If You Are CEO Of A Consumer Organization, You Have A New Job Responsibility -- Security

Stephanie Balaouras

On May 5, 2014, Target announced the resignation of its CEO, Gregg Steinhafel, in large part because of the massive and embarrassing customer data breach that occurred just before the 2013 U.S. holiday season kicked into high gear. After a security breach or incident, the CISO (or whoever is in charge of security) or the CIO, or both, are usually axed. Someone’s head has to roll. But the resignation of the CEO is unusual, and I believe this marks an important turning point in the visibility, prioritization, importance, and funding of information security. It’s an indication of just how much:

  • Security directly affects the top and bottom line. Early estimates of the cost of Target's 2013 holiday security breach indicate a potential customer churn of 1% to 5%, representing anywhere from $30 million to $150 million in lost net income. Target's stock fell 11% after it disclosed the breach in mid-December, but investors pushed shares up nearly 7% on the news of recovering sales. In February 2014, the company reported a 46% decline in profits due to the security breach.
     
  • Poor security will tank your reputation. The last thing Target needed was to be a permanent fixture of the 24-hour news cycle during the holiday season. Sure, like other breached companies, Target’s reputation will likely bounce back, but it will take a lot of communication, investment, and other effort to regain customer trust. The company announced last week that it will spend $100 million to adopt chip-and-PIN technology.
     

Securing Mobile Development: Nontechnical Solutions

Tyler Shields

It takes a lot more than a static analysis tool, a web scanning service, and a few paid hackers to make your mobile development lifecycle, team, and eventually, your applications secure. Finding flaws in an individual mobile application is easy (assuming you have the right technical skill set). What is a lot harder is actually stopping the creation of mobile application security flaws in the first place.

To achieve the lofty goal of a truly secure mobile application development program takes a rethinking of how we have traditionally secured our applications in the past. Mobile development brings many changes to enterprise engineering teams including additional new device sensors, privacy impacting behaviors that cross the security chasm between consumer and enterprise isolation, and even faster release cycles on the order of days instead of months. Smaller teams with little to no experience in security are cranking out mobile applications at a fevered pace. The result is an accumulation of security debt that will eventually be paid by the enterprises and consumers that use these applications.


One-Quarter Of Asia Pacific Firms Face Windows XP Security Risks

On April 8, 2014, Microsoft stopped technical support for Windows XP; XP customers will no longer receive security or technical updates, hotfixes, or free or paid assistance. Microsoft statistics show that around 25% of PCs in Asia Pacific still run XP. Asia Pacific enterprises haven’t migrated away from XP because:

  • Technology management departments didn’t communicate the need well enough and thus have not received the necessary funding to migrate to Windows 7 or 8.
  • Many firms rely on legacy applications that run on XP and are often incompatible with the latest versions of Windows. For example, an Australia-based oil and gas exploration firm faced application compatibility issues when migrating from XP to Windows 7.
  • Some enterprises underestimated the work required to migrate to a new OS and are still halfway through their project.

Pet The Unicorns And Think Of Protecting Customer Data As A Corporate Social Responsibility

Heidi Shey

In a research world where we collect data on security technology (and services!) adoption, security spending, workforce attitudes about security, and more, there’s one type of data that I get asked about from Forrester clients in inquiry that makes me pause: breach cost data. I pause not because we don’t have it, but because it’s pretty useless for what S&R pros want to use it for (usually to justify investment). Here’s why:

  1. What we see, and what is publicly available data, is not a complete picture. In fact, it’s often a tiny sliver of the actual costs incurred, or an estimate of a part of the cost that an organization opts to reveal.
  2. What an organization may know or estimate as the cost (assuming they have done a cost analysis, which is also rare), and do not have to share, is typically not shared. After all, they would like to put this behind them as quickly as possible, and not draw further unnecessary attention.
  3. What an organization may believe is an estimate of the cost can change over time as events related to the breach crop up. For example, in the case of the Sony PlayStation Network Platform hack in April 2011, a lot of costs were incurred in the weeks and months following the breach, but they were also getting slapped with fines in 2013 relating to the breach. In other breaches, legal actions and settlements can also draw out over the course of many years.

Choose Your Own Adventure With The 2014 Verizon DBIR

Rick Holland

In a world where every single security vendor has their own annual threat report, the Verizon Data Breach Investigations Report (DBIR) is the gold standard, and this year is no different. Last year I began blogging my initial analysis (Observations on the 2013 Verizon Data Breach Investigations Report), and I wanted to continue that again this year. Here are some of the high-level details on this year's report:

  • Fifty organizations representing 95 countries were included in the data set. This included 1,367 confirmed data breaches. By comparison, last year’s report included 19 organizations and 621 confirmed data breaches.
  • In a significant change, Verizon expanded the analysis beyond breaches to include security incidents. As a result, this year’s dataset has 63,437 incidents. This is a great change, recognizes that incidents are about more than just data exfiltration, and also allows for security incidents like DoS attacks to be included.
  • The structure of the report itself has also evolved; it is no longer threat overview, actors, actions and so on. One of the drivers for this format change was an astounding discovery. Verizon found that over the past 10 years, 92% of all incidents they analyzed could be described by just nine attack patterns. The 2014 report is structured around these nine attack patterns.

