. In most organizations, regulatory fines present far less risk than the potential losses associated with intellectual property theft—loss of market share, loss of competitive advantage, loss of revenue, and potentially loss of the entire company.

 

Why Are We Not Protecting What’s Most Important? It’s Complicated.

Protecting IP requires making calls that are not black and white, yes or no. IP data is often unstructured and doesn’t fit neatly into established categories. It takes Information Security teams into gray areas that are uncomfortable. Before you can protect your IP effectively, you need to identify the difficulties around dealing with those gray areas.

Here are some of the most common issues.

It’s difficult to define IP

It’s true that protecting IP is not as straightforward as protecting other types of sensitive information. Regulated information is well defined in the public space. Something is either a credit card number or it’s not. It’s either personally identifiable information (PII) as defined by global regulations or it’s not.

Mature organizations have a list of people who can handle that regulated sensitive information and have defined acceptable use of that information. The Information Security team can set up rules to enforce those documented policies easily. It’s black and white.

IP protection, in contrast, is messy. It isn’t black and white. It’s one big squishy gray area. Although a few rules govern how IP cases can be brought to court, no external entity dictates what constitutes Intellectual Property or how an organization must protect it.

IP is difficult to define even for the organizations it belongs to. To properly protect IP, the Information Security team must engage the business leaders who create and profit from it. They need to know what drives revenue for the organization, what role the IP plays in that revenue, and whether the information would be valuable to an outside entity. And they need to understand who plays a role in the creation, storage, usage, and transmission of the data.

After that, they need to speak with the legal team to see what portions of the Intellectual Property are legally protected and therefore not sensitive—and what portions of the IP are considered Trade Secrets or Know-How and have few legal protections.

 

It’s difficult to quantify the risks associated with IP

Even when IP is defined, quantifying the risk of its loss is a challenge. The ability to quantify risk is a measure of a company’s overall health. Publicly traded companies must produce an annual report known as a 10-K report. In that report, section 1A is a detailed list of the risk factors affecting their business.

In that evaluation, regulatory fines are risks that are easy to understand. If you don’t comply with a specific regulation, the regulating body will fine your company for non-compliance with data security regulations. The company can look at the legal precedent to see what organizations were held accountable and what the actual costs were in the event of a breach. It’s black and white. And it’s easy to quantify the value of mitigating that risk too: I am going to invest X dollars to reduce my exposure to a risk of a fine that will cost Y dollars.

In my experience, effectively protecting IP will also mitigate 25%-40% of those easily quantifiable risks. However, organizations struggle to quantify risks associated with not protecting the IP itself, even though those risks are very real. It’s a gray area.

 

It’s difficult to define the rules related to IP

Organizations often maintain lists of users who can interact with regulated information. Data security regulations also typically define the allowed activities related to that information. For example, the Health Insurance Portability and Accountability Act (HIPAA) states that a health record being transmitted via email must be encrypted. That rule is black and white—easy to implement and enforce.

For Information Security teams asking whether a user can interact with IP inside an organization, the answer is almost never “yes” or “no.” In nearly all cases, “it depends.”

That answer is governed by a variety of factors related to the person’s job role and normal pattern of behavior. How that information should be used often changes quickly, and the changes are typically not well defined. The entire rule set for IP is a gray area.

 

It’s Difficult to Coordinate Communication About IP

These are conversations that many organizations’ Information Security teams are unwilling or unable to engage in.

In many organizations, data protection programs are categorized under the same umbrella as information security tools. This makes sense from an outside perspective; after all, data protection programs do fall under Information Security and are often operated under the same budgets as traditional security technologies such Security Incident and Event Management (SIEM), Endpoint Protection Platforms, and Intrusion Detection and Prevention Systems (IDS/IPS).

Data protection programs, though, are fundamentally different from those technology tools because they require business engagement in order to be effective. And that can be a challenge.

Even in organizations that attempt to force that communication to happen, most Information Security teams do not use the same language (or jargon) to communicate security concepts that business leaders use. Business leaders are becoming more technically savvy, but many Information Security teams struggle to provide information in ways that make sense to their executive teams.

