It's all about people

Not a "new" approach, but an approach that consistently is under-appreciated because it doesn't have a technical component

parking lot shadowy figure
Credit: Shutterstock

I recently read a great article in Fortune magazine about a man I admire – Tony Robbins- the quintessential American success story.

At one point in the story, Robbins tells the crowd he is addressing that a study he read found that 29% of employees are “engaged in their work”, and that 24% are actively disengaged and hate their jobs! He goes on to exhort the crowd to find ways to fix this lack of engagement to the ultimate betterment of their company.

Stated another way, the costs to businesses to protect themselves against the disgruntled, disengaged insider include the costs to establish the value of the stolen data; a ramp-up of information technology support; the initiation, or purchase of network countermeasures; legal fees; the loss of revenue and customers, and the various services to affected customers and employees affected by a breach of their data systems and critical data.

Perhaps the costliest aspect- the damage to the company’s reputation, branding and accompanying loss in customer confidence, may never be recouped.

As you all very well know, in the past several years, both state-sponsored espionage (external threats); sabotage (external or internal threats), and insider threats (internal threats) have topped the lists of global security challenges for both governments and the private sector.

The risks associated with these threats can hardly be overstated in terms of costs to organizations of every description – both public and private. Recent government stats released indicated that costs to affected businesses as a range between $5,000 to $3 million.

The true costs are likely much higher, especially as one considers how little is to be gained by the negative publicity when a large multinational companies reports to authorities that they had been victimized by a cyber-espionage or insider attack.

Given the inherent innovation and creativity that America brings to the world, we can presume that various enterprising companies have arrived at a series of technological solutions to this ever-increasing risk to our global economy.

In fact, a 2014 report from Verizon Enterprise entitled “Data Breach Investigations Report” noted three disturbing statistics based upon their research and participation from fifty organizations around the world.

First: within cyber-espionage, the ‘discovery timeline’ of the breach was counted in months (62%) - only 9% was counted in hours. Another table, ‘Top 10 methods of discovery within cyber espionage’, lists the primary method of discovery by, an external unrelated party – only 1% was discovered by internal log review! With respect to the discovery timeline within Insider Misuse’, the Verizon report noted that over one half (56%) of the events were found days or weeks after the incident.

Another study conducted by Carnegie Mellon in 2012 noted that the typical insider has worked for his or her organization for five years before becoming a threat. And a Global Information Technology Report by the World Economic Forum, also in 2012, highlighted that 85% of [all] data breaches go undetected.

In his October Blog, Tony Bradley cites a 2014 study sponsored by HP which concludes that data breaches are becoming more costly each year, and that it is taking longer for organizations to recover from these attacks.

What do these statistics really mean? Of greatest concern to me is that these studies indicate that by the time the typical IT team recognizes a breach, the malicious insider or foreign agent has quite likely already exfiltrated the information and is long gone.

Despite our best technological efforts, in a country with vast resources of both treasure and intellect, and now, in a “post-Snowden” era, with ever more sophisticated methods of keeping secret private enterprises' (and mostly the governments) critical assets, we are still woefully behind the ‘power curve’ with respect to defeating this ever-increasing threat to America’s National and Economic security, i.e. the future viability of our businesses- large and small.

It might be counter-intuitive to some, but an organization can throw lots and lots of money at this problem – and still not ensure 100% immunity from threats. This is a fight we cannot afford to lose.

My next blog will discuss what I think is the simplest (and probably most economical) way to “get after this ever increasing problem”.

This article is published as part of the IDG Contributor Network. Want to Join?

Cybersecurity market research: Top 15 statistics for 2017