Key Lesson From The US Airways #Fail: Marketers Need Help Managing Risk

Nick Hayes

Everyone makes mistakes, but for social media teams, one wrong click can mean catastrophe. @USAirways experienced this yesterday when it responded to a customer complaint on Twitter with a pornographic image, quickly escalating into every social media manager’s worst nightmare.

Not only is this one of the most obscene social media #fails to date, but the marketers operating the airline’s Twitter handle left the post online for close to an hour. In the age of social media, it might as well have remained up there for a decade. Regardless of how or why this happened, this event immediately paints a picture of incompetence at US Airways, as well as the newly merged American Airlines brand.

It also indicates a lack of effective oversight and governance.

While details are still emerging, initial reports indicate that human error was the cause of the errant US Airways tweet, which likely means it was a copy and paste mistake or the image was saved incorrectly and selected from the wrong stream. In any case, basic controls could have prevented this brand disaster:

  • US Airways could have built a process where all outgoing posts that contain an image must be reviewed by a secondary reviewer or manager;
  • It could have segregated its social content library so that posts flagged for spam don’t appear for outgoing posts;
  • It could have leveraged technology that previews the full post and image before publishing.

Big Data Initiatives Can Lead To Big Security Problems For Asia Pacific Firms

Asia Pacific firms are gradually beginning to understand how important big data is for responding to rising customer expectations and becoming customer-obsessed to gain a competitive edge in the age of the customer. Data from our Forrsights Budgets And Priorities Survey, Q4 2013 shows that 40% of organizations across Asia Pacific expect to increase their spending on big data solutions in 2014.

In addition to traditional structured data (from ERP and other core transactional systems), organizations are increasingly seeking insight from unstructured data originating in both internal (IM, email) and external (social networks, sensors) sources to enhance the business value of data. But these initiatives pose a significant challenge to security and risk professionals:

  • Protecting sensitive data from fraudsters. Today’s fraudsters are active both inside and outside of firms, working to steal business-critical data. Inadequately secured and poorly controlled big data environments can potentially make the job of these malicious actors easier by reducing the number of systems or entry points that they must compromise in order to steal the data they need. For example, the personal data of 20 million South Koreans (40% of the country’s population) was stolen by a contract worker at the Korea Credit Bureau.

What Asia Pacific Firms Must Learn From The Data Privacy Breach In Australia

It was recently revealed that the personal details of 10,000 asylum-seekers housed in Australia were accidentally leaked via the Department of Immigration and Border Protection’s website. This has damaged asylum-seekers’ trust in the Australian government and, according to Greens Senator Sarah Hanson-Young, potentially put lives at risk. Such incidents represent significant breaches of local regulations and can result in heavy penalties.

Recent amendments to existing privacy laws in Australia and Hong Kong allow each country’s privacy commissioner to enforce significant penalties for repeated or serious data breaches. Countries like Japan and Taiwan, where new privacy laws have been passed and/or existing ones are being enforced more strictly, also assess penalties for noncompliance.

You must treat the protection of sensitive customer data as a core responsibility essential to your enterprise’s success. Help earn and retain customer trust by formulating a comprehensive strategy for complying with local privacy regulations that includes the following action items:


New Research: CISOs Need To Add Customer Obsession To Their Job Description

Edward Ferrara

The CISO And The Customer

Next month Forrester will publish research focusing on the role the customer plays in security planning. Customer attitudes are changing, and companies need to recognize these changes or risk losing customers. These changes put enormous attention on the CISO and the security team, but CISOs should also see this as a big opportunity to move from the back office to the front office. Security incidents, managed well, can actually enhance customer perceptions of a company; managed poorly, they can be devastating. If customers lose trust in a company because of the way the business handles personal data and privacy, they will easily take their business elsewhere. Sales will fall, stock prices will follow, and the CISO will be accountable. CISOs need to improve their security program by focusing on the company’s true customers – the ones that create revenue – clarifying and speeding communications and implementing customer-focused security controls. Look for it next month!

Target Breach: Vendors, You're Not Wrestlers, And This Isn't The WWE

Rick Holland

Yesterday, Bloomberg Businessweek ran a story providing some alarming details on the Target breach. The article, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” didn’t paint a pretty picture of Target’s response.

Some of the highlights in case you haven't read it yet:

  • Six months before the incident, Target invested $1.6 million in FireEye technology.
  • Target had a team of security specialists in Bangalore monitoring the environment.
  • On Saturday November 30, FireEye identified and alerted on the exfiltration malware. By all accounts this wasn't sophisticated malware; the article states that even Symantec Endpoint Protection detected it.