As a result, the IT Security teams default to the areas where they are most comfortable: protecting regulated data with black-and-white security tools. A firewall checks a list of senders, destinations, and ports and allows or denies each piece of traffic that attempts to traverse its network segment. A web gateway puts websites into categories and allows or denies users access to that category. A traditional antivirus program scans a file against a list of known bad files and if a match is identified, the program blocks or quarantines the file.

This is all very straightforward and not nuanced. The decision is black and white.

 

Operating in the Gray Area: Looking to the Future of IP Protection

There is good news for companies that recognize the value of their IP. Managed data protection solutions are enabling companies to access highly specific protections for structured and unstructured data while dramatically reducing the complexity of security management for their staffs.

In addition, emerging and newly available technologies are helping companies overcome the difficulty of working in the gray areas of data protection. Machine learning is an area showing tremendous promise. Although automated technologies aren’t capable of supporting nuanced decision patterns, they can help streamline responses, improve reporting, and allow for dynamic actions.

In my next post, I will walk through a concept called Dynamic Data Protection, a solution based on the idea that if you combine analysis of the riskiness of human behavior with what is happening with respect to data, you can program machines to make nuanced, automated decisions in those gray areas.

This is an exciting concept and a major leap forward. It is also not a silver bullet. Organizations still must engage with the business to define what sensitive IP is, and they should start doing that now. Capabilities exist to protect sensitive Intellectual Property, and the stakes are higher than they’ve ever been.

The question is not whether you can afford to protect your intellectual property. The question is quickly becoming whether you can afford not to.

 

Looking for a proven approach to protect your intellectual property?

InteliSecure offers consulting services to help organizations navigate the gray areas of critical asset protection. Connect with us to start working through your complex conversations.

July 24, 2019

Future-Proofing Your Information Security Strategy

“Your future takes precedence over your past. Focus on your future, rather than your past.”

—Gary Ryan Blair

 

This blog post doesn’t focus on data loss prevention (DLP); it is about security in general. I don’t often write about the broader topic of Information Security because there are large portions of the security space that I am not involved in. However, after much thought, I feel obligated to share some ideas with the larger Information Security community, and specifically Information Security leaders inside of organizations, about what I believe the future will hold.

My responsibilities require me to travel the world and talk to a lot of people. I hear business leaders expressing growing concern at their ability to protect their information and their businesses in the face of seemingly overwhelming security threats. My response is to offer a take on the message that Gary Ryan Blair expresses in the quote above: Don’t look to past paradigms to protect your business. Instead, focus on what’s ultimately important—and within your control—as you move into the future.

 

Information Security in a World Without Boundaries

Information Security professionals I talk to readily admit that the “perimeter”—that imaginary protective wall around a business and its data—is dissolving. One major driver of this dissolution is the fact that we already live in a hybrid world today. Very few organizations store and use their data 100% on premises and very few are 100% in the cloud. As a result, on-premises security and cloud security are equally important today.

However, digital transformation has progressed to the point where the key question about data has changed. Instead of asking what data will go to the cloud and what will stay on premises, we should ask how long it will be before the majority of organizations don’t operate data centers at all.

Despite the wide recognition of this shift, organizations still try to apply perimeter concepts to a world without boundaries. For example, some organizations are deploying firewalls inside of Amazon Web Services. Why?

 

A Fundamental Shift: Different Operations, Different DLP

It’s my job to look into the future—and the future holds some revolutionary innovations. Consider quantum computing, which offers orders-of-magnitude more processing power than any binary system ever could because a single qubit can operate in 256 distinct states, whereas a traditional bit has only 2. The potential power of this type of computing is staggering.

However, most organizations will never own a quantum computer; the operating environments for this type of technology will be prohibitively expensive for most data centers, so it’s likely that the primary model for quantum computing will be Quantum Computing as a Service (QCaaS). Pair that with the rapid growth of Infrastructure as a Service (IaaS) that we’re already seeing, and it’s not hard to envision a world where all workloads are elastic and rented rather than static and purchased—and where the only organizations that own data centers are global governments and cloud services providers.

