Home page logo

dataloss logo Data Loss mailing list archives

Wake-Up Call From the Largest Data Breach in History
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 12 Mar 2014 19:21:33 -0600


As the largest data breach in history unfolded, most executives were both
disappointed that it occurred to a great American brand like Target, and
relieved that it missed them--for now.

The massive breach and its resulting fallout is a stark reminder to senior
executives and boards of U.S. companies that they will remain vulnerable
24x7x365 until they strategically retool their security to effectively
fight in today's full-scale economic war. What we did yesterday in security
is no longer relevant.

Every Company Targeted

It is estimated that U.S. companies quietly lose over $5 trillion in value
each year to adversaries who take the stolen secrets and return as cheaper,
direct competitors with identical trade secrets. Additionally, up to 80
percent of the value of today's companies resides in their trade secrets
and competitive advantage. Every company in every industry is the next
potential big hit.

Our adversaries exploit our history of American innovation, openness, and
our own laws of economic espionage to their advantage and to our massive,
constant loss. In many cultures, economic espionage is mandatory, trained,
and rewarded. In the United States, it is illegal, although we are playing
in a global marketplace with our "eyes wide shut."

Security: Not an IT Problem

Senior executives and boards can no longer view security solely as an IT
problem. When breaches or attacks negatively affect your customers,
profits, operations, and brand--the value you created--security is clearly a
fundamental business problem that must be owned by all fiduciary guardians
within an organization.

Senior leadership must act as the catalyst providing protection to the
company's value, its constituents, shareholders, and customers. To do this,
they must become the driving force in implementing requisite risk
management and needed security items at their disposal, in protecting their
intellectual property and competitive advantage. This again is the
fiduciary responsibility of the senior executives and directors of the

Every company must transform its mindset and develop a protective and
proactive security strategy--with every employee, contractor and supplier.
Consider it "reverse table stakes"--your employees, contractors, and
suppliers are continuously pursued for spoils of economic warfare that a
competitor or industrial nation-state can monetize to their advantage.

Weakest Link

By the time they go to lunch, your employees and suppliers have been
stalked via several methods: smartphone, home Wi-Fi, public Wi-Fi, company
email, personal email, social media ... far too many exposure points to
elaborate on here. Adversaries are intrepid and imaginative in exploiting
your weakest links.

The foundation of a new archetype for security strategy must focus on the
human element as well as the IT/cyber/physical/financial elements. In
almost every cyberbreach, the human element facilitated the cyberbreach. In
many cases, the cyberbreach is staged to cover up the actions of the

The message here is that the human and cybercomponents are inextricably
coupled. An effective cyberstrategy and security policy is grossly
incomplete if the human element is not effectively addressed with a high
degree of efficacy. This argument is poignantly stated: "Cyber is just the
canary. Immediately addressing the human element is paramount," said Eric
Qualkenbush, former CIA director of central cover and current director of
training and education at BlackOps Partners Corporation.

Policies of Several Kinds

A proactive cyberpolicy is critical. Keeping anti-virus software updated is
a start, but only a start. All of the cyberprotection in the world can be
nullified by a single insider, contractor, or supplier. This was the case
in the recent breach at Target. An HVAC vendor's credentials were reported
compromised (the human element) and provided the pathway for unlawful and
malevolent cyberaccess providing direct damage to the value premise of the

With the basis of a creative and persistent enemy, it becomes a fiduciary
obligation to combine cyber/other security measures as above with requisite
insurance/risk management programmatic efforts founded on a proactive
pre-loss mitigation analysis and strategy.

"Cyber Insurance is in a constant state of evolution and in many cases is
inadequate for the current state, hence a company must have a robust and
dynamic loss prevention strategy interwoven into their risk management
mantra," said Erik Matson, former AIG regional president.

Most current security programs are antiquated and constructed for another
time and opponent. By design, these policies have proven defective. It is
easy for attackers to transcend most barriers. Conversely, a top-down,
proactive, and offensive security program affords the best measure of
advanced protection and pre-loss view required to effectively address
threats of today.

Senior Executive Mantra

Senior executives and board members with fiduciary roles must take up the
mantle to institute change in their companies. CIO's and CISO's must also
be new-breed, proactive information security champions, each reporting
directly to the CEO. They must operate from the same playbook with the same
business rationale. Finding vulnerabilities must be rewarded. Every board
meeting needs to make this an ongoing focus area to measure.

We have entered into a new era of pervasive technology and resulting
exponential vulnerabilities. Senior executives and boards have no choice
but to get in the game and drive the efforts to ensure their values and
competitive advantage sustainability.

The return on investment for holistic security investment is your business
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 


Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!

  By Date           By Thread  

Current thread:
  • Wake-Up Call From the Largest Data Breach in History Audrey McNeil (Mar 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]