The Answer to Diminishing Returns in Cybersecurity


September 20, 2016


Secure Halo

The defenses of commercial organizations continue to be successfully exploited by determined adversaries operating in cyberspace, despite significant security investments.  Although the scope, severity and cost vary by incident, even the smallest of them can be detrimental to a business, causing disruption, data loss, or data corruption.

Some of the better known casualties – such as Anthem, Sony Pictures, and Target – highlight not only the vulnerability of disparate industries to sophisticated attacks, but also how relevant the economic principle of diminishing returns can be when applied to the persistent challenge of preventing and detecting such costly threats to corporate information.

In its most basic form, the idea of diminishing returns is that as the number of technical controls or security staff increases at any organization, at some point the marginal effectiveness or utility of each additional sensor or employee will be less than the previous one, especially in a threat landscape of savvy and creative attackers.

The oft-discussed 2013 Target hack is a case in point.  Despite being compliant with data security standards of the payment card industry, the dozens of security staff located in India and its US-based global security operations center, or even the $1.6 million intrusion detection tool that Target used specifically to monitor potential security incidents around the clock, the company was still victimized.  The attack resulted in the compromise of 40 million credit card numbers and over 70 million pieces of customer personally identifiable information.

Optimizing Cyber Investments

The Target breach reminded corporations of the need to invest smartly in security controls across people, process, and technology, since defending sensitive information cannot be solved by overinvesting in technical solutions that focus on data security.  Just as critical, and often overlooked, is equal consideration for other activities such as employee training and the development of a mature cyber security culture through effective policies and procedures. In its work assessing the bulk electric sector, Secure Halo has found that companies with a better cyber risk profile score and higher maturity scores differed little in the domain of data security from those with lower scores.  Where the more mature companies pulled ahead was in their implementation of other controls, such as Insider Threat or External Business Operations.

For a better return on cyber security spending and to avoid the challenge of diminishing returns, Secure Halo recommends the following three steps:

Promotion of Proper Cyber Hygiene and Best Practices: As attacks increase in sophistication, corporate workforces must not only be aware of the changing threat landscape, including how malicious adversaries are frequently targeting firms, but must also discontinue outdated and unsafe computing practices that imperil the confidentiality and availability of networks and the information they hold.

This promotion of cultural change to better enhance information security and sound hygiene must begin at the top.  With executive-level buy-in, IT security leaders and other stakeholders are empowered to start the process of creating realistic standards and best practices that can be pushed down to the greater organization.

Strategic Use of Sensors: Discussions with corporate board members and other leaders sometimes reveal an assumption that the deployment of best-of-breed sensors or traditional legacy defenses can be the 90% solution to the majority of cybersecurity problems.  The Target example shows that is not always the case, and that a “one-size-fits-all” approach to risk management is both dangerous and outdated. Some sensors require a multitude of customizations, and since they are programmed to operate continuously and around the clock, it is often the case that firms do not have the manpower and talent resources to effectively manage them.

Take for instance data loss prevention (DLP), a particularly helpful tool for proactively monitoring and tracking sensitive information as it leaves corporate networks.  While useful in identifying inadvertent or deliberate insider threats, such programs can easily overwhelm a system with false positives that inevitably make it harder to identify the true anomalies indicative of real compromise.  To avoid casting such a large net in threat monitoring and detection, a rules-based approach should be applied to these systems, one that allows companies to program specific matching logic into the devices so that only the most relevant and likeliest potential threats are surfaced.
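The following is an added illustration of the false-positive problem described above; it is not code from Secure Halo or from any DLP product. It contrasts a naive rule (alert on any 16-digit run) with a rules-based one that requires a valid Luhn checksum and surrounding payment context before raising a high-severity alert. The messages, keyword list and severity tiers are constructed assumptions for the example.

```python
import re
from typing import Optional

# Constructed sample messages (not from the page). Several contain 16-digit
# runs that are not card numbers at all (tracking ids, build ids), which is
# exactly what floods a naive DLP rule with false positives.
SAMPLE_MESSAGES = [
    "Order shipped; card 4111111111111111 expires 09/27",       # real-looking PAN + context
    "Tracking number 1234567890123456 left the warehouse",      # 16 digits, fails Luhn
    "Refund to 4242424242424242, cvv verified by phone",        # real-looking PAN + context
    "Build id 9876543210987654 passed all tests",               # 16 digits, fails Luhn
    "Reference 4012888888881881 noted in ticket",               # passes Luhn, no context
    "Quarterly numbers: revenue 1234.56, headcount 42",         # no 16-digit run
]

# Any run of exactly 16 digits not embedded in a longer digit string.
DIGIT_RUN = re.compile(r"(?<!\d)\d{16}(?!\d)")
# Hypothetical context vocabulary; a real deployment would tune this list.
CONTEXT = re.compile(r"\b(card|cvv|expires|pan|visa|mastercard)\b", re.IGNORECASE)


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 checksum, which every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_rule(message: str) -> bool:
    """The 'cast a large net' rule: any 16-digit run is an alert."""
    return DIGIT_RUN.search(message) is not None


def tuned_rule(message: str) -> Optional[str]:
    """Rules-based scoring: checksum plus surrounding context decide severity.

    Returns "high" for a Luhn-valid number with payment context, "low" for a
    Luhn-valid number with no context (worth a look, not a page-out), and
    None when no candidate passes the checksum at all.
    """
    candidates = [m for m in DIGIT_RUN.findall(message) if luhn_valid(m)]
    if not candidates:
        return None
    return "high" if CONTEXT.search(message) else "low"


def compare(messages):
    """Count alerts each rule would raise over the same message stream."""
    naive = sum(1 for m in messages if naive_rule(m))
    tuned = {"high": 0, "low": 0}
    for m in messages:
        severity = tuned_rule(m)
        if severity:
            tuned[severity] += 1
    return naive, tuned


if __name__ == "__main__":
    naive_alerts, tuned_alerts = compare(SAMPLE_MESSAGES)
    print(f"naive rule alerts: {naive_alerts}")
    print(f"tuned rule alerts: {tuned_alerts}")
```

Over the six constructed messages the naive rule fires five times, while the tuned rule raises two high-severity alerts and one low-severity one. The point is not the specific keywords but the layering: a cheap structural check (the checksum) discards most noise before an analyst ever sees it, and context decides which of the survivors deserve immediate attention.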

Enlist the Help of Each Employee: Inadvertent insider threat is one of the most frequent sources of data breaches and large cyber loss events afflicting corporations.  While employees are often the target of such attacks (for example, through spear phishing), they can also be the solution: they are the human beings behind every endpoint, and together they represent the last line of defense.  In concert with the promotion of safe hygiene, training and awareness programs can remind employees of the creative ways in which malicious actors may target them while online or at the office, such as through social engineering or pretext phone calls.  From a physical security perspective, and especially in larger corporations, challenging strangers who appear out of place, understanding and awareness of tailgating, and clean desk and whiteboard policies are also helpful.

The law of diminishing returns is important to consider when thinking about how firms can get a better return on their cyber security spending. While technology is indeed crucial to any risk management discussion, it cannot be relied upon at the expense of other considerations.  Those that invest in cybersecurity across their enterprise are best able to prevent, detect, correct, and ultimately recover from an attack or breach.