Many paradigms will change if such a world comes to fruition, but it is the most efficient way to operate and distribute resources. The shift will restructure many capital markets—and it will also challenge many security models.

 

Re-Thinking the Model for Critical Asset Protection

The Cyber Security Hub published this graphic detailing the disciplines of security and describing the products that fall into each bucket.

[Graphic: Mission Critical Assets]

This model is helpful for understanding how we have navigated a crowded and confusing information security landscape. However, it is also useful for examining the future of security—and weeding out the sections we can no longer control.

  • If you accept the premise that in the future you will rent computing power rather than own it, you will completely lose the ability to deploy the perimeter technologies in the purple section.
  • Since you also won’t own the network, all of the blue section goes away as well.
  • The rise of bring-your-own-device (BYOD) strategies also renders the gold section obsolete to an extent because if you encourage your employees to use their home devices, or if they do so for convenience, it becomes difficult to exert control over those devices.
  • For Software as a Service (SaaS) applications, which are still the majority of cloud services, you will lose the red section as well—unless you use IaaS, in which case you will maintain that layer of protection.

What are you left with? Outside of policy management and limited operations, you are left with control over your data. If you look inside the teal bubble, you also have control over who you allow to access that data and the resources you rent.

Therefore, in this world, all that matters are people and data.

For those of us who are passionate about the importance of Information Security, the scary part of this new model is that most security strategies focus on the purple, blue, gold, and red sections—the sections that I don’t think organizations will control in the future I am describing.

 

What Really Matters in the Future—and What to Do Now?

I firmly believe we are moving at an accelerated pace towards the future I have described. I can’t realistically predict exactly when we will get there. When skeptics express doubts about the pace of the digital transformation, I ask them a simple question: “What trends are you seeing that suggest a massive move back on premises for services that have gone to the cloud?”

I just don’t see that trend going backwards. The elasticity, flexibility, and reduced barriers to entry into markets offered by cloud services are too appealing to ignore, especially for smaller and mid-market businesses, which still form the majority of the economy. I cannot imagine a new business starting today and borrowing capital to build out a data center. It would be difficult to imagine not utilizing SaaS and IaaS when those options allow you to be up and running in days instead of months or years.

Information Security leaders should start pivoting now to emphasize the two elements of security that are not likely to be diminished: people and data.

  • Design security programs with strong identity and access management (IAM).
  • Invest in multifactor authentication (MFA) and identity governance.
  • Understand how to implement Zero Trust Architecture and know how you will enforce the principle of least privilege (POLP) and need to know.
  • Gain an understanding of what data you have, what you must protect to establish international regulatory compliance, and what you should protect to minimize risk to the organization.
  • Invest in technologies now that allow you to secure Platform as a Service (PaaS), SaaS, and IaaS.

Most important, begin re-skilling your workforce to address the problems of the future. It’s fine to maintain your legacy systems like Security Incident and Event Management (SIEM), firewalls, intrusion detection and prevention services (IDS/IPS), and endpoint protection, but don’t make those the center of your strategy. If you do, you’re likely to see diminishing security efficacy over time.

 

We Can’t Face the Future of Information Security with Yesterday’s Tactics

If there’s one thing digital transformation should have taught us so far, it is that business is going to move towards innovation, efficiency, and mobility as quickly as possible. The advantages the future offers to business are essential to retaining a competitive advantage, and security leaders will not be able to slow or prevent the evolution.

We must prepare now so we can be ready to protect the business as it continues to innovate, rather than being dragged through digital transformation kicking and screaming. It’s time to challenge our thinking and finally accept there is no perimeter and we cannot build a castle. The future of Information Security is asymmetrical, dynamic—and already a reality.

 

Make the Case for Making the Shift

When it’s time to future-proof your DLP strategy, you may still need to convince your leadership of the value of that change. Download the case study Making the Case for Critical Asset Protection and learn how a major cancer center implemented a Critical Asset Protection Program™ (CAPP) with InteliSecure and gained control of the flow of information inside and outside the organization.

July 17, 2019
